1
0

2016.3.8.rst 923 B

123456789101112131415161718192021222324252627282930
  1. ===========================
  2. Salt 2016.3.8 Release Notes
  3. ===========================
  4. Version 2016.3.8 is a bugfix release for :ref:`2016.3.0 <release-2016-3-0>`.
  5. Security Fix
  6. ============
  7. **CVE-2017-14695** Directory traversal vulnerability in minion id validation in
  8. SaltStack. Allows remote minions with incorrect credentials to authenticate to
  9. a master via a crafted minion ID. Credit for discovering the security flaw goes
  10. to: Julian Brost (julian@0x4a42.net)
  11. **CVE-2017-14696** Remote Denial of Service with a specially crafted
  12. authentication request. Credit for discovering the security flaw goes to:
  13. Julian Brost (julian@0x4a42.net)
  14. Changelog for v2016.3.7..v2016.3.8
  15. ==================================
  16. *Generated at: 2018-05-27 14:11:36 UTC*
  17. * 8cf08bd7be Update 2016.3.7 Release Notes
  18. * 0425defe84 Do not allow IDs with null bytes in decoded payloads
  19. * 31b38f50eb Don't allow path separators in minion ID