Update 2016.11.2 release notes (#39039)

2025-04-17 10:10:20 +00:00 · 2017-01-30 15:40:00 -07:00 · 2017-01-30 15:40:00 -07:00 · 424e68436e
commit 424e68436e
parent a7fc02e196
1 changed files with 21 additions and 1 deletions
--- a/doc/topics/releases/2016.11.2.rst
+++ b/doc/topics/releases/2016.11.2.rst
@ -4,8 +4,28 @@ Salt 2016.11.2 Release Notes

 Version 2016.11.2 is a bugfix release for :ref:`2016.11.0 <release-2016-11-0>`.

+
+Security Fixes
+==============
+
+CVE-2017-5192: local_batch client external authentication not respected
+
+The ``LocalClient.cmd_batch()`` method client does not accept ``external_auth``
+credentials and so access to it from salt-api has been removed for now. This
+vulnerability allows code execution for already-authenticated users and is only
+in effect when running salt-api as the ``root`` user.
+
+CVE-2017-5200: Salt-api allows arbitrary command execution on a salt-master via
+Salt's ssh_client
+
+Users of Salt-API and salt-ssh could execute a command on the salt master via a
+hole when both systems were enabled.
+
+We recommend everyone upgrade to 2016.11.2 as soon as possible.
+
+
 Changes for v2016.11.1..v2016.11.2
----------------------------------------
+----------------------------------

 Extended changelog courtesy of Todd Stansell (https://github.com/tjstansell/salt-changelogs):