Update 2015.8.13 release notes (#39037)

2025-04-17 10:10:20 +00:00 · 2017-01-30 15:39:33 -07:00 · 2017-01-30 15:39:33 -07:00 · 5943fe65d3
commit 5943fe65d3
parent 6869621ed1
1 changed files with 20 additions and 0 deletions
--- a/doc/topics/releases/2015.8.13.rst
+++ b/doc/topics/releases/2015.8.13.rst
@ -5,6 +5,26 @@ Salt 2015.8.13 Release Notes
 Version 2015.8.13 is a bugfix release for :ref:`2015.8.0 <release-2015-8-0>`.


+Security Fixes
+==============
+
+CVE-2017-5192: local_batch client external authentication not respected
+
+The ``LocalClient.cmd_batch()`` method client does not accept ``external_auth``
+credentials and so access to it from salt-api has been removed for now. This
+vulnerability allows code execution for already-authenticated users and is only
+in effect when running salt-api as the ``root`` user.
+
+CVE-2017-5200: Salt-api allows arbitrary command execution on a salt-master via
+Salt's ssh_client
+
+Users of Salt-API and salt-ssh could execute a command on the salt master via a
+hole when both systems were enabled.
+
+We recommend everyone on the 2015.8 branch upgrade to a patched release as soon
+as possible.
+
+
 Changes for v2015.8.12..v2015.8.13
 ----------------------------------