Merge changes from 2019.2.5 and 3000.3

This commit is contained in:
Frode Gundersen 2020-04-30 14:31:14 +00:00 committed by Daniel Wozniak
parent 6a6cc254c0
commit 5ab6ff8f48
23 changed files with 337 additions and 23 deletions


@ -23,10 +23,11 @@ Versions are `MAJOR.PATCH`.
- [#56637](https://github.com/saltstack/salt/pull/56637) - Add ``win_wua.installed`` to the ``win_wua`` execution module
## 3000.1
### 3000.3
### Removed
### Fixed
- [#57100](https://github.com/saltstack/salt/pull/57100) - Address Issues in CVE Release
### Deprecated
### Changed
- [#56751](https://github.com/saltstack/salt/pull/56751) - Backport 49981
@ -50,6 +51,13 @@ Versions are `MAJOR.PATCH`.
### Changed
- [#56730](https://github.com/saltstack/salt/pull/56730) - Backport #52992
### 3000.2
### Fixed
- [#56987](https://github.com/saltstack/salt/pull/56987) - CVE fix
### 3000.1
### Fixed
@ -86,7 +94,7 @@ Versions are `MAJOR.PATCH`.
### Added
## 3000 - Neon [2020-02-10]
### 3000 - Neon [2020-02-10]
### Removed


@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT-API" "1" "Apr 14, 2020" "3000.2" "Salt"
.TH "SALT-API" "1" "May 05, 2020" "3000.3" "Salt"
.SH NAME
salt-api \- salt-api Command
.


@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT-CALL" "1" "Apr 14, 2020" "3000.2" "Salt"
.TH "SALT-CALL" "1" "May 05, 2020" "3000.3" "Salt"
.SH NAME
salt-call \- salt-call Documentation
.


@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT-CLOUD" "1" "Apr 14, 2020" "3000.2" "Salt"
.TH "SALT-CLOUD" "1" "May 05, 2020" "3000.3" "Salt"
.SH NAME
salt-cloud \- Salt Cloud Command
.


@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT-CP" "1" "Apr 14, 2020" "3000.2" "Salt"
.TH "SALT-CP" "1" "May 05, 2020" "3000.3" "Salt"
.SH NAME
salt-cp \- salt-cp Documentation
.


@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT-KEY" "1" "Apr 14, 2020" "3000.2" "Salt"
.TH "SALT-KEY" "1" "May 05, 2020" "3000.3" "Salt"
.SH NAME
salt-key \- salt-key Documentation
.


@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT-MASTER" "1" "Apr 14, 2020" "3000.2" "Salt"
.TH "SALT-MASTER" "1" "May 05, 2020" "3000.3" "Salt"
.SH NAME
salt-master \- salt-master Documentation
.


@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT-MINION" "1" "Apr 14, 2020" "3000.2" "Salt"
.TH "SALT-MINION" "1" "May 05, 2020" "3000.3" "Salt"
.SH NAME
salt-minion \- salt-minion Documentation
.


@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT-PROXY" "1" "Apr 14, 2020" "3000.2" "Salt"
.TH "SALT-PROXY" "1" "May 05, 2020" "3000.3" "Salt"
.SH NAME
salt-proxy \- salt-proxy Documentation
.


@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT-RUN" "1" "Apr 14, 2020" "3000.2" "Salt"
.TH "SALT-RUN" "1" "May 05, 2020" "3000.3" "Salt"
.SH NAME
salt-run \- salt-run Documentation
.


@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT-SSH" "1" "Apr 14, 2020" "3000.2" "Salt"
.TH "SALT-SSH" "1" "May 05, 2020" "3000.3" "Salt"
.SH NAME
salt-ssh \- salt-ssh Documentation
.


@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT-SYNDIC" "1" "Apr 14, 2020" "3000.2" "Salt"
.TH "SALT-SYNDIC" "1" "May 05, 2020" "3000.3" "Salt"
.SH NAME
salt-syndic \- salt-syndic Documentation
.


@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT-UNITY" "1" "Apr 14, 2020" "3000.2" "Salt"
.TH "SALT-UNITY" "1" "May 05, 2020" "3000.3" "Salt"
.SH NAME
salt-unity \- salt-unity Command
.


@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT" "1" "Apr 14, 2020" "3000.2" "Salt"
.TH "SALT" "1" "May 05, 2020" "3000.3" "Salt"
.SH NAME
salt \- salt
.


@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT" "7" "Apr 14, 2020" "3000.2" "Salt"
.TH "SALT" "7" "May 05, 2020" "3000.3" "Salt"
.SH NAME
salt \- Salt Documentation
.
@ -24731,6 +24731,11 @@ Run masterless\-mode minions on
particularly sensitive minions. There is also salt\-ssh or the
\fBmodules.sudo\fP if you need to further restrict
a minion.
.IP \(bu 2
Monitor specific security releated log messages. Salt \fBsalt\-master\fP logs
attempts to access methods which are not exposed to network clients. These log
messages are logged at the \fBerror\fP log level and start with \fBRequested
method not exposed\fP\&.
.UNINDENT
.SS Security disclosure policy
.INDENT 0.0
@ -182965,7 +182970,7 @@ Passes through all the parameters described in the
\fI\%utils.http.query function\fP:
.INDENT 7.0
.TP
.B salt.utils.http.query(url, method=u\(aqGET\(aq, params=None, data=None, data_file=None, header_dict=None, header_list=None, header_file=None, username=None, password=None, auth=None, decode=False, decode_type=u\(aqauto\(aq, status=False, headers=False, text=False, cookies=None, cookie_jar=None, cookie_format=u\(aqlwp\(aq, persist_session=False, session_cookie_jar=None, data_render=False, data_renderer=None, header_render=False, header_renderer=None, template_dict=None, test=False, test_url=None, node=u\(aqminion\(aq, port=80, opts=None, backend=None, ca_bundle=None, verify_ssl=None, cert=None, text_out=None, headers_out=None, decode_out=None, stream=False, streaming_callback=None, header_callback=None, handle=False, agent=u\(aqSalt/3000.1\(aq, hide_fields=None, raise_error=True, formdata=False, formdata_fieldname=None, formdata_filename=None, **kwargs)
.B salt.utils.http.query(url, method=u\(aqGET\(aq, params=None, data=None, data_file=None, header_dict=None, header_list=None, header_file=None, username=None, password=None, auth=None, decode=False, decode_type=u\(aqauto\(aq, status=False, headers=False, text=False, cookies=None, cookie_jar=None, cookie_format=u\(aqlwp\(aq, persist_session=False, session_cookie_jar=None, data_render=False, data_renderer=None, header_render=False, header_renderer=None, template_dict=None, test=False, test_url=None, node=u\(aqminion\(aq, port=80, opts=None, backend=None, ca_bundle=None, verify_ssl=None, cert=None, text_out=None, headers_out=None, decode_out=None, stream=False, streaming_callback=None, header_callback=None, handle=False, agent=u\(aqSalt/3000.2\(aq, hide_fields=None, raise_error=True, formdata=False, formdata_fieldname=None, formdata_filename=None, **kwargs)
Query a resource, and decode the return data
.UNINDENT
.INDENT 7.0
@ -434701,6 +434706,47 @@ a5179434e7 Merge branch \(aqmaster\(aq into pdbedit_55185
95d46d6cc8 \fI\%#55185\fP pdbedit module should check for version 4.8.x or newer
.UNINDENT
.UNINDENT
.SS Salt 3000.2 Release Notes
.sp
Version 3000.2 is a CVE\-fix release for 3000\&.
.SS Security Fix
.sp
\fBCVE\-2020\-11651\fP
.sp
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2.
The salt\-master process ClearFuncs class does not properly validate
method calls. This allows a remote user to access some methods without
authentication. These methods can be used to retrieve user tokens from
the salt master and/or run arbitrary commands on salt minions.
.sp
\fBCVE\-2020\-11652\fP
.sp
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2.
The salt\-master process ClearFuncs class allows access to some methods
that improperly sanitize paths. These methods allow arbitrary
directory access to authenticated users.
.SS Known Issue
.sp
Part of the fix for CVE\-2020\-11651 added better validation of the methods allowed to be called by remote clients.
Both AESFuncs and ClearFuncs now have an explicit list of methods that can be called.
The name of one of these whitlisted methods on AESFuncs had a typo.
The _minion_runner method should be minion_runner (without the underscore prefix).
This typo breaks the publish modules runner method.
Calling runners, for example:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
salt minion publish.runner manage.down
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
Will not work, and you will receive and empty reply from the salt master.
.sp
This will be addressed in the Sodium release of Salt set for mid\-June 2020.
.SS Salt 2019.2.0 Release Notes \- Codename Fluorine
.SS Python 2.7 Deprecation
.sp
@ -444372,6 +444418,47 @@ With the Salt NetAPI enabled in addition to having a SSH roster defined,
unauthenticated access is possible when specifying the client as SSH.
Additionally, when the raw_shell option is specified any arbitrary command
may be run on the Salt master when specifying SSH options.
.SS Salt 2019.2.4 Release Notes
.sp
Version 2019.2.4 is a CVE\-fix release for 2019.2.0\&.
.SS Security Fix
.sp
\fBCVE\-2020\-11651\fP
.sp
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2.
The salt\-master process ClearFuncs class does not properly validate
method calls. This allows a remote user to access some methods without
authentication. These methods can be used to retrieve user tokens from
the salt master and/or run arbitrary commands on salt minions.
.sp
\fBCVE\-2020\-11652\fP
.sp
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2.
The salt\-master process ClearFuncs class allows access to some methods
that improperly sanitize paths. These methods allow arbitrary
directory access to authenticated users.
.SS Known Issue
.sp
Part of the fix for CVE\-2020\-11651 added better validation of the methods allowed to be called by remote clients.
Both AESFuncs and ClearFuncs now have an explicit list of methods that can be called.
The name of one of these whitlisted methods on AESFuncs had a typo.
The _minion_runner method should be minion_runner (without the underscore prefix).
This typo breaks the publish modules runner method.
Calling runners, for example:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
salt minion publish.runner manage.down
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
Will not work, and you will receive and empty reply from the salt master.
.sp
This will be addressed in the Sodium release of Salt set for mid\-June 2020.
.SS Salt 2018.3.0 Release Notes \- Codename Oxygen
.sp
\fBWARNING:\fP


@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "SPM" "1" "Apr 14, 2020" "3000.2" "Salt"
.TH "SPM" "1" "May 05, 2020" "3000.3" "Salt"
.SH NAME
spm \- Salt Package Manager Command
.


@ -22,3 +22,22 @@ An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2
The salt-master process ClearFuncs class allows access to some methods
that improperly sanitize paths. These methods allow arbitrary
directory access to authenticated users.
Known Issue
===========
Part of the fix for CVE-2020-11651 added better validation of the methods allowed to be called by remote clients.
Both AESFuncs and ClearFuncs now have an explicit list of methods that can be called.
The name of one of these whitlisted methods on AESFuncs had a typo.
The _minion_runner method should be minion_runner (without the underscore prefix).
This typo breaks the publish modules runner method.
Calling runners, for example:
.. code-block:: bash
salt minion publish.runner manage.down
Will not work, and you will receive and empty reply from the salt master.
This will be addressed in the Sodium release of Salt set for mid-June 2020.


@ -0,0 +1,52 @@
===========================
Salt 2019.2.5 Release Notes
===========================
Version 2019.2.5 is a bug-fix release for :ref:`2019.2.0 <release-2019-2-0>`.
Statistics
==========
- Total Merges: **2**
- Total Issue References: **2**
- Total PR References: **2**
- Contributors: **2** (`dwoz`_, `frogunder`_)
Changelog for v2019.2.4..v2019.2.5
==================================
*Generated at: 2020-05-05 22:43:12 UTC*
* **PR** `#57096`_: (`frogunder`_) Update man_pages 2019.2.5
@ *2020-05-05 22:10:46 UTC*
* 6877b7259a Merge pull request `#57096`_ from frogunder/man_pages_2019.2.5
* 58ea351a59 Update man_pages 2019.2.5
* **ISSUE** `#57027`_: (`ecarson`_) [BUG] Master running 2019.2.4 or 3000.2 unable to synchronize files using saltutil.sync_all to 2017.7.1 minion due to CVE fix (refs: `#57090`_)
* **ISSUE** `#57016`_: (`idontwanttosignin`_) [BUG] Requested method not exposed: minion_runner (refs: `#57090`_)
* **PR** `#57090`_: (`dwoz`_) Address Issues in CVE Release
@ *2020-05-05 22:09:25 UTC*
* 8fe0f66f94 Merge pull request `#57090`_ from dwoz/bugs_n_stuff
* f3e8590bac Describe SEPs
* aa1a9d340d Update hardening doc to mention 4505/4506
* ca303f7c0c Add link to salt-announce to documentation
* c63253ef9c Address issues in cve release
.. _`#57016`: https://github.com/saltstack/salt/issues/57016
.. _`#57027`: https://github.com/saltstack/salt/issues/57027
.. _`#57090`: https://github.com/saltstack/salt/pull/57090
.. _`#57096`: https://github.com/saltstack/salt/pull/57096
.. _`dwoz`: https://github.com/dwoz
.. _`ecarson`: https://github.com/ecarson
.. _`frogunder`: https://github.com/frogunder
.. _`idontwanttosignin`: https://github.com/idontwanttosignin


@ -0,0 +1,39 @@
===========================
Salt 3000.3 Release Notes
===========================
Version 3000.3 is a bug-fix release for :ref:`3000 <release-3000>`.
Statistics
==========
- Total Merges: **2**
- Total Issue References: **2**
- Total PR References: **2**
- Contributors: **2** (`dwoz`_, `frogunder`_)
Changelog for v3000.2..v3000.3
==============================
*Generated at: 2020-05-06 02:53:12 UTC*
* **PR** `#57097`_: (`frogunder`_) Update man_pages 3000.3
@ *2020-05-05 22:13:09 UTC*
* **ISSUE** `#57027`_: (`ecarson`_) [BUG] Master running 2019.2.4 or 3000.2 unable to synchronize files using saltutil.sync_all to 2017.7.1 minion due to CVE fix (refs: `#57100`_)
* **ISSUE** `#57016`_: (`idontwanttosignin`_) [BUG] Requested method not exposed: minion_runner (refs: `#57100`_)
* **PR** `#57100`_: (`dwoz`_) Address Issues in CVE Release
@ *2020-05-05 22:09:25 UTC*
.. _`#57016`: https://github.com/saltstack/salt/issues/57016
.. _`#57027`: https://github.com/saltstack/salt/issues/57027
.. _`#57097`: https://github.com/saltstack/salt/pull/57097
.. _`#57100`: https://github.com/saltstack/salt/pull/57100
.. _`dwoz`: https://github.com/dwoz
.. _`ecarson`: https://github.com/ecarson
.. _`frogunder`: https://github.com/frogunder
.. _`idontwanttosignin`: https://github.com/idontwanttosignin


@ -1243,16 +1243,15 @@ class AESFuncs(TransportMethods):
"_handle_minion_event",
"_return",
"_syndic_return",
"_minion_runner",
"minion_runner",
"pub_ret",
"minion_pub",
"minion_publish",
"revoke_auth",
"run_func",
"_serve_file",
"_file_find",
"_file_hash",
"_file_find_and_stat",
"_file_hash_and_stat",
"_file_list",
"_file_list_emptydirs",
"_dir_list",
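Review bot: The `expose_methods` list is the only thing standing between an authenticated minion and every other callable on `AESFuncs`, yet nothing in the hunk says so; a maintainer fixing the next typo (this one renames `_minion_runner` to `minion_runner`) gets no cue that an extra entry widens the network surface. I would add above the list: `# Methods reachable by authenticated minions over the AES channel (CVE-2020-11651).` followed by `# Every name must resolve to a real method; additions are security-reviewed and mirrored in TransportMethodsTest.` This page prints old and new lines without +/- markers, so whether `run_func` and `_file_find_and_stat` survive on the new side cannot be read from this section alone; the new test file's blacklist treats `run_func` as not exposed, so the two should be checked for agreement. The `AESFuncs` class and both ends of the list lie outside the hunk.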


@ -11,6 +11,7 @@ import os
# Import salt libs
import salt.config
import salt.utils.files
import salt.utils.verify
import salt.utils.yaml
# Import 3rd-party libs


@ -150,8 +150,9 @@ class ClearFuncsConfigTest(ConfigMixin, TestCase):
}
ret = clear_channel.send(msg, timeout=5)
assert not os.path.exists(
self.evil_file_path
os.path.join(self.conf_dir, "evil.conf")
), "Wrote file via directory traversal"
assert ret["data"]["return"] == "Invalid path"
class ClearFuncsFileRoots(ConfigMixin, TestCase):
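Review bot: The assertion now rebuilds the traversal target as `os.path.join(self.conf_dir, "evil.conf")` while the request `msg` that aims at that path is built above the hunk, so the two expressions can drift and the `not os.path.exists(...)` check would then pass even if a file were written somewhere else. Bind the target once where `msg` is constructed, `evil_path = os.path.join(self.conf_dir, "evil.conf")`, and use that same name in both the traversal payload and the assert. I cannot confirm from this page how the request path is formed, since the `msg` construction is outside the hunk. The enclosing test method and `ClearFuncsConfigTest` start outside the hunk.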


@ -24,6 +24,114 @@ class TransportMethodsTest(TestCase):
assert foo.get_method("bar") is not None
assert foo.get_method("bang") is None
def test_aes_funcs_white(self):
"""
Validate methods exposed on AESFuncs exist and are callable
"""
opts = salt.config.master_config(None)
aes_funcs = salt.master.AESFuncs(opts)
for name in aes_funcs.expose_methods:
func = getattr(aes_funcs, name, None)
assert callable(func)
def test_aes_funcs_black(self):
"""
Validate methods on AESFuncs that should not be called remotely
"""
opts = salt.config.master_config(None)
aes_funcs = salt.master.AESFuncs(opts)
# Any callable that should not explicitly be allowed should be added
# here.
blacklist_methods = [
"_AESFuncs__setup_fileserver",
"_AESFuncs__verify_load",
"_AESFuncs__verify_minion",
"_AESFuncs__verify_minion_publish",
"__class__",
"__delattr__",
"__dir__",
"__eq__",
"__format__",
"__ge__",
"__getattribute__",
"__gt__",
"__hash__",
"__init__",
"__init_subclass__",
"__le__",
"__lt__",
"__ne__",
"__new__",
"__reduce__",
"__reduce_ex__",
"__repr__",
"__setattr__",
"__sizeof__",
"__str__",
"__subclasshook__",
"get_method",
"run_func",
]
for name in dir(aes_funcs):
if name in aes_funcs.expose_methods:
continue
if not callable(getattr(aes_funcs, name)):
continue
assert name in blacklist_methods, name
def test_clear_funcs_white(self):
"""
Validate methods exposed on ClearFuncs exist and are callable
"""
opts = salt.config.master_config(None)
clear_funcs = salt.master.ClearFuncs(opts, {})
for name in clear_funcs.expose_methods:
func = getattr(clear_funcs, name, None)
assert callable(func)
def test_clear_funcs_black(self):
"""
Validate methods on ClearFuncs that should not be called remotely
"""
opts = salt.config.master_config(None)
clear_funcs = salt.master.ClearFuncs(opts, {})
blacklist_methods = [
"__class__",
"__delattr__",
"__dir__",
"__eq__",
"__format__",
"__ge__",
"__getattribute__",
"__gt__",
"__hash__",
"__init__",
"__init_subclass__",
"__le__",
"__lt__",
"__ne__",
"__new__",
"__reduce__",
"__reduce_ex__",
"__repr__",
"__setattr__",
"__sizeof__",
"__str__",
"__subclasshook__",
"_prep_auth_info",
"_prep_jid",
"_prep_pub",
"_send_pub",
"_send_ssh_pub",
"get_method",
]
for name in dir(clear_funcs):
if name in clear_funcs.expose_methods:
continue
if not callable(getattr(clear_funcs, name)):
continue
assert name in blacklist_methods, name
class ClearFuncsTestCase(TestCase):
"""
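Review bot: The two `*_black` tests never enforce their blacklist: the loop skips a name at `if name in aes_funcs.expose_methods: continue` (and its `clear_funcs` twin) before it is ever compared with `blacklist_methods`, so re-adding `run_func` or `_prep_auth_info` to `expose_methods` would pass both the white and the black tests. Add a disjointness check before each loop, `assert not set(blacklist_methods) & set(aes_funcs.expose_methods), "blacklisted method is exposed"`, and the matching line for `clear_funcs`. The dunder entries are CPython 3 spellings (`__init_subclass__`, `__dir__`); if this branch still runs under Python 2.7 the missing ones are harmless, because the assertion only fires for names `dir()` actually returns. `TransportMethodsTest` is opened above the hunk, and `ClearFuncsTestCase` at the bottom continues past it.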