Merge pull request #56095 from waynew/crypto-warning

Provide security advisory for PyCrypto

README.rst

@@ -34,6 +34,14 @@ documentation.
 
 `<https://docs.saltstack.com/en/latest/>`_
 
+Security Advisory
+=================
+
+For historical reasons, Salt requires PyCrypto as a "lowest common
+denominator". However, `PyCrypto is unmaintained`_ and best practice is to
+manually upgrade to use a more maintained library such as `PyCryptodome`_. See
+`Issue #52674`_ and `Issue #54115`_ for more info
+
 Engage SaltStack
 ================
 
@@ -66,3 +74,7 @@ services`_ offerings.
 .. _SaltStack education offerings: http://saltstack.com/training/
 .. _SaltStack Certified Engineer (SSCE): http://saltstack.com/certification/
 .. _SaltStack professional services: http://saltstack.com/services/
+.. _PyCrypto is unmaintained: https://github.com/dlitz/pycrypto/issues/301#issue-551975699
+.. _PyCryptodome: https://pypi.org/project/pycryptodome/
+.. _Issue #52674: https://github.com/saltstack/salt/issues/52674
+.. _Issue #54115: https://github.com/saltstack/salt/issues/54115

doc/topics/hardening.rst

@@ -10,6 +10,20 @@ heavily on how you use Salt, where you use Salt, how your team is structured,
 where you get data from, and what kinds of access (internal and external) you
 require.
 
+.. warning::
+
+    For historical reasons, Salt requires PyCrypto as a "lowest common
+    denominator". However, `PyCrypto is unmaintained`_ and best practice is to
+    manually upgrade to use a more maintained library such as `PyCryptodome`_. See
+    `Issue #52674`_ and `Issue #54115`_ for more info
+
+
+.. _PyCrypto is unmaintained: https://github.com/dlitz/pycrypto/issues/301#issue-551975699
+.. _PyCryptodome: https://pypi.org/project/pycryptodome/
+.. _Issue #52674: https://github.com/saltstack/salt/issues/52674
+.. _Issue #54115: https://github.com/saltstack/salt/issues/54115
+
+
 General hardening tips
 ======================
 

doc/topics/installation/index.rst

@@ -104,6 +104,21 @@ Salt should run on any Unix-like platform so long as the dependencies are met.
   * `PyCrypto`_ - The Python cryptography toolkit
 
 
+.. warning::
+
+    For historical reasons, Salt requires PyCrypto as a "lowest common
+    denominator". However, `PyCrypto is unmaintained`_ and best practice is to
+    manually upgrade to use a more maintained library such as `PyCryptodome`_. See
+    `Issue #52674`_ and `Issue #54115`_ for more info
+
+
+.. _PyCrypto is unmaintained: https://github.com/dlitz/pycrypto/issues/301#issue-551975699
+.. _PyCryptodome: https://pypi.org/project/pycryptodome/
+.. _Issue #52674: https://github.com/saltstack/salt/issues/52674
+.. _Issue #54115: https://github.com/saltstack/salt/issues/54115
+
+
+
 Salt defaults to the `ZeroMQ`_ transport. The ``--salt-transport`` installation
 option is available, but currently only supports the ``szeromq`` option. This
 may be expanded in the future.
@@ -178,3 +193,4 @@ dependencies, from which a platform specific repository can be built.
 
 https://github.com/saltstack/salt-pack
 
+

doc/topics/releases/3000.rst

@@ -4,6 +4,14 @@
 Salt 3000 Release Notes - Codename Neon
 =======================================
 
+Security Advisory
+=================
+
+For historical reasons, Salt requires PyCrypto as a "lowest common
+denominator". However, `PyCrypto is unmaintained`_ and best practice is to
+manually upgrade to use a more maintained library such as `PyCryptodome`_. See
+`Issue #52674`_ and `Issue #54115`_ for more info
+
 New Versioning
 ==============
 The neon release has removed the date versioning. Going forward we will
@@ -859,3 +867,9 @@ salt.auth.Authorize Class Removal
 - The salt.auth.Authorize Class inside of the `salt/auth/__init__.py` file has been removed and
   the `any_auth` method inside of the file `salt/utils/minions.py`. These method and classes were
   not being used inside of the salt code base.
+
+
+.. _PyCrypto is unmaintained: https://github.com/dlitz/pycrypto/issues/301#issue-551975699
+.. _PyCryptodome: https://pypi.org/project/pycryptodome/
+.. _Issue #52674: https://github.com/saltstack/salt/issues/52674
+.. _Issue #54115: https://github.com/saltstack/salt/issues/54115