Merge pull request #39047 from rallytime/merge-2016.3

[2016.3] Merge forward from 2015.8 to 2016.3

doc/topics/releases/2015.8.13.rst

@@ -5,6 +5,26 @@ Salt 2015.8.13 Release Notes
 Version 2015.8.13 is a bugfix release for :ref:`2015.8.0 <release-2015-8-0>`.
 
 
+Security Fixes
+==============
+
+CVE-2017-5192: local_batch client external authentication not respected
+
+The ``LocalClient.cmd_batch()`` method client does not accept ``external_auth``
+credentials and so access to it from salt-api has been removed for now. This
+vulnerability allows code execution for already-authenticated users and is only
+in effect when running salt-api as the ``root`` user.
+
+CVE-2017-5200: Salt-api allows arbitrary command execution on a salt-master via
+Salt's ssh_client
+
+Users of Salt-API and salt-ssh could execute a command on the salt master via a
+hole when both systems were enabled.
+
+We recommend everyone on the 2015.8 branch upgrade to a patched release as soon
+as possible.
+
+
 Changes for v2015.8.12..v2015.8.13
 ----------------------------------
 

doc/topics/releases/2015.8.14.rst

@@ -0,0 +1,5 @@
+============================
+Salt 2015.8.14 Release Notes
+============================
+
+Version 2015.8.14 is a bugfix release for :ref:`2015.8.0 <release-2015-8-0>`.