saltstack/salt
1
0
Fork 0
mirror of https://github.com/saltstack/salt.git synced 2025-04-17 10:10:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Add release notes for 3000.2

Browse source
This commit is contained in:
Daniel A. Wozniak 2020-04-13 07:09:05 +00:00 committed by Daniel Wozniak
parent af10a8e5a1
commit bf41cef232
1 changed files with 24 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
doc/topics/releases/3000.2.rst Normal file
View file

@ -0,0 +1,24 @@
===========================
Salt 3000.2 Release Notes
===========================
Version 3000.2 is a CVE-fix release for :ref:`3000 <release-3000>`.
Security Fix
============
**CVE-2020-11651**
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2.
The salt-master process ClearFuncs class does not properly validate
method calls. This allows a remote user to access some methods without
authentication. These methods can be used to retrieve user tokens from
the salt master and/or run arbitrary commands on salt minions.
**CVE-2020-11652**
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2.
The salt-master process ClearFuncs class allows access to some methods
that improperly sanitize paths. These methods allow arbitrary
directory access to authenticated users.