saltstack/salt
1
0
Fork 0
mirror of https://github.com/saltstack/salt.git synced 2025-04-17 10:10:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Update 3000.2 release notes

Browse source
This commit is contained in:
Frode Gundersen 2020-04-28 22:47:18 +00:00 committed by Daniel Wozniak
parent bf41cef232
commit c2bef0df93
1 changed files with 17 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
doc/topics/releases/3000.2.rst
View file

@ -22,3 +22,20 @@ An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2
The salt-master process ClearFuncs class allows access to some methods
that improperly sanitize paths. These methods allow arbitrary
directory access to authenticated users.
Known Issue
===========
Part of the fix for CVE-2020-11651 added better validation of the methods allowed to be called by remote clients.
Both AESFuncs and ClearFuncs now have an explicit list of methods that can be called.
The name of one of these whitlisted methods on AESFuncs had a typo.
The _minion_runner method should be minion_runner (without the underscore prefix).
This typo breaks the publish modules runner method.
Calling runners, for example:
.. code-block:: bash
salt minion publish.runner manage.down
Will not work, and you will receive and empty reply from the salt master.