Mirror of https://github.com/saltstack/salt.git, synced 2025-04-16 09:40:20 +00:00

* Fix CVE-2020-16846
  Stop calling Popen with shell=True to prevent shell injection attacks on the netapi salt-ssh client.
* Add tests to verify strict permissions on private keys
* Set mode of key files to 0600 instead of leaving them world readable
* Apply pre-commit fixes
* Open files with proper permissions
* Add cve id to changelog
* Security docs updates with newer resource links
* Changelog/Releasenotes update 3001.2
* Add man_pages 3001.2
* cve-2020-17490 consistency hotfix
* Tests and fix for CVE-2020-25592
* Update man pages 3001.3
* Clear up requirements for salt-api+ssh
* Add ssh_options to roster docs
* Update changelog / releasenotes 3001.3
* Do not overwrite master keys
  salt-api should not overwrite the master's keys when it starts up. Give salt-api its own cache directory and set of keys.
* Update for 3002.1 Release
* Update releasenotes
* Fix typos and pre-commit
* Fix spelling issue
* Fix pre-commit
* Update 2019.2.6.rst
  Fix doc

Co-authored-by: Jasper Lievisse Adriaanse <j@jasper.la>
Co-authored-by: ScriptAutomate <derek@icanteven.io>
Co-authored-by: Frode Gundersen <fgundersen@saltstack.com>
Co-authored-by: Ken Crowell <kcrowell@saltstack.com>
Co-authored-by: Sage the Rage <36676171+sagetherage@users.noreply.github.com>
476 B
Salt 3001.3 Release Notes
Version 3001.3 is a CVE fix release for 3001 <release-3001>.
Fixed
- Properly validate eauth credentials and tokens along with their ACLs. Prior to this change, eauth was not properly validated when calling Salt ssh via the salt-api. Any value for 'eauth' or 'token' would allow a user to bypass authentication and make calls to Salt ssh. (CVE-2020-25592)
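A simplified model of the check this entry describes, added here as an illustration and not taken from Salt's code: the flawed gate only tests that an `eauth` or `token` key is present, while the corrected path resolves the token or credentials and then applies the ACL. The token store, password table, ACL layout and all function names are hypothetical.

```python
import hmac
import time

# Constructed sample data (hypothetical layout, not Salt's data structures).
TOKENS = {"6d1f0c9a2b": {"user": "alice", "eauth": "pam", "expire": 4102444800}}
PASSWORDS = {("pam", "alice"): "correct horse"}  # stand-in for an eauth backend
ACLS = {("pam", "alice"): {"ssh": {"test.ping", "grains.items"}}}


class AuthError(Exception):
    """Raised when a request must be rejected."""


def presence_only(low):
    """The flawed gate: true whenever either key exists, whatever its value."""
    return "eauth" in low or "token" in low


def authenticate(low, now=None):
    """Return (eauth, user) only for a valid token or valid eauth credentials."""
    now = time.time() if now is None else now
    if "token" in low:
        rec = TOKENS.get(str(low["token"]))
        if rec is None or rec["expire"] <= now:
            raise AuthError("unknown or expired token")
        return rec["eauth"], rec["user"]
    key = (low.get("eauth"), low.get("username"))
    expected = PASSWORDS.get(key)
    supplied = str(low.get("password", ""))
    # Constant-time comparison of the supplied password with the stored one.
    if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
        raise AuthError("bad eauth credentials")
    return key


def authorize(low):
    """Authenticate first, then require the client and function to be in the ACL."""
    identity = authenticate(low)
    allowed = ACLS.get(identity, {}).get(low.get("client"), set())
    if low.get("fun") not in allowed:
        raise AuthError("function not permitted by ACL")
    return identity
```

A request carrying an arbitrary `token` or `eauth` value satisfies `presence_only` but is rejected by `authorize`, which also refuses a valid identity calling a function outside its ACL.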