[3.5] salt: multiple issues (CVE-2017-5192, CVE-2017-5200)
CVE-2017-5192: local_batch client external authentication not respected
The `LocalClient.cmd_batch()` method client does not accept
`external_auth` credentials and so access to it from salt-api has
been
removed for now. This vulnerability allows code execution for already-
authenticated users and is only in effect when running salt-api as the
`root` user.
Fixed In Version:
salt 2015.8.13, salt 2016.3.5, salt 2016.11.2
Reference:
https://docs.saltstack.com/en/latest/topics/releases/2016.11.2.html
CVE-2017-5200: Salt-api allows arbitrary command execution on a salt-master via Salt’s ssh_client
Users of Salt-API and salt-ssh could execute a command on
the salt master via a hole when both systems were enabled.
Fixed In Version:
salt 2015.8.13, salt 2016.3.5, salt 2016.11.2
Reference:
https://docs.saltstack.com/en/latest/topics/releases/2016.11.2.html
(from redmine: issue id 6803, created on 2017-02-02, closed on 2017-02-06)
- Changesets:
- Revision e8237cd8 by Sergei Lukin on 2017-02-06T09:19:25Z:
community/salt: security upgrade to 2016.11.2 - fixes #6803
CVE-2017-5192: local_batch client external authentication not respected
CVE-2017-5200: Salt-api allows arbitrary command execution on a salt-master via Salt's ssh_client