salt/doc/topics/releases/2015.8.13.rst

============================
Salt 2015.8.13 Release Notes
============================

Version 2015.8.13 is a bugfix release for :ref:`2015.8.0 <release-2015-8-0>`.


Security Fixes
==============

CVE-2017-5192: local_batch client external authentication not respected

The ``LocalClient.cmd_batch()`` method client does not accept ``external_auth``
credentials and so access to it from salt-api has been removed for now. This
vulnerability allows code execution for already-authenticated users and is only
in effect when running salt-api as the ``root`` user.

CVE-2017-5200: Salt-api allows arbitrary command execution on a salt-master via
Salt's ssh_client

Users of Salt-API and salt-ssh could execute a command on the salt master via a
hole when both systems were enabled.

We recommend everyone on the 2015.8 branch upgrade to a patched release as soon
as possible.


Changes for v2015.8.12..v2015.8.13
----------------------------------

Extended changelog courtesy of Todd Stansell (https://github.com/tjstansell/salt-changelogs):

*Generated at: 2017-01-09T21:17:06Z*

Statistics:

- Total Merges: **3**
- Total Issue references: **3**
- Total PR references: **5**

Changes:

* 3428232 Clean up tests and docs for batch execution
* 3d8f3d1 Remove batch execution from NetapiClient and Saltnado
* 97b0f64 Lintfix
* d151666 Add explanation comment
* 62f2c87 Add docstring
* 9b0a786 Explain what it is about and how to configure that
* 5ea3579 Pick up a specified roster file from the configured locations
* 3a8614c Disable custom rosters in API
* c0e5a11 Add roster disable flag
Add release notes for 2015.8.13 2017-01-09 21:25:31 +00:00			`============================`
			`Salt 2015.8.13 Release Notes`
			`============================`

			Version 2015.8.13 is a bugfix release for :ref:`2015.8.0 <release-2015-8-0>`.


Update 2015.8.13 release notes (#39037) 2017-01-30 22:39:33 +00:00			`Security Fixes`
			`==============`

			`CVE-2017-5192: local_batch client external authentication not respected`

			The ``LocalClient.cmd_batch()`` method client does not accept ``external_auth``
			`credentials and so access to it from salt-api has been removed for now. This`
			`vulnerability allows code execution for already-authenticated users and is only`
			in effect when running salt-api as the ``root`` user.

			`CVE-2017-5200: Salt-api allows arbitrary command execution on a salt-master via`
			`Salt's ssh_client`

			`Users of Salt-API and salt-ssh could execute a command on the salt master via a`
			`hole when both systems were enabled.`

			`We recommend everyone on the 2015.8 branch upgrade to a patched release as soon`
			`as possible.`


Add release notes for 2015.8.13 2017-01-09 21:25:31 +00:00			`Changes for v2015.8.12..v2015.8.13`
			`----------------------------------`

			`Extended changelog courtesy of Todd Stansell (https://github.com/tjstansell/salt-changelogs):`

			`Generated at: 2017-01-09T21:17:06Z`

			`Statistics:`

			`- Total Merges: 3`
			`- Total Issue references: 3`
			`- Total PR references: 5`

			`Changes:`

			`* 3428232 Clean up tests and docs for batch execution`
			`* 3d8f3d1 Remove batch execution from NetapiClient and Saltnado`
			`* 97b0f64 Lintfix`
			`* d151666 Add explanation comment`
			`* 62f2c87 Add docstring`
			`* 9b0a786 Explain what it is about and how to configure that`
			`* 5ea3579 Pick up a specified roster file from the configured locations`
			`* 3a8614c Disable custom rosters in API`
			`* c0e5a11 Add roster disable flag`