salt/doc/topics/releases/2015.5.10.rst
Erik Johnson 93ee5ee2b0
Fix all Sphinx warnings
Well, all but one, which we expect to see
2018-05-31 15:28:25 -05:00

47 lines
1.4 KiB
ReStructuredText

============================
Salt 2015.5.10 Release Notes
============================
:release: 2015-03-22
Version 2015.5.10 is a bugfix release for :ref:`2015.5.0 <release-2015-5-0>`.
Security Fix
============
**CVE-2016-3176** Insecure configuration of PAM external authentication service
This issue affects all Salt versions prior to 2015.8.8/2015.5.10 when PAM
:ref:`external authentication <acl-eauth>` is enabled. This issue involves
passing an alternative PAM authentication service with a command that is sent
to :ref:`LocalClient <local-client>`, enabling the attacker to bypass the
configured authentication service. Thank you to Dylan Frese <dmfrese@gmail.com>
for bringing this issue to our attention.
This update defines the PAM eAuth ``service`` that users authenticate against
in the Salt Master configuration.
No additional fixes are included in this release.
Read Before Upgrading Debian 8 (Jessie) from Salt Versions Earlier than 2015.5.9
================================================================================
Salt ``systemd`` service files are missing the following statement in these versions:
.. code-block:: ini
[Service]
KillMode=process
This statement must be added to successfully upgrade on these earlier versions
of Salt.
Changelog for v2015.5.9..v2015.5.10
===================================
*Generated at: 2018-05-27 22:39:26 UTC*
* 69ba1de71d Remove ability of authenticating user to specify pam service