Update 2015.8.13 release notes (#39037)

saltstack · Jan 30, 2017 · 5943fe6 · 5943fe6
1 parent 6869621
commit 5943fe6
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/doc/topics/releases/2015.8.13.rst b/doc/topics/releases/2015.8.13.rst
@@ -5,6 +5,26 @@ Salt 2015.8.13 Release Notes
 Version 2015.8.13 is a bugfix release for :ref:`2015.8.0 <release-2015-8-0>`.
 
 
+Security Fixes
+==============
+
+CVE-2017-5192: local_batch client external authentication not respected
+
+The ``LocalClient.cmd_batch()`` method client does not accept ``external_auth``
+credentials and so access to it from salt-api has been removed for now. This
+vulnerability allows code execution for already-authenticated users and is only
+in effect when running salt-api as the ``root`` user.
+
+CVE-2017-5200: Salt-api allows arbitrary command execution on a salt-master via
+Salt's ssh_client
+
+Users of Salt-API and salt-ssh could execute a command on the salt master via a
+hole when both systems were enabled.
+
+We recommend everyone on the 2015.8 branch upgrade to a patched release as soon
+as possible.
+
+
 Changes for v2015.8.12..v2015.8.13
 ----------------------------------