-
Notifications
You must be signed in to change notification settings - Fork 5.5k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
41 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
.. _release-3000-7: | ||
|
||
=========================== | ||
Salt 3000.7 Release Notes | ||
=========================== | ||
|
||
Version 3000.7 is a CVE fix release for :ref:`3000 <release-3000>`. | ||
|
||
Fixed | ||
----- | ||
|
||
- CVE-2020-28243 - Fix local privilege escalation in the restartcheck module. | ||
|
||
- CVE-2020-28972 - Ensure authentication to vcenter, vsphere, and esxi server | ||
validates the SSL/TLS certificate by default. If you want to skip SSL verification | ||
you can use `verify_ssl: False`. | ||
|
||
- CVE-2020-35662 - Ensure the asam runner, qingcloud, splunk returner, panos | ||
proxy, cimc proxy, zenoss module, esxi module, vsphere module, glassfish | ||
module, bigip module, and keystone module validate SSL by default. If you want | ||
to skip SSL verification you can use `verify_ssl: False`. | ||
|
||
- CVE-2021-3148 - Fix a command injection in the Salt-API when using the | ||
Salt-SSH client. | ||
|
||
- CVE-2021-3144 - Fix eauth tokens can be used once after expiration | ||
|
||
- CVE-2021-25281 - Fix salt-api so it honors eauth credentials for the | ||
wheel_async client. | ||
|
||
- CVE-2021-25282 - Fix the salt.wheel.pillar_roots.write method so it is not | ||
vulnerable to directory traversal. | ||
|
||
- CVE-2021-25283 - Fix the jinja render to protect against server side template | ||
injection attacks. | ||
|
||
- CVE-2021-25284 - Fix cmdmod so it will not log credentials to log levels info | ||
and error. | ||
|
||
- CVE-2021-3197 - Fix ssh client to remove ProxyCommand from arguments provided | ||
by cli and netapi. |