Merge pull request #8 from saltstack/releasenotes_30002
Update 3000.2 release notes
dwoz authored Apr 29, 2020
2 parents 3d99b10 + 2ac6634 commit 37668c3
Showing 1 changed file with 19 additions and 0 deletions.
19 changes: 19 additions & 0 deletions doc/topics/releases/3000.2.rst
Expand Up @@ -22,3 +22,22 @@ An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2
The salt-master process ClearFuncs class allows access to some methods
that improperly sanitize paths. These methods allow arbitrary
directory access to authenticated users.


Known Issue
===========

Part of the fix for CVE-2020-11651 added better validation of the methods allowed to be called by remote clients.
Both AESFuncs and ClearFuncs now have an explicit list of methods that can be called.
The name of one of these whitlisted methods on AESFuncs had a typo.
The _minion_runner method should be minion_runner (without the underscore prefix).
This typo breaks the publish module’s runner method.
Calling runners, for example:

.. code-block:: bash
salt minion publish.runner manage.down
Will not work, and you will receive and empty reply from the salt master.

This will be addressed in the Sodium release of Salt set for mid-June 2020.
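Review bot: The added Known Issue text has two typos that change how it reads: "whitlisted" should be "whitelisted" in the AESFuncs sentence, and "you will receive and empty reply" should be "you will receive an empty reply". As shown in this hunk, the `salt minion publish.runner manage.down` line follows `.. code-block:: bash` with no blank line and no indentation; the directive needs a blank line and an indented body, otherwise the command will not render as a code block. The line after it, "Will not work, and you will receive ...", is a fragment that depends on "Calling runners, for example:" before the block, so consider rewording it into one complete sentence that survives the block being rendered between the two halves.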
