ArchLinux: 201701-41: salt: multiple issues
Summary
- CVE-2017-5192 (arbitrary code execution)
The `LocalClient.cmd_batch()` client method does not accept
`external_auth` credentials, so access to it from salt-api has been
removed for now. This vulnerability allows code execution for already-
authenticated users and is only in effect when running salt-api as the
`root` user.
- CVE-2017-5200 (arbitrary command execution)
Salt-api allows arbitrary command execution on a salt-master via Salt's
ssh_client. Users of salt-api and salt-ssh could execute a command on
the salt master through this hole when both systems were enabled.
Resolution
Upgrade to 2016.11.2-1.
# pacman -Syu "salt>=2016.11.2-1"
The problems have been fixed upstream in version 2016.11.2.
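As an added check that is not part of the advisory, the script below decides whether an installed salt package predates the fixed 2016.11.2-1 release. It re-implements the epoch:pkgver-pkgrel ordering used by Arch's vercmp(8) for this example (modelled on libalpm's rpmvercmp, assuming ASCII version strings); feed it the version field printed by `pacman -Q salt`.

```python
import re

FIXED_VERSION = "2016.11.2-1"  # fixed package version from the advisory
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def _split_evr(version):
    # 'epoch:pkgver-pkgrel' -> (epoch, pkgver, pkgrel); epoch defaults to 0, pkgrel may be absent
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    pkgver, sep, pkgrel = rest.rpartition("-")
    return int(epoch), (pkgver if sep else rest), (pkgrel if sep else None)

def _rpmvercmp(a, b):
    # Segment-wise comparison modelled on libalpm's rpmvercmp (separator lengths ignored)
    ia = ib = 0
    while ia < len(a) and ib < len(b):
        while ia < len(a) and not a[ia].isalnum():  # skip separators such as '.'
            ia += 1
        while ib < len(b) and not b[ib].isalnum():
            ib += 1
        if ia >= len(a) or ib >= len(b):
            break
        ma, mb = _SEGMENT.match(a, ia), _SEGMENT.match(b, ib)
        sa, sb = ma.group(), mb.group()
        if sa.isdigit() != sb.isdigit():  # a numeric segment sorts after an alphabetic one
            return 1 if sa.isdigit() else -1
        if sa.isdigit():
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):  # longer number (leading zeros stripped) is larger
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        ia, ib = ma.end(), mb.end()
    ra, rb = a[ia:], b[ib:]
    if not ra and not rb:
        return 0
    return -1 if (not ra and not rb[:1].isalpha()) or ra[:1].isalpha() else 1  # 'rc1' sorts first

def vercmp(a, b):
    # -1, 0 or 1 like Arch's vercmp(8): compare epoch, then pkgver, then pkgrel
    (ea, va, ra), (eb, vb, rb) = _split_evr(a), _split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    result = _rpmvercmp(va, vb)
    return _rpmvercmp(ra, rb) if result == 0 and ra and rb else result

def is_affected(installed_version):
    return vercmp(installed_version, FIXED_VERSION) < 0  # True if older than the fix
```

Run `is_affected("<version>")` with the second field of `pacman -Q salt`; a True result means the host still needs the upgrade above.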
References
https://groups.google.com/forum/#!msg/salt-announce/eP_kQiQdnvo/6cvBrwsqCAAJ
https://docs.saltproject.io/en/latest/topics/releases/2016.11.2.html
https://security.archlinux.org/CVE-2017-5192
https://security.archlinux.org/CVE-2017-5200
Workaround
None.