Salt 2017.7.1 Released - Security Advisory

Megan Wilhite

Aug 15, 2017, 11:44:24 AM
to salt-announce

Salt 2017.7.1 is now live.


Release notes can be found here:

https://docs.saltstack.com/en/2017.7/topics/releases/2017.7.1.html


Instructions for installing the packages can be found here:

http://repo.saltstack.com/latest.html


Sources are available on PyPI:

https://pypi.python.org/pypi/salt/2017.7.1


----------------


2017.7.1 is a security release and contains minimal fixes. The following CVE was fixed as part of this release:


CVE-2017-12791 Maliciously crafted minion IDs can cause unwanted directory traversals on the Salt-master

Correct a flaw in minion id validation which could allow certain minions to authenticate to a master despite not having the correct credentials. To exploit the vulnerability, an attacker must create a salt-minion with an ID containing characters that will cause a directory traversal. Credit for discovering the security flaw goes to: Ver...@qq.com


NOTE: We are still currently continuing the following release tasks and will update here when they are completed: Building Docs for Release (This includes Release Notes) and Testing the Downloads of Live Packages.
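
The class of check the CVE description refers to, as an added example that is not part of the original announcement and is not Salt's own code: an ID is accepted only if it passes an allow-list and, once joined to the key directory, resolves to a file directly inside it. The function names, the ID pattern and the directory path are assumptions made for this illustration.

```python
import os
import re

# Assumed policy for this example: hostname-like IDs, at most 253 characters.
_ID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,252}")


def is_safe_minion_id(minion_id, keys_dir):
    """True only if minion_id names a file directly inside keys_dir."""
    # Allow-list first: rejects '/', '\\', NUL, whitespace and a leading '.'.
    # fullmatch() matters: with match() and '$', "web01\n" would pass.
    if not isinstance(minion_id, str) or not _ID_RE.fullmatch(minion_id):
        return False
    # Containment check as a second layer: resolve the final path and
    # require its parent to be exactly the key directory.
    root = os.path.realpath(keys_dir)
    candidate = os.path.realpath(os.path.join(root, minion_id))
    return os.path.dirname(candidate) == root


def audit_ids(minion_ids, keys_dir):
    """Split IDs into (accepted, rejected) so rejected ones can be logged."""
    accepted, rejected = [], []
    for mid in minion_ids:
        (accepted if is_safe_minion_id(mid, keys_dir) else rejected).append(mid)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample IDs, not taken from the advisory.
    KEYS_DIR = "/tmp/example-pki/minions"  # hypothetical path
    samples = ["web01.example.com", "../web01", "a/b", "..", "web01\n", ""]
    ok, bad = audit_ids(samples, KEYS_DIR)
    print("accepted:", ok)
    print("rejected:", [repr(s) for s in bad])
```
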


Megan Wilhite

Aug 15, 2017, 3:32:35 PM
to salt-announce
The remaining release tasks stated above have been completed. 

Announcements:

Fedora 26 Packages

With the New Release of Fedora 26 we are now building packages for Fedora 26 going forward. The packages are currently waiting to go into the stable repo for 2017.7.1 and will be migrated soon.


Final 2017.7 Release of Fedora 24 Packages

End of Life Support for Fedora 24 ended August 8, 2017. As a result, 2017.7.0 is the last Salt release on this branch for which Fedora 24 packages are created.
