Salt 2016.11.7 Released - Security Advisory
Megan Wilhite
Salt 2016.11.7 is now live.
Release notes can be found here:
https://docs.saltstack.com/en/2016.11/topics/releases/2016.11.7.html
Instructions for installing the packages can be found here:
http://repo.saltstack.com/2016.11.html
Sources are available on PyPI:
https://pypi.python.org/pypi/salt/2016.11.7
----------------
2016.11.7 is a security release and contains minimal fixes. The following CVE was fixed as part of this release:
CVE-2017-12791 Maliciously crafted minion IDs can cause unwanted directory traversals on the Salt-master
Correct a flaw in minion id validation which could allow certain minions to authenticate to a master despite not having the correct credentials. To exploit the vulnerability, an attacker must create a salt-minion with an ID containing characters that will cause a directory traversal. Credit for discovering the security flaw goes to: Ver...@qq.com
NOTE: We are still currently continuing the following release tasks and will update here when they are completed: Building Docs for Release (This includes Release Notes) and Testing the Downloads of Live Packages.