Salt 2016.3.7 Released - Security Advisory


Megan Wilhite

Aug 15, 2017, 11:43:05 AM
to salt-announce

Salt 2016.3.7 is now live.


Release notes can be found here:

https://docs.saltstack.com/en/2016.3/topics/releases/2016.3.7.html


Instructions for installing the packages can be found here:

http://repo.saltstack.com/2016.3.html


Sources are available on PyPI:

https://pypi.python.org/pypi/salt/2016.3.7


----------------


2017.6.7 is a security release and contains minimal fixes. The following CVE was fixed as part of this release:


CVE-2017-12791 Maliciously crafted minion IDs can cause unwanted directory traversals on the Salt-master

Correct a flaw in minion id validation which could allow certain minions to authenticate to a master despite not having the correct credentials. To exploit the vulnerability, an attacker must create a salt-minion with an ID containing characters that will cause a directory traversal. Credit for discovering the security flaw goes to: Ver...@qq.com


NOTE: We are still currently continuing the following release tasks and will update here when they are completed: Building Docs for Release (This includes Release Notes) and Testing the Downloads of Live Packages.


----------------


Please note that the 2016.3 branch is in Phase 3 (CVE-only) support until November 2017 at which time it will enter extended-life support.

For more information on our branch lifecycles and product support, see: https://saltstack.com/product-support-lifecycle/
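
An illustration of the kind of minion ID check this advisory concerns, added here as an example and not Salt's actual patch or code: an ID that will be used as a key file name is accepted only if it resolves to a file directly inside the key directory. The function names and the `/srv/example/pki/minions` directory are assumptions made for the illustration.

```python
import os

# Characters that must never appear in an ID that becomes a file name.
FORBIDDEN = ("/", "\\", "\0")


def is_safe_minion_id(pki_dir, minion_id):
    """Return True only if minion_id maps to a file directly inside pki_dir."""
    if not isinstance(minion_id, str) or not minion_id:
        return False
    # Syntactic check: no separators, NUL bytes or dot-only names.
    if any(ch in minion_id for ch in FORBIDDEN) or minion_id in (".", ".."):
        return False
    # Containment check: the resolved path must sit directly in pki_dir,
    # which also rejects an existing symlink that points somewhere else.
    base = os.path.realpath(pki_dir)
    target = os.path.realpath(os.path.join(base, minion_id))
    return os.path.dirname(target) == base


def key_path(pki_dir, minion_id):
    """Build the key file path, refusing IDs that fail validation."""
    if not is_safe_minion_id(pki_dir, minion_id):
        raise ValueError("rejected minion id: %r" % (minion_id,))
    return os.path.join(os.path.realpath(pki_dir), minion_id)


if __name__ == "__main__":
    pki = "/srv/example/pki/minions"  # constructed directory, need not exist
    # Constructed sample IDs: one ordinary hostname and three malformed ones.
    for candidate in ("web01.example.com", "../other/web01", "..", "a\0b"):
        print(repr(candidate), is_safe_minion_id(pki, candidate))
```

Validating at the point where the ID is turned into a path, rather than only where it is first received, keeps every code path that touches the key directory behind the same check.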


Megan Wilhite

Aug 15, 2017, 3:33:02 PM
to salt-announce
The remaining release tasks stated above have been completed. 