AVG-159

Package salt
Status Fixed
Severity High
Type multiple issues
Affected 2016.11.1-1
Fixed 2016.11.2-1
Current 2018.3.1-1 [community]
Ticket None
Created Tue Jan 31 21:43:45 2017
Issue Severity Remote Type Description
CVE-2017-5200 High Yes Arbitrary command execution
Salt-api allows arbitrary command execution on a salt-master via Salt's ssh_client. Users of Salt-API and salt-ssh could execute a command on the salt...
CVE-2017-5192 High No Arbitrary code execution
The `LocalClient.cmd_batch()` method client does not accept `external_auth` credentials and so access to it from salt-api has been removed for now. This...
Date Advisory Package Description
31 Jan 2017 ASA-201701-41 salt multiple issues
References
https://groups.google.com/forum/#!msg/salt-announce/eP_kQiQdnvo/6cvBrwsqCAAJ
https://docs.saltstack.com/en/latest/topics/releases/2016.11.2.html