AVG-159

Package salt
Status Fixed
Severity High
Type multiple issues
Affected 2016.11.1-1
Fixed 2016.11.2-1
Current Removed
Ticket None
Created Tue Jan 31 21:43:45 2017
Issue Severity Remote Type Description
CVE-2017-5200 High Yes Arbitrary command execution
Salt-api allows arbitrary command execution on a salt-master via Salt's ssh_client. Users of Salt-API and salt-ssh could execute a command on the salt...
CVE-2017-5192 High No Arbitrary code execution
The `LocalClient.cmd_batch()` method does not accept `external_auth` credentials, so access to it from salt-api has been removed for now. This...
Date Advisory Package Type
31 Jan 2017 ASA-201701-41 salt multiple issues
References
https://groups.google.com/forum/#!msg/salt-announce/eP_kQiQdnvo/6cvBrwsqCAAJ
https://docs.saltstack.com/en/latest/topics/releases/2016.11.2.html