doc/topics/releases/2015.5.10.rst
:release: 2015-03-22
Version 2015.5.10 is a bugfix release for :ref:2015.5.0 <release-2015-5-0>.
CVE-2016-3176 Insecure configuration of PAM external authentication service
This issue affects all Salt versions prior to 2015.8.8/2015.5.10 when PAM
:ref:external authentication <acl-eauth> is enabled. This issue involves
passing an alternative PAM authentication service with a command that is sent
to :ref:LocalClient <local-client>, enabling the attacker to bypass the
configured authentication service. Thank you to Dylan Frese [email protected]
for bringing this issue to our attention.
This update defines the PAM eAuth service that users authenticate against
in the Salt Master configuration.
No additional fixes are included in this release.
Salt systemd service files are missing the following statement in these versions:
.. code-block:: ini
[Service]
KillMode=process
This statement must be added to successfully upgrade on these earlier versions of Salt.
Generated at: 2018-05-27 22:39:26 UTC