diff --git a/CHANGELOG.md b/CHANGELOG.md index afe1a10c6693..51972aaf5168 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,18 @@ Versions are `MAJOR.PATCH`. # Changelog +Salt 3002.8 (2022-02-25) +======================== + +Security +-------- + +- Sign authentication replies to prevent MiTM (cve-2020-22935) +- Sign pillar data to prevent MiTM attacks. (cve-2022-22934) +- Prevent job and fileserver replays (cve-2022-22936) +- Fixed targeting bug, especially visible when using syndic and user auth. (CVE-2022-22941) (#60413) + + Salt 3002.7 (2021-08-20) ======================== diff --git a/changelog/60413.security b/changelog/60413.security deleted file mode 100644 index 14eecd9b0d2f..000000000000 --- a/changelog/60413.security +++ /dev/null @@ -1 +0,0 @@ -Fixed targeting bug, especially visible when using syndic and user auth. (CVE-2022-22941) diff --git a/changelog/cve-2020-22935.security b/changelog/cve-2020-22935.security deleted file mode 100644 index fd26c907b643..000000000000 --- a/changelog/cve-2020-22935.security +++ /dev/null @@ -1 +0,0 @@ -Sign authentication replies to prevent MiTM diff --git a/changelog/cve-2022-22934.security b/changelog/cve-2022-22934.security deleted file mode 100644 index 7e6c0ceccaf0..000000000000 --- a/changelog/cve-2022-22934.security +++ /dev/null @@ -1 +0,0 @@ -Sign pillar data to prevent MiTM attacks. diff --git a/changelog/cve-2022-22936.security b/changelog/cve-2022-22936.security deleted file mode 100644 index f33fdc83d4ad..000000000000 --- a/changelog/cve-2022-22936.security +++ /dev/null @@ -1 +0,0 @@ -Prevent job and fileserver replays diff --git a/doc/man/salt-api.1 b/doc/man/salt-api.1 index 00ca90af0219..8fe31b96dc3c 100644 --- a/doc/man/salt-api.1 +++ b/doc/man/salt-api.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT-API" "1" "Aug 20, 2021" "3002.7" "Salt" +.TH "SALT-API" "1" "Feb 25, 2022" "3002.8" "Salt" .SH NAME salt-api \- salt-api Command . 
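Review bot: The first Security entry in the CHANGELOG.md hunk is tagged `cve-2020-22935`, while the other three entries of this release carry 2022 ids (`cve-2022-22934`, `cve-2022-22936`, `CVE-2022-22941`). The year looks like a typo and should be checked against the published advisory before release, because operators search changelogs by CVE id to decide whether they are patched. The same string comes from the deleted fragment `changelog/cve-2020-22935.security` and is copied into the generated release notes in the last doc/man/salt.7 hunk of this diff. I would also normalise the ids to the upper-case form the last entry already uses, e.g. `- Sign pillar data to prevent MiTM attacks. (CVE-2022-22934)`.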
diff --git a/doc/man/salt-call.1 b/doc/man/salt-call.1 index 092773a59cac..2b807f56d859 100644 --- a/doc/man/salt-call.1 +++ b/doc/man/salt-call.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT-CALL" "1" "Aug 20, 2021" "3002.7" "Salt" +.TH "SALT-CALL" "1" "Feb 25, 2022" "3002.8" "Salt" .SH NAME salt-call \- salt-call Documentation . diff --git a/doc/man/salt-cloud.1 b/doc/man/salt-cloud.1 index 64349c4610bc..a18ab174cfdf 100644 --- a/doc/man/salt-cloud.1 +++ b/doc/man/salt-cloud.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT-CLOUD" "1" "Aug 20, 2021" "3002.7" "Salt" +.TH "SALT-CLOUD" "1" "Feb 25, 2022" "3002.8" "Salt" .SH NAME salt-cloud \- Salt Cloud Command . diff --git a/doc/man/salt-cp.1 b/doc/man/salt-cp.1 index ece265b3862e..20edab0ea122 100644 --- a/doc/man/salt-cp.1 +++ b/doc/man/salt-cp.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT-CP" "1" "Aug 20, 2021" "3002.7" "Salt" +.TH "SALT-CP" "1" "Feb 25, 2022" "3002.8" "Salt" .SH NAME salt-cp \- salt-cp Documentation . diff --git a/doc/man/salt-key.1 b/doc/man/salt-key.1 index 32fdb11b3a47..956b9df39dd3 100644 --- a/doc/man/salt-key.1 +++ b/doc/man/salt-key.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT-KEY" "1" "Aug 20, 2021" "3002.7" "Salt" +.TH "SALT-KEY" "1" "Feb 25, 2022" "3002.8" "Salt" .SH NAME salt-key \- salt-key Documentation . diff --git a/doc/man/salt-master.1 b/doc/man/salt-master.1 index 87f30a6ca296..73c50bf12857 100644 --- a/doc/man/salt-master.1 +++ b/doc/man/salt-master.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT-MASTER" "1" "Aug 20, 2021" "3002.7" "Salt" +.TH "SALT-MASTER" "1" "Feb 25, 2022" "3002.8" "Salt" .SH NAME salt-master \- salt-master Documentation . diff --git a/doc/man/salt-minion.1 b/doc/man/salt-minion.1 index b1b54dbbb219..d9bee0c9f746 100644 --- a/doc/man/salt-minion.1 +++ b/doc/man/salt-minion.1 
@@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT-MINION" "1" "Aug 20, 2021" "3002.7" "Salt" +.TH "SALT-MINION" "1" "Feb 25, 2022" "3002.8" "Salt" .SH NAME salt-minion \- salt-minion Documentation . diff --git a/doc/man/salt-proxy.1 b/doc/man/salt-proxy.1 index 6ac915a9eea0..b0eae2b6dab5 100644 --- a/doc/man/salt-proxy.1 +++ b/doc/man/salt-proxy.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT-PROXY" "1" "Aug 20, 2021" "3002.7" "Salt" +.TH "SALT-PROXY" "1" "Feb 25, 2022" "3002.8" "Salt" .SH NAME salt-proxy \- salt-proxy Documentation . diff --git a/doc/man/salt-run.1 b/doc/man/salt-run.1 index 9825c77ed7e5..10ddfdcab7c9 100644 --- a/doc/man/salt-run.1 +++ b/doc/man/salt-run.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT-RUN" "1" "Aug 20, 2021" "3002.7" "Salt" +.TH "SALT-RUN" "1" "Feb 25, 2022" "3002.8" "Salt" .SH NAME salt-run \- salt-run Documentation . diff --git a/doc/man/salt-ssh.1 b/doc/man/salt-ssh.1 index 98764eb7e98c..b8703dced3aa 100644 --- a/doc/man/salt-ssh.1 +++ b/doc/man/salt-ssh.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT-SSH" "1" "Aug 20, 2021" "3002.7" "Salt" +.TH "SALT-SSH" "1" "Feb 25, 2022" "3002.8" "Salt" .SH NAME salt-ssh \- salt-ssh Documentation . diff --git a/doc/man/salt-syndic.1 b/doc/man/salt-syndic.1 index 2e785f4a0adb..7aa695bf354b 100644 --- a/doc/man/salt-syndic.1 +++ b/doc/man/salt-syndic.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT-SYNDIC" "1" "Aug 20, 2021" "3002.7" "Salt" +.TH "SALT-SYNDIC" "1" "Feb 25, 2022" "3002.8" "Salt" .SH NAME salt-syndic \- salt-syndic Documentation . diff --git a/doc/man/salt-unity.1 b/doc/man/salt-unity.1 index 2f576e121a2a..a289f8673a13 100644 --- a/doc/man/salt-unity.1 +++ b/doc/man/salt-unity.1 
@@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT-UNITY" "1" "Aug 20, 2021" "3002.7" "Salt" +.TH "SALT-UNITY" "1" "Feb 25, 2022" "3002.8" "Salt" .SH NAME salt-unity \- salt-unity Command . diff --git a/doc/man/salt.1 b/doc/man/salt.1 index c389f9256041..156fcce7d877 100644 --- a/doc/man/salt.1 +++ b/doc/man/salt.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT" "1" "Aug 20, 2021" "3002.7" "Salt" +.TH "SALT" "1" "Feb 25, 2022" "3002.8" "Salt" .SH NAME salt \- salt . diff --git a/doc/man/salt.7 b/doc/man/salt.7 index 477ab06b356b..2a9b9314e3b5 100644 --- a/doc/man/salt.7 +++ b/doc/man/salt.7 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT" "7" "Aug 20, 2021" "3002.7" "Salt" +.TH "SALT" "7" "Feb 25, 2022" "3002.8" "Salt" .SH NAME salt \- Salt Documentation . @@ -106117,17 +106117,17 @@ Example of usage .B class salt.engines.ircbot.Event(source, code, line) .INDENT 7.0 .TP -.B property code +.B code Alias for field number 1 .UNINDENT .INDENT 7.0 .TP -.B property line +.B line Alias for field number 2 .UNINDENT .INDENT 7.0 .TP -.B property source +.B source Alias for field number 0 .UNINDENT .UNINDENT @@ -106160,42 +106160,42 @@ Alias for field number 0 .B class salt.engines.ircbot.PrivEvent(source, nick, user, host, code, channel, command, line) .INDENT 7.0 .TP -.B property channel +.B channel Alias for field number 5 .UNINDENT .INDENT 7.0 .TP -.B property code +.B code Alias for field number 4 .UNINDENT .INDENT 7.0 .TP -.B property command +.B command Alias for field number 6 .UNINDENT .INDENT 7.0 .TP -.B property host +.B host Alias for field number 3 .UNINDENT .INDENT 7.0 .TP -.B property line +.B line Alias for field number 7 .UNINDENT .INDENT 7.0 .TP -.B property nick +.B nick Alias for field number 1 .UNINDENT .INDENT 7.0 .TP -.B property source +.B source Alias for field number 0 .UNINDENT .INDENT 7.0 .TP -.B property user +.B user Alias for field number 2 .UNINDENT .UNINDENT 
@@ -118863,7 +118863,7 @@ known to resolve the issue. .UNINDENT .INDENT 0.0 .TP -.B salt.modules.augeas_cfg.execute(context=None, lens=None, commands=, load_path=None) +.B salt.modules.augeas_cfg.execute(context=None, lens=None, commands=(), load_path=None) Execute Augeas commands .sp New in version 2014.7.0. @@ -150093,7 +150093,7 @@ salt \(aq*\(aq cmd.has_exec cat .UNINDENT .INDENT 0.0 .TP -.B salt.modules.cmdmod.powershell(cmd, cwd=None, stdin=None, runas=None, shell=\(aq/usr/bin/zsh\(aq, env=None, clean_env=False, template=None, rstrip=True, umask=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, hide_output=False, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv=\(aqbase\(aq, use_vt=False, password=None, depth=None, encode_cmd=False, success_retcodes=None, **kwargs) +.B salt.modules.cmdmod.powershell(cmd, cwd=None, stdin=None, runas=None, shell=\(aq/bin/bash\(aq, env=None, clean_env=False, template=None, rstrip=True, umask=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, hide_output=False, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv=\(aqbase\(aq, use_vt=False, password=None, depth=None, encode_cmd=False, success_retcodes=None, **kwargs) Execute the passed PowerShell command and return the output as a dictionary. .sp Other \fBcmd.*\fP functions (besides \fBcmd.powershell_all\fP) 
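Review bot: The default shown in the `salt.modules.cmdmod.powershell` signature, `shell=\(aq/bin/bash\(aq`, appears to be a value captured from the machine that built the man page (the previous build had `/usr/bin/zsh`), so the page states a default that a given minion may not actually use. The same applies to every other `salt.modules.cmdmod.*` signature hunk in doc/man/salt.7. The `salt.states.zcbuildout.installed` hunk goes further: its `python=` default embeds an absolute path under the builder's user directory and the name of a private checkout. Presumably these defaults are evaluated at import time during the docs build, so the fix belongs in the generator input rather than in this generated file. Rendering them symbolically (e.g. `python=sys.executable` instead of the resolved path), or building in a clean environment with a fixed user and path, would keep host details out of the shipped documentation and make the output reproducible.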
@@ -150345,7 +150345,7 @@ salt \(aq*\(aq cmd.powershell "$PSVersionTable.CLRVersion" .UNINDENT .INDENT 0.0 .TP -.B salt.modules.cmdmod.powershell_all(cmd, cwd=None, stdin=None, runas=None, shell=\(aq/usr/bin/zsh\(aq, env=None, clean_env=False, template=None, rstrip=True, umask=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, quiet=False, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv=\(aqbase\(aq, use_vt=False, password=None, depth=None, encode_cmd=False, force_list=False, success_retcodes=None, **kwargs) +.B salt.modules.cmdmod.powershell_all(cmd, cwd=None, stdin=None, runas=None, shell=\(aq/bin/bash\(aq, env=None, clean_env=False, template=None, rstrip=True, umask=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, quiet=False, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv=\(aqbase\(aq, use_vt=False, password=None, depth=None, encode_cmd=False, force_list=False, success_retcodes=None, **kwargs) Execute the passed PowerShell command and return a dictionary with a result field representing the output of the command, as well as other fields showing us what the PowerShell invocation wrote to \fBstderr\fP, the process 
@@ -150675,7 +150675,7 @@ salt \(aq*\(aq cmd.powershell_all "dir mydirectory" force_list=True .UNINDENT .INDENT 0.0 .TP -.B salt.modules.cmdmod.retcode(cmd, cwd=None, stdin=None, runas=None, group=None, shell=\(aq/usr/bin/zsh\(aq, python_shell=None, env=None, clean_env=False, template=None, umask=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, log_callback=None, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv=\(aqbase\(aq, use_vt=False, password=None, success_retcodes=None, **kwargs) +.B salt.modules.cmdmod.retcode(cmd, cwd=None, stdin=None, runas=None, group=None, shell=\(aq/bin/bash\(aq, python_shell=None, env=None, clean_env=False, template=None, umask=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, log_callback=None, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv=\(aqbase\(aq, use_vt=False, password=None, success_retcodes=None, **kwargs) Execute a shell command and return the command\(aqs return code. .INDENT 7.0 .TP 
@@ -150901,7 +150901,7 @@ salt \(aq*\(aq cmd.retcode "grep f" stdin=\(aqone\entwo\enthree\enfour\enfive\en .UNINDENT .INDENT 0.0 .TP -.B salt.modules.cmdmod.run(cmd, cwd=None, stdin=None, runas=None, group=None, shell=\(aq/usr/bin/zsh\(aq, python_shell=None, env=None, clean_env=False, template=None, rstrip=True, umask=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, log_callback=None, hide_output=False, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv=\(aqbase\(aq, use_vt=False, bg=False, password=None, encoded_cmd=False, raise_err=False, prepend_path=None, success_retcodes=None, **kwargs) +.B salt.modules.cmdmod.run(cmd, cwd=None, stdin=None, runas=None, group=None, shell=\(aq/bin/bash\(aq, python_shell=None, env=None, clean_env=False, template=None, rstrip=True, umask=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, log_callback=None, hide_output=False, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv=\(aqbase\(aq, use_vt=False, bg=False, password=None, encoded_cmd=False, raise_err=False, prepend_path=None, success_retcodes=None, **kwargs) Execute the passed command and return the output as a string .INDENT 7.0 .TP 
@@ -151218,7 +151218,7 @@ salt \(aq*\(aq cmd.run cmd=\(aqsed \-e s/=/:/g\(aq .UNINDENT .INDENT 0.0 .TP -.B salt.modules.cmdmod.run_all(cmd, cwd=None, stdin=None, runas=None, group=None, shell=\(aq/usr/bin/zsh\(aq, python_shell=None, env=None, clean_env=False, template=None, rstrip=True, umask=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, log_callback=None, hide_output=False, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv=\(aqbase\(aq, use_vt=False, redirect_stderr=False, password=None, encoded_cmd=False, prepend_path=None, success_retcodes=None, **kwargs) +.B salt.modules.cmdmod.run_all(cmd, cwd=None, stdin=None, runas=None, group=None, shell=\(aq/bin/bash\(aq, python_shell=None, env=None, clean_env=False, template=None, rstrip=True, umask=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, log_callback=None, hide_output=False, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv=\(aqbase\(aq, use_vt=False, redirect_stderr=False, password=None, encoded_cmd=False, prepend_path=None, success_retcodes=None, **kwargs) Execute the passed command and return a dict of return data .INDENT 7.0 .TP 
@@ -151503,7 +151503,7 @@ salt \(aq*\(aq cmd.run_all "grep f" stdin=\(aqone\entwo\enthree\enfour\enfive\en .UNINDENT .INDENT 0.0 .TP -.B salt.modules.cmdmod.run_bg(cmd, cwd=None, runas=None, group=None, shell=\(aq/usr/bin/zsh\(aq, python_shell=None, env=None, clean_env=False, template=None, umask=None, timeout=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, log_callback=None, reset_system_locale=True, ignore_retcode=False, saltenv=\(aqbase\(aq, password=None, prepend_path=None, success_retcodes=None, **kwargs) +.B salt.modules.cmdmod.run_bg(cmd, cwd=None, runas=None, group=None, shell=\(aq/bin/bash\(aq, python_shell=None, env=None, clean_env=False, template=None, umask=None, timeout=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, log_callback=None, reset_system_locale=True, ignore_retcode=False, saltenv=\(aqbase\(aq, password=None, prepend_path=None, success_retcodes=None, **kwargs) Execute the passed command in the background and return its PID .sp \fBNOTE:\fP 
@@ -151768,7 +151768,7 @@ salt \(aq*\(aq cmd.run_bg cmd=\(aqls \-lR / | sed \-e s/=/:/g > /tmp/dontwait\(a .UNINDENT .INDENT 0.0 .TP -.B salt.modules.cmdmod.run_chroot(root, cmd, cwd=None, stdin=None, runas=None, group=None, shell=\(aq/usr/bin/zsh\(aq, python_shell=True, binds=None, env=None, clean_env=False, template=None, rstrip=True, umask=None, output_encoding=None, output_loglevel=\(aqquiet\(aq, log_callback=None, hide_output=False, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv=\(aqbase\(aq, use_vt=False, bg=False, success_retcodes=None, **kwargs) +.B salt.modules.cmdmod.run_chroot(root, cmd, cwd=None, stdin=None, runas=None, group=None, shell=\(aq/bin/bash\(aq, python_shell=True, binds=None, env=None, clean_env=False, template=None, rstrip=True, umask=None, output_encoding=None, output_loglevel=\(aqquiet\(aq, log_callback=None, hide_output=False, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv=\(aqbase\(aq, use_vt=False, bg=False, success_retcodes=None, **kwargs) New in version 2014.7.0. .sp 
@@ -151958,7 +151958,7 @@ salt \(aq*\(aq cmd.run_chroot /var/lib/lxc/container_name/rootfs \(aqsh /tmp/boo .UNINDENT .INDENT 0.0 .TP -.B salt.modules.cmdmod.run_stderr(cmd, cwd=None, stdin=None, runas=None, group=None, shell=\(aq/usr/bin/zsh\(aq, python_shell=None, env=None, clean_env=False, template=None, rstrip=True, umask=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, log_callback=None, hide_output=False, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv=\(aqbase\(aq, use_vt=False, password=None, prepend_path=None, success_retcodes=None, **kwargs) +.B salt.modules.cmdmod.run_stderr(cmd, cwd=None, stdin=None, runas=None, group=None, shell=\(aq/bin/bash\(aq, python_shell=None, env=None, clean_env=False, template=None, rstrip=True, umask=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, log_callback=None, hide_output=False, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv=\(aqbase\(aq, use_vt=False, password=None, prepend_path=None, success_retcodes=None, **kwargs) Execute a command and only return the standard error .INDENT 7.0 .TP 
@@ -152202,7 +152202,7 @@ salt \(aq*\(aq cmd.run_stderr "grep f" stdin=\(aqone\entwo\enthree\enfour\enfive .UNINDENT .INDENT 0.0 .TP -.B salt.modules.cmdmod.run_stdout(cmd, cwd=None, stdin=None, runas=None, group=None, shell=\(aq/usr/bin/zsh\(aq, python_shell=None, env=None, clean_env=False, template=None, rstrip=True, umask=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, log_callback=None, hide_output=False, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv=\(aqbase\(aq, use_vt=False, password=None, prepend_path=None, success_retcodes=None, **kwargs) +.B salt.modules.cmdmod.run_stdout(cmd, cwd=None, stdin=None, runas=None, group=None, shell=\(aq/bin/bash\(aq, python_shell=None, env=None, clean_env=False, template=None, rstrip=True, umask=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, log_callback=None, hide_output=False, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv=\(aqbase\(aq, use_vt=False, password=None, prepend_path=None, success_retcodes=None, **kwargs) Execute a command, and only return the standard out .INDENT 7.0 .TP 
@@ -152446,7 +152446,7 @@ salt \(aq*\(aq cmd.run_stdout "grep f" stdin=\(aqone\entwo\enthree\enfour\enfive .UNINDENT .INDENT 0.0 .TP -.B salt.modules.cmdmod.script(source, args=None, cwd=None, stdin=None, runas=None, group=None, shell=\(aq/usr/bin/zsh\(aq, python_shell=None, env=None, template=None, umask=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, log_callback=None, hide_output=False, timeout=None, reset_system_locale=True, saltenv=\(aqbase\(aq, use_vt=False, bg=False, password=None, success_retcodes=None, **kwargs) +.B salt.modules.cmdmod.script(source, args=None, cwd=None, stdin=None, runas=None, group=None, shell=\(aq/bin/bash\(aq, python_shell=None, env=None, template=None, umask=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, log_callback=None, hide_output=False, timeout=None, reset_system_locale=True, saltenv=\(aqbase\(aq, use_vt=False, bg=False, password=None, success_retcodes=None, **kwargs) Download a script from a remote location and execute the script locally. The script can be located on the salt master file server or on an HTTP/FTP server. 
@@ -152690,7 +152690,7 @@ salt \(aq*\(aq cmd.script salt://scripts/runme.sh stdin=\(aqone\entwo\enthree\en .UNINDENT .INDENT 0.0 .TP -.B salt.modules.cmdmod.script_retcode(source, args=None, cwd=None, stdin=None, runas=None, group=None, shell=\(aq/usr/bin/zsh\(aq, python_shell=None, env=None, template=\(aqjinja\(aq, umask=None, timeout=None, reset_system_locale=True, saltenv=\(aqbase\(aq, output_encoding=None, output_loglevel=\(aqdebug\(aq, log_callback=None, use_vt=False, password=None, success_retcodes=None, **kwargs) +.B salt.modules.cmdmod.script_retcode(source, args=None, cwd=None, stdin=None, runas=None, group=None, shell=\(aq/bin/bash\(aq, python_shell=None, env=None, template=\(aqjinja\(aq, umask=None, timeout=None, reset_system_locale=True, saltenv=\(aqbase\(aq, output_encoding=None, output_loglevel=\(aqdebug\(aq, log_callback=None, use_vt=False, password=None, success_retcodes=None, **kwargs) Download a script from a remote location and execute the script locally. The script can be located on the salt master file server or on an HTTP/FTP server. 
@@ -152882,7 +152882,7 @@ salt \(aq*\(aq cmd.script_retcode salt://scripts/runme.sh stdin=\(aqone\entwo\en .UNINDENT .INDENT 0.0 .TP -.B salt.modules.cmdmod.shell(cmd, cwd=None, stdin=None, runas=None, group=None, shell=\(aq/usr/bin/zsh\(aq, env=None, clean_env=False, template=None, rstrip=True, umask=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, log_callback=None, hide_output=False, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv=\(aqbase\(aq, use_vt=False, bg=False, password=None, prepend_path=None, success_retcodes=None, **kwargs) +.B salt.modules.cmdmod.shell(cmd, cwd=None, stdin=None, runas=None, group=None, shell=\(aq/bin/bash\(aq, env=None, clean_env=False, template=None, rstrip=True, umask=None, output_encoding=None, output_loglevel=\(aqdebug\(aq, log_callback=None, hide_output=False, timeout=None, reset_system_locale=True, ignore_retcode=False, saltenv=\(aqbase\(aq, use_vt=False, bg=False, password=None, prepend_path=None, success_retcodes=None, **kwargs) Execute the passed command and return the output as a string. .sp New in version 2015.5.0. @@ -170994,12 +170994,12 @@ group, mode, and data .B class salt.modules.file.AttrChanges(added, removed) .INDENT 7.0 .TP -.B property added +.B added Alias for field number 0 .UNINDENT .INDENT 7.0 .TP -.B property removed +.B removed Alias for field number 1 .UNINDENT .UNINDENT 
@@ -191337,7 +191337,7 @@ Passes through all the parameters described in the \fI\%utils.http.query function\fP: .INDENT 7.0 .TP -.B salt.utils.http.query(url, method=\(aqGET\(aq, params=None, data=None, data_file=None, header_dict=None, header_list=None, header_file=None, username=None, password=None, auth=None, decode=False, decode_type=\(aqauto\(aq, status=False, headers=False, text=False, cookies=None, cookie_jar=None, cookie_format=\(aqlwp\(aq, persist_session=False, session_cookie_jar=None, data_render=False, data_renderer=None, header_render=False, header_renderer=None, template_dict=None, test=False, test_url=None, node=\(aqminion\(aq, port=80, opts=None, backend=None, ca_bundle=None, verify_ssl=None, cert=None, text_out=None, headers_out=None, decode_out=None, stream=False, streaming_callback=None, header_callback=None, handle=False, agent=\(aqSalt/3002.7\(aq, hide_fields=None, raise_error=True, formdata=False, formdata_fieldname=None, formdata_filename=None, decode_body=True, **kwargs) +.B salt.utils.http.query(url, method=\(aqGET\(aq, params=None, data=None, data_file=None, header_dict=None, header_list=None, header_file=None, username=None, password=None, auth=None, decode=False, decode_type=\(aqauto\(aq, status=False, headers=False, text=False, cookies=None, cookie_jar=None, cookie_format=\(aqlwp\(aq, persist_session=False, session_cookie_jar=None, data_render=False, data_renderer=None, header_render=False, header_renderer=None, template_dict=None, test=False, test_url=None, node=\(aqminion\(aq, port=80, opts=None, backend=None, ca_bundle=None, verify_ssl=None, cert=None, text_out=None, headers_out=None, decode_out=None, stream=False, streaming_callback=None, header_callback=None, handle=False, agent=\(aqSalt/3002.8\(aq, hide_fields=None, raise_error=True, formdata=False, formdata_fieldname=None, formdata_filename=None, decode_body=True, **kwargs) Query a resource, and decode the return data .UNINDENT .INDENT 7.0 
@@ -196013,7 +196013,7 @@ salt\-call ipmi.get_users api_host=172.168.0.7 .UNINDENT .INDENT 0.0 .TP -.B salt.modules.ipmi.raw_command(netfn, command, bridge_request=None, data=, retry=True, delay_xmit=None, **kwargs) +.B salt.modules.ipmi.raw_command(netfn, command, bridge_request=None, data=(), retry=True, delay_xmit=None, **kwargs) Send raw ipmi command .sp This allows arbitrary IPMI bytes to be issued. This is commonly used @@ -274067,7 +274067,7 @@ salt \(aq*\(aq saltutil.clear_job_cache hours=12 .UNINDENT .INDENT 0.0 .TP -.B salt.modules.saltutil.cmd(tgt, fun, arg=, timeout=None, tgt_type=\(aqglob\(aq, ret=\(aq\(aq, kwarg=None, ssh=False, **kwargs) +.B salt.modules.saltutil.cmd(tgt, fun, arg=(), timeout=None, tgt_type=\(aqglob\(aq, ret=\(aq\(aq, kwarg=None, ssh=False, **kwargs) Changed in version 2017.7.0: The \fBexpr_form\fP argument has been renamed to \fBtgt_type\fP, earlier releases must use \fBexpr_form\fP\&. @@ -274088,7 +274088,7 @@ salt \(aq*\(aq saltutil.cmd .UNINDENT .INDENT 0.0 .TP -.B salt.modules.saltutil.cmd_iter(tgt, fun, arg=, timeout=None, tgt_type=\(aqglob\(aq, ret=\(aq\(aq, kwarg=None, ssh=False, **kwargs) +.B salt.modules.saltutil.cmd_iter(tgt, fun, arg=(), timeout=None, tgt_type=\(aqglob\(aq, ret=\(aq\(aq, kwarg=None, ssh=False, **kwargs) Changed in version 2017.7.0: The \fBexpr_form\fP argument has been renamed to \fBtgt_type\fP, earlier releases must use \fBexpr_form\fP\&. @@ -326256,22 +326256,22 @@ wp binary from \fI\%http://wp\-cli.org/\fP .B class salt.modules.wordpress.Plugin(name, status, update, versino) .INDENT 7.0 .TP -.B property name +.B name Alias for field number 0 .UNINDENT .INDENT 7.0 .TP -.B property status +.B status Alias for field number 1 .UNINDENT .INDENT 7.0 .TP -.B property update +.B update Alias for field number 2 .UNINDENT .INDENT 7.0 .TP -.B property versino +.B versino Alias for field number 3 .UNINDENT .UNINDENT 
@@ -328643,8 +328643,8 @@ Alternate constructor that accept multiple recipients and rooms .B filter(record) Determine if the specified record is to be logged. .sp -Is the specified record to be logged? Returns 0 for no, nonzero for -yes. If deemed appropriate, the record may be modified in\-place. +Returns True if the record should be logged, or False otherwise. +If deemed appropriate, the record may be modified in\-place. .UNINDENT .UNINDENT .INDENT 0.0 @@ -328956,7 +328956,7 @@ salt \(aq*\(aq pkg.group_info \(aqPerl Support\(aq .UNINDENT .INDENT 0.0 .TP -.B salt.modules.yumpkg.group_install(name, skip=, include=, **kwargs) +.B salt.modules.yumpkg.group_install(name, skip=(), include=(), **kwargs) New in version 2014.1.0. .sp @@ -343862,7 +343862,7 @@ cobbler.password: password # default is no password .SS Module Documentation .INDENT 0.0 .TP -.B salt.pillar.cobbler.ext_pillar(minion_id, pillar, key=None, only=) +.B salt.pillar.cobbler.ext_pillar(minion_id, pillar, key=None, only=()) Read pillar data from Cobbler via its API. .UNINDENT .SS salt.pillar.confidant @@ -345080,7 +345080,7 @@ Further information can be found on \fI\%GitHub\fP\&. .SS Module Documentation .INDENT 0.0 .TP -.B salt.pillar.foreman.ext_pillar(minion_id, pillar, key=None, only=) +.B salt.pillar.foreman.ext_pillar(minion_id, pillar, key=None, only=()) Read pillar data from Foreman via its API. .UNINDENT .SS salt.pillar.git_pillar @@ -360742,7 +360742,7 @@ salt\-run salt.cmd mymod.myfunc with_pillar=True .UNINDENT .INDENT 0.0 .TP -.B salt.runners.salt.execute(tgt, fun, arg=, timeout=None, tgt_type=\(aqglob\(aq, ret=\(aq\(aq, jid=\(aq\(aq, kwarg=None, **kwargs) +.B salt.runners.salt.execute(tgt, fun, arg=(), timeout=None, tgt_type=\(aqglob\(aq, ret=\(aq\(aq, jid=\(aq\(aq, kwarg=None, **kwargs) New in version 2017.7.0. .sp 
@@ -362081,7 +362081,7 @@ A Runner module interface on top of the salt\-ssh Python API. This allows for programmatic use from salt\-api, the Reactor, Orchestrate, etc. .INDENT 0.0 .TP -.B salt.runners.ssh.cmd(tgt, fun, arg=, timeout=None, tgt_type=\(aqglob\(aq, kwarg=None) +.B salt.runners.ssh.cmd(tgt, fun, arg=(), timeout=None, tgt_type=\(aqglob\(aq, kwarg=None) New in version 2015.5.0. .sp @@ -384379,7 +384379,7 @@ printenv: .UNINDENT .INDENT 0.0 .TP -.B salt.states.cmd.call(name, func, args=, kws=None, output_loglevel=\(aqdebug\(aq, hide_output=False, use_vt=False, **kwargs) +.B salt.states.cmd.call(name, func, args=(), kws=None, output_loglevel=\(aqdebug\(aq, hide_output=False, use_vt=False, **kwargs) Invoke a pre\-defined Python function with arguments specified in the state declaration. This function is mainly used by the \fBsalt.renderers.pydsl\fP renderer. @@ -384843,7 +384843,7 @@ New in version 2019.2.0. .UNINDENT .INDENT 0.0 .TP -.B salt.states.cmd.wait(name, cwd=None, root=None, runas=None, shell=None, env=, stateful=False, umask=None, output_loglevel=\(aqdebug\(aq, hide_output=False, use_vt=False, success_retcodes=None, **kwargs) +.B salt.states.cmd.wait(name, cwd=None, root=None, runas=None, shell=None, env=(), stateful=False, umask=None, output_loglevel=\(aqdebug\(aq, hide_output=False, use_vt=False, success_retcodes=None, **kwargs) Run the given command only if the watch statement calls it. .sp \fBNOTE:\fP @@ -384997,7 +384997,7 @@ New in version 2019.2.0. .UNINDENT .INDENT 0.0 .TP -.B salt.states.cmd.wait_call(name, func, args=, kws=None, stateful=False, use_vt=False, output_loglevel=\(aqdebug\(aq, hide_output=False, **kwargs) +.B salt.states.cmd.wait_call(name, func, args=(), kws=None, stateful=False, use_vt=False, output_loglevel=\(aqdebug\(aq, hide_output=False, **kwargs) .UNINDENT .INDENT 0.0 .TP 
@@ -423195,7 +423195,7 @@ User to run the command .UNINDENT .INDENT 0.0 .TP -.B salt.states.rabbitmq_user.present(name, password=None, force=False, tags=None, perms=, runas=None) +.B salt.states.rabbitmq_user.present(name, password=None, force=False, tags=None, perms=(), runas=None) Ensure the RabbitMQ user exists. .INDENT 7.0 .TP @@ -436871,7 +436871,7 @@ installed2 .UNINDENT .INDENT 0.0 .TP -.B salt.states.zcbuildout.installed(name, config=\(aqbuildout.cfg\(aq, quiet=False, parts=None, user=None, env=, buildout_ver=None, test_release=False, distribute=None, new_st=None, offline=False, newest=False, python=\(aq/home/gareth/code/salt\-priv/.nox/docs\-man\-clean\-true\-compress\-false\-update\-true/bin/python\(aq, debug=False, verbose=False, unless=None, onlyif=None, use_vt=False, loglevel=\(aqdebug\(aq, **kwargs) +.B salt.states.zcbuildout.installed(name, config=\(aqbuildout.cfg\(aq, quiet=False, parts=None, user=None, env=(), buildout_ver=None, test_release=False, distribute=None, new_st=None, offline=False, newest=False, python=\(aq/mnt/c/Users/alyssar/Documents/Git\-Projects/salt\-priv/.nox/docs\-man\-compress\-false\-update\-true\-clean\-true/bin/python\(aq, debug=False, verbose=False, unless=None, onlyif=None, use_vt=False, loglevel=\(aqdebug\(aq, **kwargs) Install buildout in a specific directory .sp It is a thin wrapper to modules.buildout.buildout @@ -439241,7 +439241,7 @@ clean_keys: Run remote execution commands via the local client .INDENT 0.0 .TP -.B salt.thorium.local.cmd(name, tgt, func, arg=, tgt_type=\(aqglob\(aq, ret=\(aq\(aq, kwarg=None, **kwargs) +.B salt.thorium.local.cmd(name, tgt, func, arg=(), tgt_type=\(aqglob\(aq, ret=\(aq\(aq, kwarg=None, **kwargs) Execute a remote execution command .sp USAGE: @@ -439387,7 +439387,7 @@ foo: React by calling asynchronous runners .INDENT 0.0 .TP -.B salt.thorium.runner.cmd(name, func=None, arg=, **kwargs) +.B salt.thorium.runner.cmd(name, func=None, arg=(), **kwargs) Execute a runner asynchronous: .sp USAGE: 
@@ -439458,7 +439458,7 @@ hold_on_a_moment: React by calling asynchronous runners .INDENT 0.0 .TP -.B salt.thorium.wheel.cmd(name, fun=None, arg=, **kwargs) +.B salt.thorium.wheel.cmd(name, fun=None, arg=(), **kwargs) Execute a runner asynchronous: .sp USAGE: @@ -441234,7 +441234,7 @@ local.cmd(\(aq*\(aq, \(aqtest.fib\(aq, [10]) .UNINDENT .INDENT 7.0 .TP -.B cmd(tgt, fun, arg=, timeout=None, tgt_type=\(aqglob\(aq, ret=\(aq\(aq, jid=\(aq\(aq, full_return=False, kwarg=None, **kwargs) +.B cmd(tgt, fun, arg=(), timeout=None, tgt_type=\(aqglob\(aq, ret=\(aq\(aq, jid=\(aq\(aq, full_return=False, kwarg=None, **kwargs) Synchronously execute a command on targeted minions .sp The cmd method will execute and wait for the timeout period for all @@ -441384,7 +441384,7 @@ function name. .UNINDENT .INDENT 7.0 .TP -.B cmd_async(tgt, fun, arg=, tgt_type=\(aqglob\(aq, ret=\(aq\(aq, jid=\(aq\(aq, kwarg=None, **kwargs) +.B cmd_async(tgt, fun, arg=(), tgt_type=\(aqglob\(aq, ret=\(aq\(aq, jid=\(aq\(aq, kwarg=None, **kwargs) Asynchronously send a command to connected minions .sp The function signature is the same as \fI\%cmd()\fP with the @@ -441408,7 +441408,7 @@ A job ID or 0 on failure. .UNINDENT .INDENT 7.0 .TP -.B cmd_batch(tgt, fun, arg=, tgt_type=\(aqglob\(aq, ret=\(aq\(aq, kwarg=None, batch=\(aq10%\(aq, **kwargs) +.B cmd_batch(tgt, fun, arg=(), tgt_type=\(aqglob\(aq, ret=\(aq\(aq, kwarg=None, batch=\(aq10%\(aq, **kwargs) Iteratively execute a command on subsets of minions at a time .sp The function signature is the same as \fI\%cmd()\fP with the @@ -441439,7 +441439,7 @@ A generator of minion returns .UNINDENT .INDENT 7.0 .TP -.B cmd_iter(tgt, fun, arg=, timeout=None, tgt_type=\(aqglob\(aq, ret=\(aq\(aq, kwarg=None, **kwargs) +.B cmd_iter(tgt, fun, arg=(), timeout=None, tgt_type=\(aqglob\(aq, ret=\(aq\(aq, kwarg=None, **kwargs) Yields the individual minion returns as they come in .sp The function signature is the same as \fI\%cmd()\fP with the 
@@ -441471,7 +441471,7 @@ A generator yielding the individual minion returns .UNINDENT .INDENT 7.0 .TP -.B cmd_iter_no_block(tgt, fun, arg=, timeout=None, tgt_type=\(aqglob\(aq, ret=\(aq\(aq, kwarg=None, show_jid=False, verbose=False, **kwargs) +.B cmd_iter_no_block(tgt, fun, arg=(), timeout=None, tgt_type=\(aqglob\(aq, ret=\(aq\(aq, kwarg=None, show_jid=False, verbose=False, **kwargs) .INDENT 7.0 .TP .B Yields the individual minion returns as they come in, or None @@ -441507,7 +441507,7 @@ None .UNINDENT .INDENT 7.0 .TP -.B cmd_subset(tgt, fun, arg=, tgt_type=\(aqglob\(aq, ret=\(aq\(aq, kwarg=None, subset=3, cli=False, progress=False, full_return=False, **kwargs) +.B cmd_subset(tgt, fun, arg=(), tgt_type=\(aqglob\(aq, ret=\(aq\(aq, kwarg=None, subset=3, cli=False, progress=False, full_return=False, **kwargs) Execute a command on a random subset of the targeted systems .sp The function signature is the same as \fI\%cmd()\fP with the @@ -441553,7 +441553,7 @@ is reached. .UNINDENT .INDENT 7.0 .TP -.B run_job(tgt, fun, arg=, tgt_type=\(aqglob\(aq, ret=\(aq\(aq, timeout=None, jid=\(aq\(aq, kwarg=None, listen=False, **kwargs) +.B run_job(tgt, fun, arg=(), tgt_type=\(aqglob\(aq, ret=\(aq\(aq, timeout=None, jid=\(aq\(aq, kwarg=None, listen=False, **kwargs) Asynchronously send a command to connected minions .sp Prep the job directory and publish a command to any targeted minions. @@ -442066,7 +442066,7 @@ New in version 2015.5.0. .INDENT 7.0 .TP -.B cmd(tgt, fun, arg=, timeout=None, tgt_type=\(aqglob\(aq, kwarg=None, **kwargs) +.B cmd(tgt, fun, arg=(), timeout=None, tgt_type=\(aqglob\(aq, kwarg=None, **kwargs) Execute a single command via the salt\-ssh subsystem and return all routines at once .sp 
@@ -442075,7 +442075,7 @@ New in version 2015.5.0. .UNINDENT .INDENT 7.0 .TP -.B cmd_iter(tgt, fun, arg=, timeout=None, tgt_type=\(aqglob\(aq, ret=\(aq\(aq, kwarg=None, **kwargs) +.B cmd_iter(tgt, fun, arg=(), timeout=None, tgt_type=\(aqglob\(aq, ret=\(aq\(aq, kwarg=None, **kwargs) Execute a single command via the salt\-ssh subsystem and return a generator .sp @@ -455283,6 +455283,8 @@ Fix regression on "cmd.run" when passing tuples as cmd. (#59664) Allow all ssh kwargs as sanitized kwargs for SSH client. (#59748) .UNINDENT .SS Salt 3002.7 (2021\-08\-20) +.sp +Version 3002.7 is a CVE security fix release for 3002\&. .SS Fixed .INDENT 0.0 .IP \(bu 2 @@ -455292,11 +455294,24 @@ Verify the owner of an existing config before trusting it during install. If the .INDENT 0.0 .IP \(bu 2 Fix the CVE\-2021\-31607 vulnerability -.sp Additionally, an audit and a tool was put in place, \fBbandit\fP, to address similar issues througout the code base, and prevent them. (CVE\-2021\-31607) .IP \(bu 2 Ensure that sourced file is cached using its hash name (cve\-2021\-21996) .UNINDENT +.SS Salt 3002.8 (2022\-02\-25) +.sp +Version 3002.8 is a CVE security fix release for 3002\&. +.SS Security +.INDENT 0.0 +.IP \(bu 2 +Sign authentication replies to prevent MiTM (cve\-2020\-22935) +.IP \(bu 2 +Sign pillar data to prevent MiTM attacks. (cve\-2022\-22934) +.IP \(bu 2 +Prevent job and fileserver replays (cve\-2022\-22936) +.IP \(bu 2 +Fixed targeting bug, especially visible when using syndic and user auth. (CVE\-2022\-22941) (#60413) +.UNINDENT .SS Salt 3001 Release Notes \- Codename Sodium .SS Python 2 Dropped .sp @@ -455690,7 +455705,7 @@ the fix for CVE\-2020\-28243. .UNINDENT .SS Salt 3001.8 (2021\-08\-20) .sp -Version 3001.8 is a bug fix release for 3001\&. +Version 3001.8 is a CVE security fix release for 3001\&. .SS Fixed .INDENT 0.0 .IP \(bu 2 
@@ -455700,7 +455715,6 @@ Verify the owner of an existing config before trusting it during install. If the .INDENT 0.0 .IP \(bu 2 Fix the CVE\-2021\-31607 vulnerability -.sp Additionally, an audit and a tool was put in place, \fBbandit\fP, to address similar issues througout the code base, and prevent them. (CVE\-2021\-31607) .IP \(bu 2 Ensure that sourced file is cached using its hash name (cve\-2021\-21996) diff --git a/doc/man/spm.1 b/doc/man/spm.1 index 67cc92a94443..60353a022e59 100644 --- a/doc/man/spm.1 +++ b/doc/man/spm.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SPM" "1" "Aug 20, 2021" "3002.7" "Salt" +.TH "SPM" "1" "Feb 25, 2022" "3002.8" "Salt" .SH NAME spm \- Salt Package Manager Command . diff --git a/doc/ref/beacons/all/salt.beacons.aix_account.rst b/doc/ref/beacons/all/salt.beacons.aix_account.rst index f7467322ac5c..b9b273217e50 100644 --- a/doc/ref/beacons/all/salt.beacons.aix_account.rst +++ b/doc/ref/beacons/all/salt.beacons.aix_account.rst @@ -1,5 +1,5 @@ -salt.beacons.aix_account module -=============================== +salt.beacons.aix_account +======================== .. automodule:: salt.beacons.aix_account :members: diff --git a/doc/topics/releases/3002.8.rst b/doc/topics/releases/3002.8.rst new file mode 100644 index 000000000000..eddef98ff200 --- /dev/null +++ b/doc/topics/releases/3002.8.rst 
@@ -0,0 +1,34 @@
+.. _release-3002-8:
+
+========================
+Salt 3002.8 (2022-02-25)
+========================
+
+Version 3002.8 is a CVE security fix release for :ref:`3002 `.
+
+
+Important notice about upgrading
+--------------------------------
+
+Version 3002.8 is a security release. 3002.8 minions are not able to
+communicate with masters older than 3002.8. You must upgrade your masters
+before upgrading minions.
+
+
+Minion authentication security
+------------------------------
+
+Authentication between masters and minions rely on public/private key
+encryption and message signing. To secure minion authentication before you must
+pre-seed the master's public key on minions. To pre-seed the minions' master
+key, place a copy of the master's public key in the minion's pki directory as
+``minion_master.pub``.
+
+
+Security
+--------
+
+- Sign authentication replies to prevent MiTM (cve-2020-22935)
+- Sign pillar data to prevent MiTM attacks. (cve-2022-22934)
+- Prevent job and fileserver replays (cve-2022-22936)
+- Fixed targeting bug, especially visible when using syndic and user auth. (CVE-2022-22941) (#60413)