From 038310d4836929557af243ed7a137f40e70bf165 Mon Sep 17 00:00:00 2001 From: Alyssa Rock Date: Wed, 25 May 2022 14:22:24 -0600 Subject: [PATCH 1/2] Add 3002.9 changelog, release notes, man pages --- CHANGELOG.md | 17 +++++++++++++++++ changelog/59161.fixed | 1 - changelog/61865.fixed | 1 - changelog/61868.fixed | 1 - changelog/cve-2022-22967.security | 1 - doc/man/salt-api.1 | 2 +- doc/man/salt-call.1 | 2 +- doc/man/salt-cloud.1 | 2 +- doc/man/salt-cp.1 | 2 +- doc/man/salt-key.1 | 2 +- doc/man/salt-master.1 | 2 +- doc/man/salt-minion.1 | 2 +- doc/man/salt-proxy.1 | 2 +- doc/man/salt-run.1 | 2 +- doc/man/salt-ssh.1 | 2 +- doc/man/salt-syndic.1 | 2 +- doc/man/salt-unity.1 | 2 +- doc/man/salt.1 | 2 +- doc/man/salt.7 | 22 +++++++++++++++++----- doc/man/spm.1 | 2 +- doc/topics/releases/3002.9.rst | 20 ++++++++++++++++++++ 21 files changed, 68 insertions(+), 23 deletions(-) delete mode 100644 changelog/59161.fixed delete mode 100644 changelog/61865.fixed delete mode 100644 changelog/61868.fixed delete mode 100644 changelog/cve-2022-22967.security create mode 100644 doc/topics/releases/3002.9.rst diff --git a/CHANGELOG.md b/CHANGELOG.md index 51972aaf5168..4a2b523bcc76 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,23 @@ Versions are `MAJOR.PATCH`. # Changelog +Salt 3002.9 (2022-05-25) +======================== + +Fixed +----- + +- Fixed an error when running on CentOS Stream 8. (#59161) +- Fix bug in tcp transport (#61865) +- Make sure the correct key is being used when verifying or validating communication, eg. when a Salt syndic is involved use syndic_master.pub and when a Salt minion is involved use minion_master.pub. (#61868) + + +Security +-------- + +- Fixed PAM auth to reject auth attempt if user account is locked. (cve-2022-22967) + + Salt 3002.8 (2022-02-25) ======================== diff --git a/changelog/59161.fixed b/changelog/59161.fixed deleted file mode 100644 index cbe185253417..000000000000 --- a/changelog/59161.fixed +++ /dev/null 
@@ -1 +0,0 @@ -Fixed an error when running on CentOS Stream 8. diff --git a/changelog/61865.fixed b/changelog/61865.fixed deleted file mode 100644 index 2e994bcda487..000000000000 --- a/changelog/61865.fixed +++ /dev/null @@ -1 +0,0 @@ -Fix bug in tcp transport diff --git a/changelog/61868.fixed b/changelog/61868.fixed deleted file mode 100644 index 0169c48e99d2..000000000000 --- a/changelog/61868.fixed +++ /dev/null @@ -1 +0,0 @@ -Make sure the correct key is being used when verifying or validating communication, eg. when a Salt syndic is involved use syndic_master.pub and when a Salt minion is involved use minion_master.pub. diff --git a/changelog/cve-2022-22967.security b/changelog/cve-2022-22967.security deleted file mode 100644 index 52943680f448..000000000000 --- a/changelog/cve-2022-22967.security +++ /dev/null @@ -1 +0,0 @@ -Fixed PAM auth to reject auth attempt if user account is locked. diff --git a/doc/man/salt-api.1 b/doc/man/salt-api.1 index 8fe31b96dc3c..2e7d14cc4c07 100644 --- a/doc/man/salt-api.1 +++ b/doc/man/salt-api.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT-API" "1" "Feb 25, 2022" "3002.8" "Salt" +.TH "SALT-API" "1" "May 25, 2022" "3002.9" "Salt" .SH NAME salt-api \- salt-api Command . diff --git a/doc/man/salt-call.1 b/doc/man/salt-call.1 index 2b807f56d859..20070067e17a 100644 --- a/doc/man/salt-call.1 +++ b/doc/man/salt-call.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT-CALL" "1" "Feb 25, 2022" "3002.8" "Salt" +.TH "SALT-CALL" "1" "May 25, 2022" "3002.9" "Salt" .SH NAME salt-call \- salt-call Documentation . diff --git a/doc/man/salt-cloud.1 b/doc/man/salt-cloud.1 index a18ab174cfdf..a7389a543d34 100644 --- a/doc/man/salt-cloud.1 +++ b/doc/man/salt-cloud.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT-CLOUD" "1" "Feb 25, 2022" "3002.8" "Salt" +.TH "SALT-CLOUD" "1" "May 25, 2022" "3002.9" "Salt" .SH NAME salt-cloud \- Salt Cloud Command . 
diff --git a/doc/man/salt-cp.1 b/doc/man/salt-cp.1 index 20edab0ea122..96c5c0bc56dd 100644 --- a/doc/man/salt-cp.1 +++ b/doc/man/salt-cp.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT-CP" "1" "Feb 25, 2022" "3002.8" "Salt" +.TH "SALT-CP" "1" "May 25, 2022" "3002.9" "Salt" .SH NAME salt-cp \- salt-cp Documentation . diff --git a/doc/man/salt-key.1 b/doc/man/salt-key.1 index 956b9df39dd3..6306d16cd097 100644 --- a/doc/man/salt-key.1 +++ b/doc/man/salt-key.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT-KEY" "1" "Feb 25, 2022" "3002.8" "Salt" +.TH "SALT-KEY" "1" "May 25, 2022" "3002.9" "Salt" .SH NAME salt-key \- salt-key Documentation . diff --git a/doc/man/salt-master.1 b/doc/man/salt-master.1 index 73c50bf12857..cca50ab1611a 100644 --- a/doc/man/salt-master.1 +++ b/doc/man/salt-master.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT-MASTER" "1" "Feb 25, 2022" "3002.8" "Salt" +.TH "SALT-MASTER" "1" "May 25, 2022" "3002.9" "Salt" .SH NAME salt-master \- salt-master Documentation . diff --git a/doc/man/salt-minion.1 b/doc/man/salt-minion.1 index d9bee0c9f746..7753c2ab411f 100644 --- a/doc/man/salt-minion.1 +++ b/doc/man/salt-minion.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT-MINION" "1" "Feb 25, 2022" "3002.8" "Salt" +.TH "SALT-MINION" "1" "May 25, 2022" "3002.9" "Salt" .SH NAME salt-minion \- salt-minion Documentation . diff --git a/doc/man/salt-proxy.1 b/doc/man/salt-proxy.1 index b0eae2b6dab5..6361f599597f 100644 --- a/doc/man/salt-proxy.1 +++ b/doc/man/salt-proxy.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT-PROXY" "1" "Feb 25, 2022" "3002.8" "Salt" +.TH "SALT-PROXY" "1" "May 25, 2022" "3002.9" "Salt" .SH NAME salt-proxy \- salt-proxy Documentation . diff --git a/doc/man/salt-run.1 b/doc/man/salt-run.1 index 10ddfdcab7c9..7fe8e6c53cb7 100644 --- a/doc/man/salt-run.1 +++ b/doc/man/salt-run.1 
@@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT-RUN" "1" "Feb 25, 2022" "3002.8" "Salt" +.TH "SALT-RUN" "1" "May 25, 2022" "3002.9" "Salt" .SH NAME salt-run \- salt-run Documentation . diff --git a/doc/man/salt-ssh.1 b/doc/man/salt-ssh.1 index b8703dced3aa..f62002dcdd51 100644 --- a/doc/man/salt-ssh.1 +++ b/doc/man/salt-ssh.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT-SSH" "1" "Feb 25, 2022" "3002.8" "Salt" +.TH "SALT-SSH" "1" "May 25, 2022" "3002.9" "Salt" .SH NAME salt-ssh \- salt-ssh Documentation . diff --git a/doc/man/salt-syndic.1 b/doc/man/salt-syndic.1 index 7aa695bf354b..714beab6f989 100644 --- a/doc/man/salt-syndic.1 +++ b/doc/man/salt-syndic.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT-SYNDIC" "1" "Feb 25, 2022" "3002.8" "Salt" +.TH "SALT-SYNDIC" "1" "May 25, 2022" "3002.9" "Salt" .SH NAME salt-syndic \- salt-syndic Documentation . diff --git a/doc/man/salt-unity.1 b/doc/man/salt-unity.1 index a289f8673a13..96992058feac 100644 --- a/doc/man/salt-unity.1 +++ b/doc/man/salt-unity.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT-UNITY" "1" "Feb 25, 2022" "3002.8" "Salt" +.TH "SALT-UNITY" "1" "May 25, 2022" "3002.9" "Salt" .SH NAME salt-unity \- salt-unity Command . diff --git a/doc/man/salt.1 b/doc/man/salt.1 index 156fcce7d877..5878267dbf00 100644 --- a/doc/man/salt.1 +++ b/doc/man/salt.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT" "1" "Feb 25, 2022" "3002.8" "Salt" +.TH "SALT" "1" "May 25, 2022" "3002.9" "Salt" .SH NAME salt \- salt . diff --git a/doc/man/salt.7 b/doc/man/salt.7 index 2a9b9314e3b5..8aeb844e196a 100644 --- a/doc/man/salt.7 +++ b/doc/man/salt.7 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SALT" "7" "Feb 25, 2022" "3002.8" "Salt" +.TH "SALT" "7" "May 25, 2022" "3002.9" "Salt" .SH NAME salt \- Salt Documentation . 
@@ -88125,7 +88125,7 @@ beacons: .B salt.beacons.adb.validate(config) Validate the beacon configuration .UNINDENT -.SS salt.beacons.aix_account module +.SS salt.beacons.aix_account .sp Beacon to fire event when we notice a AIX user is locked due to many failed login attempts. .sp 
@@ -191337,7 +191337,7 @@ Passes through all the parameters described in the \fI\%utils.http.query function\fP: .INDENT 7.0 .TP -.B salt.utils.http.query(url, method=\(aqGET\(aq, params=None, data=None, data_file=None, header_dict=None, header_list=None, header_file=None, username=None, password=None, auth=None, decode=False, decode_type=\(aqauto\(aq, status=False, headers=False, text=False, cookies=None, cookie_jar=None, cookie_format=\(aqlwp\(aq, persist_session=False, session_cookie_jar=None, data_render=False, data_renderer=None, header_render=False, header_renderer=None, template_dict=None, test=False, test_url=None, node=\(aqminion\(aq, port=80, opts=None, backend=None, ca_bundle=None, verify_ssl=None, cert=None, text_out=None, headers_out=None, decode_out=None, stream=False, streaming_callback=None, header_callback=None, handle=False, agent=\(aqSalt/3002.8\(aq, hide_fields=None, raise_error=True, formdata=False, formdata_fieldname=None, formdata_filename=None, decode_body=True, **kwargs) +.B salt.utils.http.query(url, method=\(aqGET\(aq, params=None, data=None, data_file=None, header_dict=None, header_list=None, header_file=None, username=None, password=None, auth=None, decode=False, decode_type=\(aqauto\(aq, status=False, headers=False, text=False, cookies=None, cookie_jar=None, cookie_format=\(aqlwp\(aq, persist_session=False, session_cookie_jar=None, data_render=False, data_renderer=None, header_render=False, header_renderer=None, template_dict=None, test=False, test_url=None, node=\(aqminion\(aq, port=80, opts=None, backend=None, ca_bundle=None, verify_ssl=None, cert=None, text_out=None, headers_out=None, decode_out=None, stream=False, streaming_callback=None, header_callback=None, handle=False, agent=\(aqSalt/3002.9\(aq, hide_fields=None, raise_error=True, formdata=False, formdata_fieldname=None, formdata_filename=None, decode_body=True, **kwargs) Query a resource, and decode the return data .UNINDENT .INDENT 7.0 
@@ -328643,8 +328643,8 @@ Alternate constructor that accept multiple recipients and rooms .B filter(record) Determine if the specified record is to be logged. .sp -Returns True if the record should be logged, or False otherwise. -If deemed appropriate, the record may be modified in\-place. +Is the specified record to be logged? Returns 0 for no, nonzero for +yes. If deemed appropriate, the record may be modified in\-place. .UNINDENT .UNINDENT .INDENT 0.0 @@ -455301,6 +455301,18 @@ Ensure that sourced file is cached using its hash name (cve\-2021\-21996) .SS Salt 3002.8 (2022\-02\-25) .sp Version 3002.8 is a CVE security fix release for 3002\&. +.SS Important notice about upgrading +.sp +Version 3002.8 is a security release. 3002.8 minions are not able to +communicate with masters older than 3002.8. You must upgrade your masters +before upgrading minions. +.SS Minion authentication security +.sp +Authentication between masters and minions rely on public/private key +encryption and message signing. To secure minion authentication before you must +pre\-seed the master\(aqs public key on minions. To pre\-seed the minions\(aq master +key, place a copy of the master\(aqs public key in the minion\(aqs pki directory as +\fBminion_master.pub\fP\&. .SS Security .INDENT 0.0 .IP \(bu 2 diff --git a/doc/man/spm.1 b/doc/man/spm.1 index 60353a022e59..4d2e7118d5ed 100644 --- a/doc/man/spm.1 +++ b/doc/man/spm.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SPM" "1" "Feb 25, 2022" "3002.8" "Salt" +.TH "SPM" "1" "May 25, 2022" "3002.9" "Salt" .SH NAME spm \- Salt Package Manager Command . diff --git a/doc/topics/releases/3002.9.rst b/doc/topics/releases/3002.9.rst new file mode 100644 index 000000000000..5f89f3ea5946 --- /dev/null +++ b/doc/topics/releases/3002.9.rst 
@@ -0,0 +1,20 @@
+.. _release-3002-8:
+
+========================
+Salt 3002.9 (2022-05-25)
+========================
+
+Version 3002.9 is a CVE security fix release for :ref:`3002 `.
+
+Fixed
+-----
+
+- Fixed an error when running on CentOS Stream 8. (#59161)
+- Fix bug in tcp transport (#61865)
+- Make sure the correct key is being used when verifying or validating communication, eg. when a Salt syndic is involved use syndic_master.pub and when a Salt minion is involved use minion_master.pub. (#61868)
+
+
+Security
+--------
+
+- Fixed PAM auth to reject auth attempt if user account is locked. (cve-2022-22967)
From 2634bb9bf4ecb7b0693beaae8b86b7fa7cdceb1f Mon Sep 17 00:00:00 2001
From: Alyssa Rock <43180546+barbaricyawps@users.noreply.github.com>
Date: Wed, 25 May 2022 14:26:55 -0600
Subject: [PATCH 2/2] Update doc/topics/releases/3002.9.rst

Co-authored-by: Megan Wilhite
---
 doc/topics/releases/3002.9.rst | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/doc/topics/releases/3002.9.rst b/doc/topics/releases/3002.9.rst
index 5f89f3ea5946..2de692db4a35 100644
--- a/doc/topics/releases/3002.9.rst
+++ b/doc/topics/releases/3002.9.rst
@@ -1,4 +1,5 @@
-.. _release-3002-8:
+.. _release-3002-9:
+
 
 ========================
 Salt 3002.9 (2022-05-25)