From 4517ed38529caa5e3fea9ffd7d55a8fd2e6cb176 Mon Sep 17 00:00:00 2001
From: "Daniel A. Wozniak"
Date: Tue, 5 May 2020 18:10:01 +0000
Subject: [PATCH 1/5] Address issues in cve release
- Fix #57016
- Fix #57027
- Add tests for exposed methods on AESFuncs and ClearFuncs
- Add response validation for patched ClearFuncs.wheel
- Add release notes template for 2019.2.5
---
doc/topics/releases/2019.2.5.rst | 5 +
salt/master.py | 6 +-
salt/wheel/config.py | 1 +
tests/integration/master/test_clear_funcs.py | 1 +
tests/unit/test_master.py | 109 +++++++++++++++++++
5 files changed, 119 insertions(+), 3 deletions(-)
create mode 100644 doc/topics/releases/2019.2.5.rst
diff --git a/doc/topics/releases/2019.2.5.rst b/doc/topics/releases/2019.2.5.rst
new file mode 100644
index 000000000000..b7ce08e554a8
--- /dev/null
+++ b/doc/topics/releases/2019.2.5.rst
@@ -0,0 +1,5 @@
+===========================
+Salt 2019.2.5 Release Notes
+===========================
+
+Version 2019.2.5 is a bug-fix release for :ref:`2019.2.0 `.
diff --git a/salt/master.py b/salt/master.py
index 33a9446f029d..63b4e04aca93 100644
--- a/salt/master.py
+++ b/salt/master.py
@@ -1177,9 +1177,9 @@ class AESFuncs(TransportMethods):
'verify_minion', '_master_tops', '_ext_nodes', '_master_opts', '_mine_get', '_mine', '_mine_delete', '_mine_flush', '_file_recv', '_pillar', '_minion_event', '_handle_minion_event', '_return',
- '_syndic_return', '_minion_runner', 'pub_ret', 'minion_pub',
- 'minion_publish', 'revoke_auth', 'run_func', '_serve_file',
- '_file_find', '_file_hash', '_file_find_and_stat', '_file_list',
+ '_syndic_return', 'minion_runner', 'pub_ret', 'minion_pub',
+ 'minion_publish', 'revoke_auth', '_serve_file', '_file_find',
+ '_file_hash', '_file_hash_and_stat', '_file_list',
'_file_list_emptydirs', '_dir_list', '_symlink_list', '_file_envs',
)
diff --git a/salt/wheel/config.py b/salt/wheel/config.py
index 3984444f8f1f..c965b585e2c7 100644
--- a/salt/wheel/config.py
+++ b/salt/wheel/config.py
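Review bot: `expose_methods` is a hand-maintained tuple of strings and nothing in the class checks it against the methods that actually exist, which is how `_minion_runner` and `_file_find_and_stat` (corrected here to `minion_runner` and `_file_hash_and_stat`) reached a release: a typo only surfaces as a "method not exposed" error on every minion that requests it. The tuple and the `AESFuncs` class it belongs to start before the hunk, so the cheapest guard is a one-time check in the constructor that raises if any listed name is not a callable attribute, failing the master at start-up instead of in the field; the new `test_aes_funcs_white` in tests/unit/test_master.py covers the same thing at test time. Dropping `run_func` is the security-relevant part of the hunk: it is the method that dispatches these names, so listing it made the dispatcher itself remotely requestable, and whether that reached anything beyond the allowlist depends on `run_func`'s own checks, which are outside the hunk. A comment on the tuple would keep it from being re-added, e.g. `# Remote-callable names only. run_func is the dispatcher and must never be listed; tests/unit/test_master.py checks every entry is callable and every other callable is explicitly blacklisted.`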
@@ -12,6 +12,7 @@
import salt.config
import salt.utils.files
import salt.utils.yaml
+import salt.utils.verify
# Import 3rd-party libs
from salt.ext import six
diff --git a/tests/integration/master/test_clear_funcs.py b/tests/integration/master/test_clear_funcs.py
index 4abb257dd96f..bdd8552ecb8f 100644
--- a/tests/integration/master/test_clear_funcs.py
+++ b/tests/integration/master/test_clear_funcs.py
@@ -176,6 +176,7 @@ def test_clearfuncs_config(self):
ret = clear_channel.send(msg, timeout=5)
assert not os.path.exists(os.path.join(self.conf_dir, 'evil.conf')), \
'Wrote file via directory traversal'
+ assert ret['data']['return'] == 'Invalid path'
class ClearFuncsFileRoots(TestCase):
diff --git a/tests/unit/test_master.py b/tests/unit/test_master.py
index c730f61594da..b0aaf822c381 100644
--- a/tests/unit/test_master.py
+++ b/tests/unit/test_master.py
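Review bot: The added `import salt.utils.verify` is not used by anything in the hunk, so the fix it makes is invisible here; presumably the module's existing path check (the one tests/integration/master/test_clear_funcs.py now expects to answer `'Invalid path'`) already references `salt.utils.verify` and had been relying on some other module importing it first, in which case the traversal guard could raise `AttributeError` instead of rejecting the request on a master where nothing else had loaded it. A dependence on import order like that is exactly what an import-in-isolation unit test catches: importing `salt.wheel.config` on its own and calling the config-writing wheel function with a traversal path would pin the `'Invalid path'` result without a running master. A comment on the import, `# Needed by the path check below; do not rely on a transitive import`, would explain why an apparently unused import is load-bearing. The function that uses it starts outside the hunk.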
@@ -32,6 +32,115 @@ def bang(self):
assert foo.get_method('bar') is not None
assert foo.get_method('bang') is None
+ def test_aes_funcs_white(self):
+ '''
+ Validate methods exposed on AESFuncs exist and are callable
+ '''
+ opts = salt.config.master_config(None)
+ aes_funcs = salt.master.AESFuncs(opts)
+ for name in aes_funcs.expose_methods:
+ func = getattr(aes_funcs, name, None)
+ assert callable(func)
+
+ def test_aes_funcs_black(self):
+ '''
+ Validate methods on AESFuncs that should not be called remotely
+ '''
+ opts = salt.config.master_config(None)
+ aes_funcs = salt.master.AESFuncs(opts)
+ # Any callable that should not explicitly be allowed should be added
+ # here.
+ blacklist_methods = [
+ '_AESFuncs__setup_fileserver',
+ '_AESFuncs__verify_load',
+ '_AESFuncs__verify_minion',
+ '_AESFuncs__verify_minion_publish',
+ '__class__',
+ '__delattr__',
+ '__dir__',
+ '__eq__',
+ '__format__',
+ '__ge__',
+ '__getattribute__',
+ '__gt__',
+ '__hash__',
+ '__init__',
+ '__init_subclass__',
+ '__le__',
+ '__lt__',
+ '__ne__',
+ '__new__',
+ '__reduce__',
+ '__reduce_ex__',
+ '__repr__',
+ '__setattr__',
+ '__sizeof__',
+ '__str__',
+ '__subclasshook__',
+ 'get_method',
+ 'run_func',
+
+ ]
+ for name in dir(aes_funcs):
+ if name in aes_funcs.expose_methods:
+ continue
+ if not callable(getattr(aes_funcs, name)):
+ continue
+ assert name in blacklist_methods, name
+
+ def test_clear_funcs_white(self):
+ '''
+ Validate methods exposed on ClearFuncs exist and are callable
+ '''
+ opts = salt.config.master_config(None)
+ clear_funcs = salt.master.ClearFuncs(opts, {})
+ for name in clear_funcs.expose_methods:
+ func = getattr(clear_funcs, name, None)
+ assert callable(func)
+
+ def test_clear_funcs_black(self):
+ '''
+ Validate methods on ClearFuncs that should not be called remotely
+ '''
+ opts = salt.config.master_config(None)
+ clear_funcs = salt.master.ClearFuncs(opts, {})
+ blacklist_methods = [
+ '__class__',
+ '__delattr__',
+ '__dir__',
+ '__eq__',
+
'__format__',
+ '__ge__',
+ '__getattribute__',
+ '__gt__',
+ '__hash__',
+ '__init__',
+ '__init_subclass__',
+ '__le__',
+ '__lt__',
+ '__ne__',
+ '__new__',
+ '__reduce__',
+ '__reduce_ex__',
+ '__repr__',
+ '__setattr__',
+ '__sizeof__',
+ '__str__',
+ '__subclasshook__',
+ '_prep_auth_info',
+ '_prep_jid',
+ '_prep_pub',
+ '_send_pub',
+ '_send_ssh_pub',
+ 'get_method',
+ ]
+ for name in dir(clear_funcs):
+ if name in clear_funcs.expose_methods:
+ continue
+ if not callable(getattr(clear_funcs, name)):
+ continue
+ assert name in blacklist_methods, name
+
class ClearFuncsTestCase(TestCase):
'''
From 62236bdede4511dba6894a3867399bfdaf2ac80a Mon Sep 17 00:00:00 2001
From: Mike Place
Date: Mon, 4 May 2020 18:30:21 +0200
Subject: [PATCH 2/5] Add link to salt-announce to documentation
---
doc/topics/index.rst | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/doc/topics/index.rst b/doc/topics/index.rst
index 8ffba2c26b1a..7370f59b935c 100644
--- a/doc/topics/index.rst
+++ b/doc/topics/index.rst
@@ -110,6 +110,12 @@ is hosted by Google Groups. It is open to new members.
.. _`salt-users mailing list`: https://groups.google.com/forum/#!forum/salt-users
+Additionally, all users of Salt should be subscribed to the Announcements mailing
+list which contains important updates about Salt, such as new releaes and
+security-related announcements. This list is low-traffic.
+
+.. _`salt-announce mailing list`: https://groups.google.com/forum/#!forum/salt-announce
+
IRC
===
From 703f4088b4f234857de548c9837c0cf7edaccfab Mon Sep 17 00:00:00 2001
From: Mike Place
Date: Mon, 4 May 2020 18:35:56 +0200
Subject: [PATCH 3/5] Update hardening doc to mention 4505/4506
---
doc/topics/hardening.rst | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/doc/topics/hardening.rst b/doc/topics/hardening.rst
index e62ec97b3a31..f59fd269be19 100644
--- a/doc/topics/hardening.rst
+++ b/doc/topics/hardening.rst
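Review bot: `test_aes_funcs_white` and `test_clear_funcs_white` assert `callable(func)` with no message, so when an allowlist entry is misspelled again (the `_minion_runner` case this series fixes) the failure reads `assert callable(None)` and does not say which entry; use `assert callable(func), name`, the same `assert ..., name` form the two black tests already use. The two black tests also repeat the same twenty-two `object` dunders verbatim; hoisting them into one module-level tuple and keeping only the class-specific names (`_AESFuncs__*`, `_prep_*`, `_send_*`, `get_method`, `run_func`) in each test would make future additions easier to review, since the class-specific names are the ones that matter for exposure. There is a stray blank line before the closing `]` of the AESFuncs `blacklist_methods`. The `TestCase` subclass these methods belong to starts outside the hunk; only `bang` from the preceding test is visible in the header.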
@@ -36,7 +36,8 @@ General hardening tips
- Don't expose the Salt master any more than what is required.
- Harden the system as you would with any high-priority target.
- Keep the system patched and up-to-date.
-- Use tight firewall rules.
+- Use tight firewall rules. Pay particular attention to TCP/4505 and TCP/4506
+ on the salt master and avoid exposing these ports unnecessarily.
Salt hardening tips
===================
From 69594ad60d43cf56d77b8bf168b42c7da0e2520f Mon Sep 17 00:00:00 2001
From: Mike Place
Date: Tue, 5 May 2020 13:18:03 +0200
Subject: [PATCH 4/5] Describe SEPs
---
doc/topics/index.rst | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/doc/topics/index.rst b/doc/topics/index.rst
index 7370f59b935c..f07775e73cbc 100644
--- a/doc/topics/index.rst
+++ b/doc/topics/index.rst
@@ -141,6 +141,11 @@ is happening in Salt development:
|saltrepo|
+Long-term planning and strategic decisions are handled via Salt Enhancement Proposals
+and can be found on GitHub.
+
+.. _`Salt Enhancement Proposals`: https://github.com/saltstack/salt-enhancement-proposals
+
Blogs
=====
From 721e4a72ce7e99daa3623f7d20670ae576a4a479 Mon Sep 17 00:00:00 2001
From: Frode Gundersen
Date: Tue, 5 May 2020 22:47:56 +0000
Subject: [PATCH 5/5] Update 2019.2.5 release notes
---
doc/topics/releases/2019.2.5.rst | 47 ++++++++++++++++++++++++++++++++
1 file changed, 47 insertions(+)
diff --git a/doc/topics/releases/2019.2.5.rst b/doc/topics/releases/2019.2.5.rst
index b7ce08e554a8..6b197e0a12e1 100644
--- a/doc/topics/releases/2019.2.5.rst
+++ b/doc/topics/releases/2019.2.5.rst
@@ -3,3 +3,50 @@ Salt 2019.2.5 Release Notes
===========================
Version 2019.2.5 is a bug-fix release for :ref:`2019.2.0 `.
+
+Statistics
+==========
+
+- Total Merges: **2**
+- Total Issue References: **2**
+- Total PR References: **2**
+
+- Contributors: **2** (`dwoz`_, `frogunder`_)
+
+Changelog for v2019.2.4..v2019.2.5
+==================================
+
+*Generated at: 2020-05-05 22:43:12 UTC*
+
+* **PR** `#57096`_: (`frogunder`_) Update man_pages 2019.2.5
+ @ *2020-05-05 22:10:46 UTC*
+
+ * 6877b7259a Merge pull request `#57096`_ from frogunder/man_pages_2019.2.5
+
+ * 58ea351a59 Update man_pages 2019.2.5
+
+* **ISSUE** `#57027`_: (`ecarson`_) [BUG] Master running 2019.2.4 or 3000.2 unable to synchronize files using saltutil.sync_all to 2017.7.1 minion due to CVE fix (refs: `#57090`_)
+
+* **ISSUE** `#57016`_: (`idontwanttosignin`_) [BUG] Requested method not exposed: minion_runner (refs: `#57090`_)
+
+* **PR** `#57090`_: (`dwoz`_) Address Issues in CVE Release
+ @ *2020-05-05 22:09:25 UTC*
+
+ * 8fe0f66f94 Merge pull request `#57090`_ from dwoz/bugs_n_stuff
+
+ * f3e8590bac Describe SEPs
+
+ * aa1a9d340d Update hardening doc to mention 4505/4506
+
+ * ca303f7c0c Add link to salt-announce to documentation
+
+ * c63253ef9c Address issues in cve release
+
+.. _`#57016`: https://github.com/saltstack/salt/issues/57016
+.. _`#57027`: https://github.com/saltstack/salt/issues/57027
+.. _`#57090`: https://github.com/saltstack/salt/pull/57090
+.. _`#57096`: https://github.com/saltstack/salt/pull/57096
+.. _`dwoz`: https://github.com/dwoz
+.. _`ecarson`: https://github.com/ecarson
+.. _`frogunder`: https://github.com/frogunder
+.. _`idontwanttosignin`: https://github.com/idontwanttosignin