Address Issues in CVE Release [3000.3]

doc/topics/hardening.rst

@@ -36,7 +36,8 @@ General hardening tips
 - Don't expose the Salt master any more than what is required.
 - Harden the system as you would with any high-priority target.
 - Keep the system patched and up-to-date.
-- Use tight firewall rules.
+- Use tight firewall rules. Pay particular attention to TCP/4505 and TCP/4506
+  on the salt master and avoid exposing these ports unnecessarily.
 
 Salt hardening tips
 ===================

doc/topics/index.rst

@@ -110,6 +110,12 @@ is hosted by Google Groups. It is open to new members.
 
 .. _`salt-users mailing list`: https://groups.google.com/forum/#!forum/salt-users
 
+Additionally, all users of Salt should be subscribed to the Announcements mailing
+list which contains important updates about Salt, such as new releaes and
+security-related announcements. This list is low-traffic.
+
+.. _`salt-announce mailing list`: https://groups.google.com/forum/#!forum/salt-announce
+
 
 IRC
 ===
@@ -135,6 +141,11 @@ is happening in Salt development:
 
 |saltrepo|
 
+Long-term planning and strategic decisions are handled via Salt Enhancement Proposals
+and can be found on GitHub.
+
+.. _`Salt Enhancement Proposals`: https://github.com/saltstack/salt-enhancement-proposals
+
 
 Blogs
 =====

doc/topics/releases/2019.2.5.rst

@@ -0,0 +1,52 @@
+===========================
+Salt 2019.2.5 Release Notes
+===========================
+
+Version 2019.2.5 is a bug-fix release for :ref:`2019.2.0 <release-2019-2-0>`.
+
+Statistics
+==========
+
+- Total Merges: **2**
+- Total Issue References: **2**
+- Total PR References: **2**
+
+- Contributors: **2** (`dwoz`_, `frogunder`_)
+
+Changelog for v2019.2.4..v2019.2.5
+==================================
+
+*Generated at: 2020-05-05 22:43:12 UTC*
+
+* **PR** `#57096`_: (`frogunder`_) Update man_pages 2019.2.5
+  @ *2020-05-05 22:10:46 UTC*
+
+  * 6877b7259a Merge pull request `#57096`_ from frogunder/man_pages_2019.2.5
+
+  * 58ea351a59 Update man_pages 2019.2.5
+
+* **ISSUE** `#57027`_: (`ecarson`_) [BUG] Master running 2019.2.4 or 3000.2 unable to synchronize files using saltutil.sync_all to 2017.7.1 minion due to CVE fix (refs: `#57090`_)
+
+* **ISSUE** `#57016`_: (`idontwanttosignin`_) [BUG] Requested method not exposed: minion_runner (refs: `#57090`_)
+
+* **PR** `#57090`_: (`dwoz`_) Address Issues in CVE Release
+  @ *2020-05-05 22:09:25 UTC*
+
+  * 8fe0f66f94 Merge pull request `#57090`_ from dwoz/bugs_n_stuff
+
+  * f3e8590bac Describe SEPs
+
+  * aa1a9d340d Update hardening doc to mention 4505/4506
+
+  * ca303f7c0c Add link to salt-announce to documentation
+
+  * c63253ef9c Address issues in cve release
+
+.. _`#57016`: https://github.com/saltstack/salt/issues/57016
+.. _`#57027`: https://github.com/saltstack/salt/issues/57027
+.. _`#57090`: https://github.com/saltstack/salt/pull/57090
+.. _`#57096`: https://github.com/saltstack/salt/pull/57096
+.. _`dwoz`: https://github.com/dwoz
+.. _`ecarson`: https://github.com/ecarson
+.. _`frogunder`: https://github.com/frogunder
+.. _`idontwanttosignin`: https://github.com/idontwanttosignin

salt/master.py

@@ -1177,9 +1177,9 @@ class AESFuncs(TransportMethods):
         'verify_minion', '_master_tops', '_ext_nodes', '_master_opts',
         '_mine_get', '_mine', '_mine_delete', '_mine_flush', '_file_recv',
         '_pillar', '_minion_event', '_handle_minion_event', '_return',
-        '_syndic_return', '_minion_runner', 'pub_ret', 'minion_pub',
-        'minion_publish', 'revoke_auth', 'run_func', '_serve_file',
-        '_file_find', '_file_hash', '_file_find_and_stat', '_file_list',
+        '_syndic_return', 'minion_runner', 'pub_ret', 'minion_pub',
+        'minion_publish', 'revoke_auth', '_serve_file', '_file_find',
+        '_file_hash', '_file_hash_and_stat', '_file_list',
         '_file_list_emptydirs', '_dir_list', '_symlink_list', '_file_envs',
     )
 

salt/wheel/config.py

@@ -12,6 +12,7 @@
 import salt.config
 import salt.utils.files
 import salt.utils.yaml
+import salt.utils.verify
 
 # Import 3rd-party libs
 from salt.ext import six

tests/integration/master/test_clear_funcs.py

@@ -176,6 +176,7 @@ def test_clearfuncs_config(self):
         ret = clear_channel.send(msg, timeout=5)
         assert not os.path.exists(os.path.join(self.conf_dir, 'evil.conf')), \
             'Wrote file via directory traversal'
+        assert ret['data']['return'] == 'Invalid path'
 
 
 class ClearFuncsFileRoots(TestCase):

tests/unit/test_master.py

@@ -32,6 +32,115 @@ def bang(self):
         assert foo.get_method('bar') is not None
         assert foo.get_method('bang') is None
 
+    def test_aes_funcs_white(self):
+        '''
+        Validate methods exposed on AESFuncs exist and are callable
+        '''
+        opts = salt.config.master_config(None)
+        aes_funcs = salt.master.AESFuncs(opts)
+        for name in aes_funcs.expose_methods:
+            func = getattr(aes_funcs, name, None)
+            assert callable(func)
+
+    def test_aes_funcs_black(self):
+        '''
+        Validate methods on AESFuncs that should not be called remotely
+        '''
+        opts = salt.config.master_config(None)
+        aes_funcs = salt.master.AESFuncs(opts)
+        # Any callable that should not explicitly be allowed should be added
+        # here.
+        blacklist_methods = [
+            '_AESFuncs__setup_fileserver',
+            '_AESFuncs__verify_load',
+            '_AESFuncs__verify_minion',
+            '_AESFuncs__verify_minion_publish',
+            '__class__',
+            '__delattr__',
+            '__dir__',
+            '__eq__',
+            '__format__',
+            '__ge__',
+            '__getattribute__',
+            '__gt__',
+            '__hash__',
+            '__init__',
+            '__init_subclass__',
+            '__le__',
+            '__lt__',
+            '__ne__',
+            '__new__',
+            '__reduce__',
+            '__reduce_ex__',
+            '__repr__',
+            '__setattr__',
+            '__sizeof__',
+            '__str__',
+            '__subclasshook__',
+            'get_method',
+            'run_func',
+
+        ]
+        for name in dir(aes_funcs):
+            if name in aes_funcs.expose_methods:
+                continue
+            if not callable(getattr(aes_funcs, name)):
+                continue
+            assert name in blacklist_methods, name
+
+    def test_clear_funcs_white(self):
+        '''
+        Validate methods exposed on ClearFuncs exist and are callable
+        '''
+        opts = salt.config.master_config(None)
+        clear_funcs = salt.master.ClearFuncs(opts, {})
+        for name in clear_funcs.expose_methods:
+            func = getattr(clear_funcs, name, None)
+            assert callable(func)
+
+    def test_clear_funcs_black(self):
+        '''
+        Validate methods on ClearFuncs that should not be called remotely
+        '''
+        opts = salt.config.master_config(None)
+        clear_funcs = salt.master.ClearFuncs(opts, {})
+        blacklist_methods = [
+            '__class__',
+            '__delattr__',
+            '__dir__',
+            '__eq__',
+            '__format__',
+            '__ge__',
+            '__getattribute__',
+            '__gt__',
+            '__hash__',
+            '__init__',
+            '__init_subclass__',
+            '__le__',
+            '__lt__',
+            '__ne__',
+            '__new__',
+            '__reduce__',
+            '__reduce_ex__',
+            '__repr__',
+            '__setattr__',
+            '__sizeof__',
+            '__str__',
+            '__subclasshook__',
+            '_prep_auth_info',
+            '_prep_jid',
+            '_prep_pub',
+            '_send_pub',
+            '_send_ssh_pub',
+            'get_method',
+        ]
+        for name in dir(clear_funcs):
+            if name in clear_funcs.expose_methods:
+                continue
+            if not callable(getattr(clear_funcs, name)):
+                continue
+            assert name in blacklist_methods, name
+
 
 class ClearFuncsTestCase(TestCase):
     '''