Arch Linux Security Advisory ASA-202001-7 ========================================= Severity: Medium Date : 2020-01-29 CVE-ID : CVE-2019-17361 Package : salt Type : arbitrary command execution Remote : Yes Link : https://security.archlinux.org/AVG-1087 Summary ======= The package salt before version 2019.2.3-1 is vulnerable to arbitrary command execution. Resolution ========== Upgrade to 2019.2.3-1. # pacman -Syu "salt>=2019.2.3-1" The problem has been fixed upstream in version 2019.2.3. Workaround ========== None. Description =========== With the Salt NetAPI enabled in addition to having a SSH roster defined, unauthenticated access is possible when specifying the client as SSH. Additionally, when the raw_shell option is specified any arbitrary command may be run on the Salt master when specifying SSH options. Impact ====== A remote unauthenticated attacker is able to execute arbitrary code on the affected host. References ========== https://docs.saltstack.com/en/latest/topics/releases/2019.2.3.html https://github.com/saltstack/salt/commit/bca115f3f00fbde564dd2f12bf036b5d2fd... https://security.archlinux.org/CVE-2019-17361