Merge pull request #8 from saltstack/releasenotes_30002

Update 3000.2 release notes
saltstack · Apr 29, 2020 · 37668c3 · 37668c3
2 parents 3d99b10 + 2ac6634
commit 37668c3
Showing 1 changed file with 19 additions and 0 deletions.
diff --git a/doc/topics/releases/3000.2.rst b/doc/topics/releases/3000.2.rst
@@ -22,3 +22,22 @@ An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2
 The salt-master process ClearFuncs class allows access to some methods
 that improperly sanitize paths. These methods allow arbitrary
 directory access to authenticated users.
+
+
+Known Issue
+===========
+
+Part of the fix for CVE-2020-11651 added better validation of the methods allowed to be called by remote clients.
+Both AESFuncs and ClearFuncs now have an explicit list of methods that can be called.
+The name of one of these whitlisted methods on AESFuncs had a typo.
+The _minion_runner method should be minion_runner (without the underscore prefix).
+This typo breaks the publish module’s runner method.
+Calling runners, for example:
+
+.. code-block:: bash
+
+    salt minion publish.runner manage.down
+
+Will not work, and you will receive and empty reply from the salt master.
+
+This will be addressed in the Sodium release of Salt set for mid-June 2020.