Salt 2015.8.13 Release Notes

Version 2015.8.13 is a bugfix release for 2015.8.0.

Security Fixes

CVE-2017-5192: local_batch client external authentication not respected

The LocalClient.cmd_batch() method client does not accept external_auth credentials and so access to it from salt-api has been removed for now. This vulnerability allows code execution for already-authenticated users and is only in effect when running salt-api as the root user.

CVE-2017-5200: Salt-api allows arbitrary command execution on a salt-master via Salt's ssh_client

Users of Salt-API and salt-ssh could execute a command on the salt master via a hole when both systems were enabled.

We recommend everyone on the 2015.8 branch upgrade to a patched release as soon as possible.

Changes for v2015.8.12..v2015.8.13

Extended changelog courtesy of Todd Stansell (

Generated at: 2017-01-09T21:17:06Z


  • Total Merges: 3
  • Total Issue references: 3
  • Total PR references: 5


  • 3428232 Clean up tests and docs for batch execution
  • 3d8f3d1 Remove batch execution from NetapiClient and Saltnado
  • 97b0f64 Lintfix
  • d151666 Add explanation comment
  • 62f2c87 Add docstring
  • 9b0a786 Explain what it is about and how to configure that
  • 5ea3579 Pick up a specified roster file from the configured locations
  • 3a8614c Disable custom rosters in API
  • c0e5a11 Add roster disable flag