
Open Hour 2020-MAY-14

Agenda

  • Salt news and updates
  • Feedback Item of the Week: RSS Feed
  • Salt 2019.2.5 and 3000.3 Releases
  • Approaching Vulnerable Releases
  • Open community discussion and questions

Salt News and Updates

Cassandra Faris

  • Announcement coming tomorrow with updated code freeze and release candidate dates. This will be the first time we get a release candidate out a few weeks before the GA
  • PR Merge Jam was placed on hold due to CVE-related time constraints. If you have a PR, it needs to have passing tests by the 19th to make it into Sodium
  • The Security RSS feed is live: https://www.saltstack.com/security-announcements/

2019.2.5 and 3000.3 Releases

Moe Anderson

Recalling Vulnerable Releases

Moe Anderson and Open Hour Attendees

  • This has been a common topic of discussion lately. Thanks to the community for feedback about these releases. People want to know what to do with the out-of-support packages that are inherently vulnerable to the CVE. Unless they’re patched, downloading those versions opens risk of exploitation.
  • Two schools of thought regarding unsupported versions
    • We should keep the unsupported versions available because people will need them, and find ways to flag and alert people that they need to install the packages.
    • Consistent with precedent in other projects, these versions should be removed and require people to make a special request to access them. That helps ensure that everyone who uses the older versions will know about and install the patch
  • Why not refresh all of the packages? It’s not a viable option. Salt carries a custom setup with many distributions. It’s not a reasonable approach to refresh them all
  • Will be making a decision on how to approach this, but needs further discussion. We’ll share the decision that is made on all channels.
  • A security firm has told us that vulnerable packages are still being downloaded, but patch application hasn’t been automated
  • Send thoughts on this topic to Moe
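A fleet check of the kind the discussion above calls for (flagging minions that are still on releases predating the fix), added here as an example; it is not SaltStack's code. It reads the output of `salt '*' test.version`, treats 2019.2.5 and 3000.3 as the patched releases named in these notes, and assumes, because the notes do not say, that branches older than 2019.2 are out of support and never received the fix, and that branches newer than 3000 postdate it. The sample output is constructed.

```python
"""Flag Salt installs that predate the 2019.2.5 / 3000.3 security releases.

Added example, not SaltStack's own code. Assumptions (not stated in the
meeting notes): anything older than the 2019.2 branch is out of support and
never received the fix; branches newer than 3000 postdate the fix.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Minimum patched release per supported branch, as named in the meeting notes.
PATCHED: Dict[Tuple[int, ...], Tuple[int, ...]] = {
    (2019, 2): (2019, 2, 5),
    (3000,): (3000, 3),
}
OLDEST_SUPPORTED_BRANCH = (2019, 2)  # assumption: older branches got no fix

# Salt versions look like 2019.2.4 (year.minor.patch) or 3000.2 (major.patch).
_VERSION_RE = re.compile(r"(?<!\d)(\d{4}(?:\.\d+){0,2})(?!\d)")


class Verdict(NamedTuple):
    version: str
    status: str  # "patched", "vulnerable", "unsupported" or "unknown"
    action: str


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a Salt version tuple from text such as 'salt-minion 3000.2'."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(p) for p in match.group(1).split("."))


def _split(parts: Tuple[int, ...]) -> Tuple[Tuple[int, ...], Tuple[int, ...]]:
    """Return (branch, full_version); a missing patch level is read as 0."""
    width = 2 if parts[0] < 3000 else 1  # 2019.2.x vs 3000.x
    branch = parts[:width]
    patch = parts[width] if len(parts) > width else 0
    return branch, branch + (patch,)


def classify(text: str) -> Verdict:
    """Decide whether a reported version carries the security fix."""
    parts = parse_version(text)
    if parts is None or (parts[0] < 3000 and len(parts) < 2):
        return Verdict(text.strip(), "unknown", "could not parse a Salt version")
    branch, full = _split(parts)
    dotted = ".".join(str(p) for p in full)
    if branch < OLDEST_SUPPORTED_BRANCH:
        return Verdict(dotted, "unsupported",
                       "branch is out of support and never received the fix; "
                       "upgrade to 2019.2.5 or 3000.3")
    if branch in PATCHED:
        needed = PATCHED[branch]
        if full >= needed:
            return Verdict(dotted, "patched", "no action")
        return Verdict(dotted, "vulnerable",
                       "upgrade to " + ".".join(str(p) for p in needed))
    # Branch newer than 3000: assumed to have shipped after the fix.
    return Verdict(dotted, "patched", "no action (branch postdates the fix)")


def scan_test_version_output(output: str) -> Dict[str, Verdict]:
    """Classify every minion in `salt '*' test.version` output, which prints
    each minion id on its own line followed by an indented version line."""
    results: Dict[str, Verdict] = {}
    minion = None
    for line in output.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            minion = line.rstrip()[:-1]
        elif minion is not None and line.strip():
            results[minion] = classify(line)
            minion = None
    return results


def needs_attention(results: Dict[str, Verdict]) -> List[str]:
    """Minion ids that are vulnerable, unsupported or could not be parsed."""
    return sorted(m for m, v in results.items() if v.status != "patched")


# Constructed sample output, in the shape `salt '*' test.version` prints.
SAMPLE_OUTPUT = """\
web01:
    2019.2.4
web02:
    2019.2.5
db01:
    3000.2
db02:
    3000.3
legacy01:
    2018.3.5
new01:
    3001
broken01:
    Minion did not return. [Not connected]
"""

if __name__ == "__main__":
    for minion, verdict in scan_test_version_output(SAMPLE_OUTPUT).items():
        print(f"{minion:10} {verdict.version:10} {verdict.status:12} {verdict.action}")
```

Unreachable minions are reported as "unknown" rather than silently skipped, so a host that cannot be inventoried still shows up in the list that needs attention; a check that only reports what it can parse would hide exactly the forgotten installs the discussion is about.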