Open Hour 2020-MAY-14
- Salt news and updates
- Feedback Item of the Week: RSS Feed
- Salt 2019.2.5 and 3000.3 Releases
- Approaching Vulnerable Releases
- Open community discussion and questions
- An announcement is coming tomorrow with updated code-freeze and release-candidate dates. This will be the first time a release candidate goes out a few weeks before the GA.
- The PR Merge Jam was placed on hold because of CVE-related time constraints. If you have a PR, it needs passing tests by the 19th to make it into Sodium.
- The Security RSS feed is live: https://www.saltstack.com/security-announcements/
- Issues addressed in the releases this week: https://github.com/saltstack/salt/issues/57027 and https://github.com/saltstack/salt/issues/57016.
- Several people have already downloaded those packages and updated to them.
- These releases do not address the CVEs themselves; they fix functional regressions. We aren't anticipating any additional CVE-related patches.
- The bootstrap and Docker patches were updated as well.
Moe Anderson and Open Hour Attendees
- This has been a common topic of discussion lately. Thanks to the community for the feedback about these releases. People want to know what to do with the out-of-support packages, which are inherently vulnerable to the CVE: unless they are patched, downloading and running those versions exposes users to exploitation.
- There are two schools of thought regarding the unsupported versions:
  - Keep the unsupported versions available, because people will need them, and find ways to flag and alert users that they need to install the patches.
  - Consistent with precedent in other projects, remove those versions and require a special request to access them. That helps ensure that everyone who uses the older versions knows about and installs the patch.
- Why not refresh all of the packages? It isn't a viable option. Salt carries a custom setup for many distributions, and refreshing all of them is not a reasonable approach.
- A decision on how to approach this will be made, but it needs further discussion. The decision will be shared on all channels.
- A security firm has told us that vulnerable packages are still being downloaded, and patch application hasn't been automated.
- Send thoughts on this topic to Moe.