============================
Salt 2015.8.13 Release Notes
============================

Version 2015.8.13 is a bugfix release for :ref:`2015.8.0 <release-2015-8-0>`.


Security Fixes
==============

**CVE-2017-5192** local_batch client external authentication not respected

The ``LocalClient.cmd_batch()`` client method does not accept ``external_auth``
credentials and so access to it from salt-api has been removed for now. This
vulnerability allows code execution for already-authenticated users and is only
in effect when running salt-api as the ``root`` user.

**CVE-2017-5200** Salt-api allows arbitrary command execution on a salt-master
via Salt's ssh_client

Users of Salt-API and salt-ssh could execute a command on the salt master via a
hole when both systems were enabled.

We recommend everyone on the 2015.8 branch upgrade to a patched release as soon
as possible.