1.. _release-3001-5: 2 3========================= 4Salt 3001.5 Release Notes 5========================= 6 7Version 3001.5 is a CVE fix release for :ref:`3001 <release-3001>`. 8 9Fixed 10----- 11 12- CVE-2020-28243 - Fix local privilege escalation in the restartcheck module. 13 14- CVE-2020-28972 - Ensure authentication to vcenter, vsphere, and esxi server 15 validates the SSL/TLS certificate by default. If you want to skip SSL verification 16 you can use `verify_ssl: False`. 17 18- CVE-2020-35662 - Ensure the asam runner, qingcloud, splunk returner, panos 19 proxy, cimc proxy, zenoss module, esxi module, vsphere module, glassfish 20 module, bigip module, and keystone module validate SSL by default. If you want 21 to skip SSL verification you can use `verify_ssl: False`. 22 23- CVE-2021-3148 - Fix a command injection in the Salt-API when using the 24 Salt-SSH client. 25 26- CVE-2021-3144 - Fix eauth tokens can be used once after expiration 27 28- CVE-2021-25281 - Fix salt-api so it honors eauth credentials for the 29 wheel_async client. 30 31- CVE-2021-25282 - Fix the salt.wheel.pillar_roots.write method so it is not 32 vulnerable to directory traversal. 33 34- CVE-2021-25283 - Fix the jinja render to protect against server side template 35 injection attacks. 36 37- CVE-2021-25284 - Fix cmdmod so it will not log credentials to log levels info 38 and error. 39 40- CVE-2021-3197 - Fix ssh client to remove ProxyCommand from arguments provided 41 by cli and netapi. 42