So, is being addressed not has been addressed? Is RAET the future of Salt? The most relevant I could find wasn't very clear: https://groups.google.com/forum/#!topic/salt-users/nh8MqRiHV...

As far as I can tell RAET is still optional/Beta?: http://docs.saltstack.com/en/latest/topics/releases/2014.7.0...

I tried finding out if CVEs had been assigned to the AES/RSA issues, but as far as I can tell there weren't any CVEs assigned: http://www.cvedetails.com/vulnerability-list/vendor_id-12943...

Mail suggesting CVE for RSA exponent: http://www.openwall.com/lists/oss-security/2013/07/01/1

But the CVE is only reserved, not assigned?: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2228

With the history of some very serious issues with the salt crypto, I'm a little concerned that there doesn't seem to exist any good documentation on the past and current state of the protocol security from the salt project? As I said up-thread -- perhaps I'm not being fair, perhaps I'm just not aware of where to look -- but I've yet to see anything that puts me entirely at ease: have new members been added to the team? Has there been a successful audit? Did the attacks turn out to not be practical?

While I might not have the same confidence in paramiko as I do in openssh -- at least it works with a well-tested protocol -- and more importantly -- with a rather well-known protocol -- it's easier to evaluate. If someone can get root access via ssh that is bad. If the risk is limited to someone stealing a private key, then that is at least something to plan around (and make decisions around).
http://www.saltstack.com/community/