diff --git a/CHANGELOG.md b/CHANGELOG.md index 0fd88914af8c..27cbe1534f32 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,32 @@ Versions are `MAJOR.PATCH`. # Changelog +## 3006.6 (2024-01-26) + + +### Changed + +- Salt no longer time bombs user installations on code using `salt.utils.versions.warn_until_date` [#665924](https://github.com/saltstack/salt/issues/665924) + + +### Fixed + +- Fix un-closed transport in tornado netapi [#65759](https://github.com/saltstack/salt/issues/65759) + + +### Security + +- CVE-2024-22231 Prevent directory traversal when creating syndic cache directory on the master + CVE-2024-22232 Prevent directory traversal attacks in the master's serve_file method. + These vulerablities were discovered and reported by: + Yudi Zhao(Huawei Nebula Security Lab),Chenwei Jiang(Huawei Nebula Security Lab) [#565](https://github.com/saltstack/salt/issues/565) +- Update some requirements which had some security issues: + + * Bump to `pycryptodome==3.19.1` and `pycryptodomex==3.19.1` due to https://github.com/advisories/GHSA-j225-cvw7-qrx7 + * Bump to `gitpython==3.1.41` due to https://github.com/advisories/GHSA-2mqj-m65w-jghx + * Bump to `jinja2==3.1.3` due to https://github.com/advisories/GHSA-h5c8-rqwp-cp95 [#65830](https://github.com/saltstack/salt/issues/65830) + + ## 3006.5 (2023-12-12) diff --git a/changelog/565.security.md b/changelog/565.security.md deleted file mode 100644 index 5d7ec8202bac..000000000000 --- a/changelog/565.security.md +++ /dev/null @@ -1,4 +0,0 @@ -CVE-2024-22231 Prevent directory traversal when creating syndic cache directory on the master -CVE-2024-22232 Prevent directory traversal attacks in the master's serve_file method. -These vulerablities were discovered and reported by: -Yudi Zhao(Huawei Nebula Security Lab),Chenwei Jiang(Huawei Nebula Security Lab) diff --git a/changelog/65759.fixed.md b/changelog/65759.fixed.md deleted file mode 100644 index 426cb3f24bf7..000000000000 
--- a/changelog/65759.fixed.md +++ /dev/null @@ -1 +0,0 @@ -Fix un-closed transport in tornado netapi diff --git a/changelog/65830.security.md b/changelog/65830.security.md deleted file mode 100644 index 509b279126d7..000000000000 --- a/changelog/65830.security.md +++ /dev/null @@ -1,5 +0,0 @@ -Update some requirements which had some security issues: - -* Bump to `pycryptodome==3.19.1` and `pycryptodomex==3.19.1` due to https://github.com/advisories/GHSA-j225-cvw7-qrx7 -* Bump to `gitpython==3.1.41` due to https://github.com/advisories/GHSA-2mqj-m65w-jghx -* Bump to `jinja2==3.1.3` due to https://github.com/advisories/GHSA-h5c8-rqwp-cp95 diff --git a/changelog/665924.changed.md b/changelog/665924.changed.md deleted file mode 100644 index fb06f9125c48..000000000000 --- a/changelog/665924.changed.md +++ /dev/null @@ -1 +0,0 @@ -Salt no longer time bombs user installations on code using `salt.utils.versions.warn_until_date` diff --git a/doc/man/salt-api.1 b/doc/man/salt-api.1 index 214422b243a4..ef5fc5ed68c9 100644 --- a/doc/man/salt-api.1 +++ b/doc/man/salt-api.1 @@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "SALT-API" "1" "Generated on December 12, 2023 at 05:54:17 PM UTC." "3006.5" "Salt" +.TH "SALT-API" "1" "Generated on January 26, 2024 at 11:57:28 AM UTC." "3006.6" "Salt" .SH NAME salt-api \- salt-api Command .sp @@ -109,6 +109,6 @@ Logfile logging log level. One of \fBall\fP, \fBgarbage\fP, \fBtrace\fP, .SH AUTHOR Thomas S. Hatch and many others, please see the Authors file .SH COPYRIGHT -2023 +2024 .\" Generated by docutils manpage writer. . diff --git a/doc/man/salt-call.1 b/doc/man/salt-call.1 index 2e6698b8d4ac..5854684c3cea 100644 --- a/doc/man/salt-call.1 +++ b/doc/man/salt-call.1 
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "SALT-CALL" "1" "Generated on December 12, 2023 at 05:54:17 PM UTC." "3006.5" "Salt" +.TH "SALT-CALL" "1" "Generated on January 26, 2024 at 11:57:28 AM UTC." "3006.6" "Salt" .SH NAME salt-call \- salt-call Documentation .SH SYNOPSIS @@ -262,6 +262,6 @@ output. Set to True or False. Default: none. .SH AUTHOR Thomas S. Hatch and many others, please see the Authors file .SH COPYRIGHT -2023 +2024 .\" Generated by docutils manpage writer. . diff --git a/doc/man/salt-cloud.1 b/doc/man/salt-cloud.1 index 7dc0450cc5cd..75365f7ea893 100644 --- a/doc/man/salt-cloud.1 +++ b/doc/man/salt-cloud.1 @@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "SALT-CLOUD" "1" "Generated on December 12, 2023 at 05:54:17 PM UTC." "3006.5" "Salt" +.TH "SALT-CLOUD" "1" "Generated on January 26, 2024 at 11:57:28 AM UTC." "3006.6" "Salt" .SH NAME salt-cloud \- Salt Cloud Command .sp @@ -380,6 +380,6 @@ salt\-cloud \-m /path/to/cloud.map \-Q .SH AUTHOR Thomas S. Hatch and many others, please see the Authors file .SH COPYRIGHT -2023 +2024 .\" Generated by docutils manpage writer. . diff --git a/doc/man/salt-cp.1 b/doc/man/salt-cp.1 index 015e1b3461ce..f0bc77a539c2 100644 --- a/doc/man/salt-cp.1 +++ b/doc/man/salt-cp.1 @@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "SALT-CP" "1" "Generated on December 12, 2023 at 05:54:17 PM UTC." "3006.5" "Salt" +.TH "SALT-CP" "1" "Generated on January 26, 2024 at 11:57:28 AM UTC." "3006.6" "Salt" .SH NAME salt-cp \- salt-cp Documentation .sp 
@@ -207,6 +207,6 @@ New in version 2016.3.7,2016.11.6,2017.7.0. .SH AUTHOR Thomas S. Hatch and many others, please see the Authors file .SH COPYRIGHT -2023 +2024 .\" Generated by docutils manpage writer. . diff --git a/doc/man/salt-key.1 b/doc/man/salt-key.1 index f346507ed58d..35b6d1aa3d32 100644 --- a/doc/man/salt-key.1 +++ b/doc/man/salt-key.1 @@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "SALT-KEY" "1" "Generated on December 12, 2023 at 05:54:17 PM UTC." "3006.5" "Salt" +.TH "SALT-KEY" "1" "Generated on January 26, 2024 at 11:57:28 AM UTC." "3006.6" "Salt" .SH NAME salt-key \- salt-key Documentation .SH SYNOPSIS @@ -332,6 +332,6 @@ Auto\-create a signing key\-pair if it does not yet exist .SH AUTHOR Thomas S. Hatch and many others, please see the Authors file .SH COPYRIGHT -2023 +2024 .\" Generated by docutils manpage writer. . diff --git a/doc/man/salt-master.1 b/doc/man/salt-master.1 index 1b54882a9b2e..2e3e0b5a8de7 100644 --- a/doc/man/salt-master.1 +++ b/doc/man/salt-master.1 @@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "SALT-MASTER" "1" "Generated on December 12, 2023 at 05:54:17 PM UTC." "3006.5" "Salt" +.TH "SALT-MASTER" "1" "Generated on January 26, 2024 at 11:57:28 AM UTC." "3006.6" "Salt" .SH NAME salt-master \- salt-master Documentation .sp @@ -114,6 +114,6 @@ Logfile logging log level. One of \fBall\fP, \fBgarbage\fP, \fBtrace\fP, .SH AUTHOR Thomas S. Hatch and many others, please see the Authors file .SH COPYRIGHT -2023 +2024 .\" Generated by docutils manpage writer. . diff --git a/doc/man/salt-minion.1 b/doc/man/salt-minion.1 index d02a0bfa2e54..1be877af4790 100644 --- a/doc/man/salt-minion.1 +++ b/doc/man/salt-minion.1 
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "SALT-MINION" "1" "Generated on December 12, 2023 at 05:54:17 PM UTC." "3006.5" "Salt" +.TH "SALT-MINION" "1" "Generated on January 26, 2024 at 11:57:28 AM UTC." "3006.6" "Salt" .SH NAME salt-minion \- salt-minion Documentation .sp @@ -115,6 +115,6 @@ Logfile logging log level. One of \fBall\fP, \fBgarbage\fP, \fBtrace\fP, .SH AUTHOR Thomas S. Hatch and many others, please see the Authors file .SH COPYRIGHT -2023 +2024 .\" Generated by docutils manpage writer. . diff --git a/doc/man/salt-proxy.1 b/doc/man/salt-proxy.1 index 0f5b3b8e40e3..c7ce2d85acbf 100644 --- a/doc/man/salt-proxy.1 +++ b/doc/man/salt-proxy.1 @@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "SALT-PROXY" "1" "Generated on December 12, 2023 at 05:54:17 PM UTC." "3006.5" "Salt" +.TH "SALT-PROXY" "1" "Generated on January 26, 2024 at 11:57:28 AM UTC." "3006.6" "Salt" .SH NAME salt-proxy \- salt-proxy Documentation .sp @@ -123,6 +123,6 @@ Logfile logging log level. One of \fBall\fP, \fBgarbage\fP, \fBtrace\fP, .SH AUTHOR Thomas S. Hatch and many others, please see the Authors file .SH COPYRIGHT -2023 +2024 .\" Generated by docutils manpage writer. . diff --git a/doc/man/salt-run.1 b/doc/man/salt-run.1 index 1535cbde86c5..e968134ca1c6 100644 --- a/doc/man/salt-run.1 +++ b/doc/man/salt-run.1 
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "SALT-RUN" "1" "Generated on December 12, 2023 at 05:54:17 PM UTC." "3006.5" "Salt" +.TH "SALT-RUN" "1" "Generated on January 26, 2024 at 11:57:28 AM UTC." "3006.6" "Salt" .SH NAME salt-run \- salt-run Documentation .sp @@ -120,6 +120,6 @@ Logfile logging log level. One of \fBall\fP, \fBgarbage\fP, \fBtrace\fP, .SH AUTHOR Thomas S. Hatch and many others, please see the Authors file .SH COPYRIGHT -2023 +2024 .\" Generated by docutils manpage writer. . diff --git a/doc/man/salt-ssh.1 b/doc/man/salt-ssh.1 index 5771453ad143..1ea3976ae100 100644 --- a/doc/man/salt-ssh.1 +++ b/doc/man/salt-ssh.1 @@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "SALT-SSH" "1" "Generated on December 12, 2023 at 05:54:17 PM UTC." "3006.5" "Salt" +.TH "SALT-SSH" "1" "Generated on January 26, 2024 at 11:57:28 AM UTC." "3006.6" "Salt" .SH NAME salt-ssh \- salt-ssh Documentation .SH SYNOPSIS @@ -365,6 +365,6 @@ to a JSON parser, use \fB\-\-static\fP as well. .SH AUTHOR Thomas S. Hatch and many others, please see the Authors file .SH COPYRIGHT -2023 +2024 .\" Generated by docutils manpage writer. . diff --git a/doc/man/salt-syndic.1 b/doc/man/salt-syndic.1 index 7a42e21c7676..b006b33bbb80 100644 --- a/doc/man/salt-syndic.1 +++ b/doc/man/salt-syndic.1 @@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "SALT-SYNDIC" "1" "Generated on December 12, 2023 at 05:54:17 PM UTC." "3006.5" "Salt" +.TH "SALT-SYNDIC" "1" "Generated on January 26, 2024 at 11:57:28 AM UTC." "3006.6" "Salt" .SH NAME salt-syndic \- salt-syndic Documentation .sp 
@@ -116,6 +116,6 @@ Logfile logging log level. One of \fBall\fP, \fBgarbage\fP, \fBtrace\fP, .SH AUTHOR Thomas S. Hatch and many others, please see the Authors file .SH COPYRIGHT -2023 +2024 .\" Generated by docutils manpage writer. . diff --git a/doc/man/salt.1 b/doc/man/salt.1 index 127fce42145c..9197a01fd3fd 100644 --- a/doc/man/salt.1 +++ b/doc/man/salt.1 @@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "SALT" "1" "Generated on December 12, 2023 at 05:54:17 PM UTC." "3006.5" "Salt" +.TH "SALT" "1" "Generated on January 26, 2024 at 11:57:28 AM UTC." "3006.6" "Salt" .SH NAME salt \- salt .SH SYNOPSIS @@ -354,6 +354,6 @@ to a JSON parser, use \fB\-\-static\fP as well. .SH AUTHOR Thomas S. Hatch and many others, please see the Authors file .SH COPYRIGHT -2023 +2024 .\" Generated by docutils manpage writer. . diff --git a/doc/man/salt.7 b/doc/man/salt.7 index a2232d27d5ae..88d600d0fcc8 100644 --- a/doc/man/salt.7 +++ b/doc/man/salt.7 @@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "SALT" "7" "Generated on December 12, 2023 at 05:54:17 PM UTC." "3006.5" "Salt" +.TH "SALT" "7" "Generated on January 26, 2024 at 11:57:28 AM UTC." "3006.6" "Salt" .SH NAME salt \- Salt Documentation .SH SALT PROJECT @@ -85609,7 +85609,7 @@ built packages need to be placed in the correct locations. .INDENT 0.0 .IP \(bu 2 Place all salt packages for the applicable testing version in -\fB/pkg/artifacts/\fP\&. +\fB/artifacts/pkg/\fP\&. .IP \(bu 2 The onedir must be located under \fB/artifacts/\fP\&. .IP \(bu 2 
@@ -85733,7 +85733,7 @@ artifact may look like \fBnox\-ubuntu\-20.04\-test\-pkgs\-onedir\-x86_64\fP\&. Place the artifacts in the correct location: .INDENT 3.0 .INDENT 3.5 -Unzip the packages and place them in \fB/pkg/artifacts/\fP\&. +Unzip the packages and place them in \fB/artifacts/pkg/\fP\&. .sp You must unzip and untar the onedir packages and place them in \fB/artifacts/\fP\&. Windows onedir requires an additional unzip @@ -116861,28 +116861,6 @@ salt \(aq*\(aq pkg.del_repo_key name=\(aqppa:foo/bar\(aq keyid_ppa=True .UNINDENT .INDENT 0.0 .TP -.B salt.modules.aptpkg.expand_repo_def(**kwargs) -Take a repository definition and expand it to the full pkg repository dict -that can be used for comparison. This is a helper function to make -the Debian/Ubuntu apt sources sane for comparison in the pkgrepo states. -.sp -This is designed to be called from pkgrepo states and will have little use -being called on the CLI. -.sp -CLI Examples: -.INDENT 7.0 -.INDENT 3.5 -.sp -.nf -.ft C -NOT USABLE IN THE CLI -.ft P -.fi -.UNINDENT -.UNINDENT -.UNINDENT -.INDENT 0.0 -.TP .B salt.modules.aptpkg.file_dict(*packages, **kwargs) List the files that belong to a package, grouped by package. Not specifying any packages will return a list of _every_ file on the system\(aqs 
@@ -194390,7 +194368,7 @@ Passes through all the parameters described in the \fI\%utils.http.query function\fP: .INDENT 7.0 .TP -.B salt.utils.http.query(url, method=\(aqGET\(aq, params=None, data=None, data_file=None, header_dict=None, header_list=None, header_file=None, username=None, password=None, auth=None, decode=False, decode_type=\(aqauto\(aq, status=False, headers=False, text=False, cookies=None, cookie_jar=None, cookie_format=\(aqlwp\(aq, persist_session=False, session_cookie_jar=None, data_render=False, data_renderer=None, header_render=False, header_renderer=None, template_dict=None, test=False, test_url=None, node=\(aqminion\(aq, port=80, opts=None, backend=None, ca_bundle=None, verify_ssl=None, cert=None, text_out=None, headers_out=None, decode_out=None, stream=False, streaming_callback=None, header_callback=None, handle=False, agent=\(aqSalt/3006.5\(aq, hide_fields=None, raise_error=True, formdata=False, formdata_fieldname=None, formdata_filename=None, decode_body=True, **kwargs) +.B salt.utils.http.query(url, method=\(aqGET\(aq, params=None, data=None, data_file=None, header_dict=None, header_list=None, header_file=None, username=None, password=None, auth=None, decode=False, decode_type=\(aqauto\(aq, status=False, headers=False, text=False, cookies=None, cookie_jar=None, cookie_format=\(aqlwp\(aq, persist_session=False, session_cookie_jar=None, data_render=False, data_renderer=None, header_render=False, header_renderer=None, template_dict=None, test=False, test_url=None, node=\(aqminion\(aq, port=80, opts=None, backend=None, ca_bundle=None, verify_ssl=None, cert=None, text_out=None, headers_out=None, decode_out=None, stream=False, streaming_callback=None, header_callback=None, handle=False, agent=\(aqSalt/3006.6\(aq, hide_fields=None, raise_error=True, formdata=False, formdata_fieldname=None, formdata_filename=None, decode_body=True, **kwargs) Query a resource, and decode the return data .UNINDENT .INDENT 7.0 
@@ -457920,7 +457898,7 @@ installed2 .UNINDENT .INDENT 0.0 .TP -.B salt.states.zcbuildout.installed(name, config=\(aqbuildout.cfg\(aq, quiet=False, parts=None, user=None, env=(), buildout_ver=None, test_release=False, distribute=None, new_st=None, offline=False, newest=False, python=\(aq/opt/actions\-runner/_work/salt/salt/.tools\-venvs/py3.10/docs/bin/python\(aq, debug=False, verbose=False, unless=None, onlyif=None, use_vt=False, loglevel=\(aqdebug\(aq, **kwargs) +.B salt.states.zcbuildout.installed(name, config=\(aqbuildout.cfg\(aq, quiet=False, parts=None, user=None, env=(), buildout_ver=None, test_release=False, distribute=None, new_st=None, offline=False, newest=False, python=\(aq/opt/actions\-runner/_work/salt\-priv/salt\-priv/.tools\-venvs/py3.10/docs/bin/python\(aq, debug=False, verbose=False, unless=None, onlyif=None, use_vt=False, loglevel=\(aqdebug\(aq, **kwargs) Install buildout in a specific directory .sp It is a thin wrapper to modules.buildout.buildout 
@@ -478000,6 +477978,37 @@ Bump to \fBcryptography==41.0.4\fP due to \fI\%https://github.com/advisories/GHS .IP \(bu 2 Bump to \fBcryptography==41.0.7\fP due to \fI\%https://github.com/advisories/GHSA\-jfhm\-5ghh\-2f97\fP \fI\%#65643\fP .UNINDENT +(release\-3006.6)= +.SS Salt 3006.6 release notes +.SS Changelog +.SS Changed +.INDENT 0.0 +.IP \(bu 2 +Salt no longer time bombs user installations on code using \fBsalt.utils.versions.warn_until_date\fP \fI\%#665924\fP +.UNINDENT +.SS Fixed +.INDENT 0.0 +.IP \(bu 2 +Fix un\-closed transport in tornado netapi \fI\%#65759\fP +.UNINDENT +.SS Security +.INDENT 0.0 +.IP \(bu 2 +CVE\-2024\-22231 Prevent directory traversal when creating syndic cache directory on the master +CVE\-2024\-22232 Prevent directory traversal attacks in the master\(aqs serve_file method. +These vulerablities were discovered and reported by: +Yudi Zhao(Huawei Nebula Security Lab),Chenwei Jiang(Huawei Nebula Security Lab) \fI\%#565\fP +.IP \(bu 2 +Update some requirements which had some security issues: +.INDENT 2.0 +.IP \(bu 2 +Bump to \fBpycryptodome==3.19.1\fP and \fBpycryptodomex==3.19.1\fP due to \fI\%https://github.com/advisories/GHSA\-j225\-cvw7\-qrx7\fP +.IP \(bu 2 +Bump to \fBgitpython==3.1.41\fP due to \fI\%https://github.com/advisories/GHSA\-2mqj\-m65w\-jghx\fP +.IP \(bu 2 +Bump to \fBjinja2==3.1.3\fP due to \fI\%https://github.com/advisories/GHSA\-h5c8\-rqwp\-cp95\fP \fI\%#65830\fP +.UNINDENT +.UNINDENT .sp See \fI\%Install a release candidate\fP for more information about installing an RC when one is available. @@ -603011,6 +603020,6 @@ minions. \fISee also\fP: .SH AUTHOR Thomas S. Hatch and many others, please see the Authors file .SH COPYRIGHT -2023 +2024 .\" Generated by docutils manpage writer. . diff --git a/doc/man/spm.1 b/doc/man/spm.1 index 5e715ca48299..1930413db073 100644 --- a/doc/man/spm.1 +++ b/doc/man/spm.1 
@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "SPM" "1" "Generated on December 12, 2023 at 05:54:17 PM UTC." "3006.5" "Salt" +.TH "SPM" "1" "Generated on January 26, 2024 at 11:57:28 AM UTC." "3006.6" "Salt" .SH NAME spm \- Salt Package Manager Command .sp @@ -138,6 +138,6 @@ in that directory which describes them. .SH AUTHOR Thomas S. Hatch and many others, please see the Authors file .SH COPYRIGHT -2023 +2024 .\" Generated by docutils manpage writer. . diff --git a/doc/topics/releases/3006.6.md b/doc/topics/releases/3006.6.md new file mode 100644 index 000000000000..a38521023ba7 --- /dev/null +++ b/doc/topics/releases/3006.6.md @@ -0,0 +1,41 @@ +(release-3006.6)= +# Salt 3006.6 release notes + + + + + + + +## Changelog + +### Changed + +- Salt no longer time bombs user installations on code using `salt.utils.versions.warn_until_date` [#665924](https://github.com/saltstack/salt/issues/665924) + + +### Fixed + +- Fix un-closed transport in tornado netapi [#65759](https://github.com/saltstack/salt/issues/65759) + + +### Security + +- CVE-2024-22231 Prevent directory traversal when creating syndic cache directory on the master + CVE-2024-22232 Prevent directory traversal attacks in the master's serve_file method. + These vulerablities were discovered and reported by: + Yudi Zhao(Huawei Nebula Security Lab),Chenwei Jiang(Huawei Nebula Security Lab) [#565](https://github.com/saltstack/salt/issues/565) +- Update some requirements which had some security issues: + + * Bump to `pycryptodome==3.19.1` and `pycryptodomex==3.19.1` due to https://github.com/advisories/GHSA-j225-cvw7-qrx7 + * Bump to `gitpython==3.1.41` due to https://github.com/advisories/GHSA-2mqj-m65w-jghx + * Bump to `jinja2==3.1.3` due to https://github.com/advisories/GHSA-h5c8-rqwp-cp95 [#65830](https://github.com/saltstack/salt/issues/65830) 
diff --git a/doc/topics/releases/templates/3006.6.md.template b/doc/topics/releases/templates/3006.6.md.template new file mode 100644 index 000000000000..10bc39cc6495 --- /dev/null +++ b/doc/topics/releases/templates/3006.6.md.template @@ -0,0 +1,14 @@ +(release-3006.6)= +# Salt 3006.6 release notes{{ unreleased }} +{{ warning }} + + + + +## Changelog +{{ changelog }} diff --git a/pkg/debian/changelog b/pkg/debian/changelog index 12f388a11280..404ae3221345 100644 --- a/pkg/debian/changelog +++ b/pkg/debian/changelog @@ -1,3 +1,29 @@ +salt (3006.6) stable; urgency=medium + + + # Changed + + * Salt no longer time bombs user installations on code using `salt.utils.versions.warn_until_date` [#665924](https://github.com/saltstack/salt/issues/665924) + + # Fixed + + * Fix un-closed transport in tornado netapi [#65759](https://github.com/saltstack/salt/issues/65759) + + # Security + + * CVE-2024-22231 Prevent directory traversal when creating syndic cache directory on the master + CVE*2024-22232 Prevent directory traversal attacks in the master's serve_file method. + These vulerablities were discovered and reported by: + Yudi Zhao(Huawei Nebula Security Lab),Chenwei Jiang(Huawei Nebula Security Lab) [#565](https://github.com/saltstack/salt/issues/565) + * Update some requirements which had some security issues: + + * Bump to `pycryptodome==3.19.1` and `pycryptodomex==3.19.1` due to https://github.com/advisories/GHSA*j225-cvw7-qrx7 + * Bump to `gitpython==3.1.41` due to https://github.com/advisories/GHSA*2mqj-m65w-jghx + * Bump to `jinja2==3.1.3` due to https://github.com/advisories/GHSA*h5c8-rqwp-cp95 [#65830](https://github.com/saltstack/salt/issues/65830) + + + -- Salt Project Packaging Fri, 26 Jan 2024 11:56:46 +0000 + salt (3006.5) stable; urgency=medium diff --git a/pkg/rpm/salt.spec b/pkg/rpm/salt.spec index ed350a9e8dc8..90fcfb0f37b2 100644 --- a/pkg/rpm/salt.spec +++ b/pkg/rpm/salt.spec 
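Review bot: In the added `salt (3006.6)` entry of pkg/debian/changelog, several hyphens came out as asterisks: the second CVE reads `CVE*2024-22232` and the advisory links read `GHSA*j225-cvw7-qrx7`, `GHSA*2mqj-m65w-jghx` and `GHSA*h5c8-rqwp-cp95`, while CHANGELOG.md and pkg/rpm/salt.spec in this same commit carry the hyphenated forms. Anyone searching the Debian package changelog for `CVE-2024-22232` will not find the fix, and the three advisory URLs do not resolve as written. It looks as if the bullet conversion (`- ` to `* `) replaces the first hyphen on every line rather than only a leading list marker; this is inferred, since the generator is not part of the diff. The affected lines should read `CVE-2024-22232 Prevent directory traversal attacks in the master's serve_file method.` and `https://github.com/advisories/GHSA-j225-cvw7-qrx7`, with the other two links corrected the same way.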
@@ -31,7 +31,7 @@ %define fish_dir %{_datadir}/fish/vendor_functions.d Name: salt -Version: 3006.5 +Version: 3006.6 Release: 0 Summary: A parallel remote execution system Group: System Environment/Daemons @@ -583,6 +583,29 @@ fi %changelog +* Fri Jan 26 2024 Salt Project Packaging - 3006.6 + +# Changed + +- Salt no longer time bombs user installations on code using `salt.utils.versions.warn_until_date` [#665924](https://github.com/saltstack/salt/issues/665924) + +# Fixed + +- Fix un-closed transport in tornado netapi [#65759](https://github.com/saltstack/salt/issues/65759) + +# Security + +- CVE-2024-22231 Prevent directory traversal when creating syndic cache directory on the master + CVE-2024-22232 Prevent directory traversal attacks in the master's serve_file method. + These vulerablities were discovered and reported by: + Yudi Zhao(Huawei Nebula Security Lab),Chenwei Jiang(Huawei Nebula Security Lab) [#565](https://github.com/saltstack/salt/issues/565) +- Update some requirements which had some security issues: + + * Bump to `pycryptodome==3.19.1` and `pycryptodomex==3.19.1` due to https://github.com/advisories/GHSA-j225-cvw7-qrx7 + * Bump to `gitpython==3.1.41` due to https://github.com/advisories/GHSA-2mqj-m65w-jghx + * Bump to `jinja2==3.1.3` due to https://github.com/advisories/GHSA-h5c8-rqwp-cp95 [#65830](https://github.com/saltstack/salt/issues/65830) + + * Tue Dec 12 2023 Salt Project Packaging - 3006.5 # Removed