Security Fix
CVE-2017-12791 Maliciously crafted minion IDs can cause unwanted directory traversals on the Salt-master
Corrects a flaw in minion ID validation which could allow certain minions to authenticate to a master despite not having the correct credentials. To exploit the vulnerability, an attacker must create a salt-minion with an ID containing characters that will cause a directory traversal. Credit for discovering the security flaw goes to: Vernhk@qq.com
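The class of check this fix concerns, shown as an added example (not Salt's own code): a master stores each minion's public key in a file named after the minion ID, so an ID must be refused if it contains path separators or resolves outside the key directory. `PKI_DIR`, `key_path_naive`, `is_safe_minion_id` and `audit_ids` are hypothetical names, and the sample IDs are constructed.

```python
import os

# Assumed location of accepted minion keys on a master (example value).
PKI_DIR = "/etc/salt/pki/master/minions"


def key_path_naive(minion_id, pki_dir=PKI_DIR):
    """Weak form: trusts the ID and joins it straight onto the directory."""
    return os.path.normpath(os.path.join(pki_dir, minion_id))


def is_safe_minion_id(minion_id, pki_dir=PKI_DIR):
    """Hardened form: the ID must name a file directly inside pki_dir."""
    if not isinstance(minion_id, str) or not minion_id:
        return False
    # Path separators and NUL never belong in an ID used as a file name.
    if any(ch in minion_id for ch in ("/", "\\", "\0")):
        return False
    if minion_id in (".", ".."):
        return False
    # Defence in depth: resolve symlinks and confirm the parent directory.
    base = os.path.realpath(pki_dir)
    target = os.path.realpath(os.path.join(base, minion_id))
    return os.path.dirname(target) == base


def audit_ids(minion_ids, pki_dir=PKI_DIR):
    """Return the IDs that should be refused, in input order."""
    return [m for m in minion_ids if not is_safe_minion_id(m, pki_dir)]


if __name__ == "__main__":
    # Constructed sample IDs, not taken from any real deployment.
    sample = ["web01.example.com", "../outside", "db\\02", "..", "cache-3"]
    print("naive path:", key_path_naive("../outside"))
    print("refused:", audit_ids(sample))
```

Running `audit_ids` over the IDs already present in a master's key directories is a quick way to spot entries that should never have been accepted.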
Changes for v2017.7.0..v2017.7.1
Extended changelog courtesy of Todd Stansell (https://github.com/tjstansell/salt-changelogs):
Generated at: 2017-07-26T01:09:40Z
Statistics:
- Total Merges: 11
- Total Issue references: 9
- Total PR references: 22
Changes:
PR #42548: (gtmanfred) pass in empty kwarg for reactor
@ 2017-07-26T00:41:20Z
- ISSUE #460: (whiteinge) Add a topic and a ref for modules/states/returners/renderers/runners
| refs: #42548
- 711b742c54 Merge pull request #42548 from gtmanfred/2017.7.1
- 0257c1dc32 pass in empty kwarg for reactor
- b948e980d2 update chunk, not kwarg in chunk
PR #42522: (gtmanfred) pacman wildcard is only for repository installs
@ 2017-07-24T20:51:05Z
- ISSUE #42519: (xuhcc) Error when installing package from file under Arch Linux
| refs: #42522
- 50c1635dcc Merge pull request #42522 from gtmanfred/2017.7.1
- 7787fb9e1b pacman wildcard is only for repository installs
PR #42508: (rallytime) Back-port #42474 to 2017.7.1
@ 2017-07-24T20:49:51Z
- PR #42474: (whiteinge) Cmd arg kwarg parsing test
| refs: #42508
- PR #39646: (terminalmage) Handle deprecation of passing string args to load_args_and_kwargs
| refs: #42474
- 05c07ac049 Merge pull request #42508 from rallytime/bp-42474
- 76fb074433 Add a test.arg variant that cleans the pub kwargs by default
- 624f63648e Lint fixes
- d246a5fc61 Add back support for string kwargs
- 854e098aa0 Add LocalClient.cmd test for arg/kwarg parsing
PR #42472: (rallytime) Back-port #42435 to 2017.7.1
@ 2017-07-24T15:11:13Z
- ISSUE #42427: (grichmond-salt) Issue Passing Variables created from load_json as Inline Pillar Between States
| refs: #42435
- PR #42435: (terminalmage) Modify our custom YAML loader to treat unicode literals as unicode strings
| refs: #42472
- 95fe2558e4 Merge pull request #42472 from rallytime/bp-42435
- 5c47af5b98 Modify our custom YAML loader to treat unicode literals as unicode strings
PR #42473: (rallytime) Back-port #42436 to 2017.7.1
@ 2017-07-24T15:10:29Z
- ISSUE #42374: (tyhunt99) [2017.7.0] salt-run mange.versions throws exception if minion is offline or unresponsive
| refs: #42436
- PR #42436: (garethgreenaway) Fixes to versions function in manage runner
| refs: #42473
- 5b99d45f54 Merge pull request #42473 from rallytime/bp-42436
- 82ed919803 Updating the versions function inside the manage runner to account for when a minion is offline and we are unable to determine its version.
PR #42471: (rallytime) Back-port #42399 to 2017.7.1
@ 2017-07-24T15:09:50Z
- ISSUE #42381: (zebooka) Git.detached broken in 2017.7.0
| refs: #42399
- ISSUE #38878: (tomlaredo) [Naming consistency] git.latest "rev" option VS git.detached "ref" option
| refs: #38898
- PR #42399: (rallytime) Update old "ref" references to "rev" in git.detached state
| refs: #42471
- PR #38898: (terminalmage) git.detached: rename ref to rev for consistency
| refs: #42399
- 3d1a2d3f9f Merge pull request #42471 from rallytime/bp-42399
- b9a4669e5a Update old "ref" references to "rev" in git.detached state
PR #42470: (rallytime) Back-port #42031 to 2017.7.1
@ 2017-07-24T15:09:30Z
- ISSUE #42400: (Enquier) Conflict in execution of passing pillar data to orch/reactor event executions 2017.7.0
| refs: #42031
- PR #42031: (skizunov) Fix: Reactor emits critical error
| refs: #42470
- 09766bccbc Merge pull request #42470 from rallytime/bp-42031
- 0a0c6287a4 Fix: Reactor emits critical error
PR #42469: (rallytime) Back-port #42027 to 2017.7.1
@ 2017-07-21T22:41:02Z
- ISSUE #41949: (jrporcaro) Event returner doesn't work with Windows Master
| refs: #42027
- PR #42027: (gtmanfred) import salt.minion for EventReturn for Windows
| refs: #42469
- d7b172a15b Merge pull request #42469 from rallytime/bp-42027
- ed612b4ee7 import salt.minion for EventReturn for Windows
PR #42466: (rallytime) Back-port #42452 to 2017.7.1
@ 2017-07-21T19:41:24Z
- PR #42452: (Ch3LL) update windows urls to new py2/py3 naming scheme
| refs: #42466
- 8777b1a825 Merge pull request #42466 from rallytime/bp-42452
- c10196f68c update windows urls to new py2/py3 naming scheme
PR #42439: (rallytime) Back-port #42409 to 2017.7.1
@ 2017-07-21T17:38:10Z
- PR #42409: (twangboy) Add Scripts to build Py3 on Mac
| refs: #42439
- fceaaf41d0 Merge pull request #42439 from rallytime/bp-42409
- 8176964b41 Remove build and dist, sign pkgs
- 2c14d92a07 Fix hard coded pip path
- 82fdd7c2e1 Add support for Py3
- 2478447246 Update Python and other reqs
PR #42441: (rallytime) Back-port #42433 to 2017.7.1
@ 2017-07-21T17:37:01Z
- ISSUE #42403: (astronouth7303) [2017.7] Pillar empty when state is applied from orchestrate
| refs: #42433
- PR #42433: (terminalmage) Only force saltenv/pillarenv to be a string when not None
| refs: #42441
- 660400560b Merge pull request #42441 from rallytime/bp-42433
- 17f347123a Only force saltenv/pillarenv to be a string when not None