_in requisites (issue 30820)
This issue affects all users targeting an explicit - name: <name> with a requisite (such as require_in). If you are not using explicit name: <name> arguments, are targeting with the state ID instead of the name, or are not using _in requisites, then you should be safe to upgrade to
This issue is resolved in the 2015.8.5 release.
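To check a state tree for the affected pattern before upgrading, the following added example (not part of the Salt release notes or Salt's own code) scans rendered high data for _in requisites that target another state by its explicit name rather than its state ID. It assumes high data shaped like the output of state.show_highstate; the function names and SAMPLE_HIGH are constructed for illustration.

```python
# Added example, not Salt code. Assumes high data shaped like the output of
# state.show_highstate: {state_id: {module: [arg dicts..., "function"]}}.

def iter_args(high):
    """Yield (state_id, module, arg_dict) for every argument dict in the high data."""
    for state_id, body in high.items():
        for module, args in body.items():
            if module.startswith("__") or not isinstance(args, list):
                continue  # skip __sls__/__env__ bookkeeping keys
            for arg in args:
                if isinstance(arg, dict):
                    yield state_id, module, arg

def name_targeted_in_requisites(high):
    """Return (state_id, requisite, module, target, owner_id) for each _in
    requisite whose target is a state's explicit name, not a state ID."""
    ids = {(m, sid) for sid, body in high.items()
           for m in body if not m.startswith("__")}
    names = {(module, arg["name"]): state_id
             for state_id, module, arg in iter_args(high) if "name" in arg}
    findings = []
    for state_id, module, arg in iter_args(high):
        for key, targets in arg.items():
            if not key.endswith("_in") or not isinstance(targets, list):
                continue
            for target in targets:
                if not isinstance(target, dict):
                    continue
                for pair in target.items():
                    # Safe when the target is a state ID; flagged when it only
                    # matches an explicit name argument.
                    if pair not in ids and pair in names:
                        findings.append((state_id, key) + pair + (names[pair],))
    return findings

# Constructed sample: "vim" targets the file state by name, "vim-tools" by ID.
SAMPLE_HIGH = {
    "vimrc": {"file": [{"name": "/etc/vimrc"}, "managed"], "__sls__": "edit.vim"},
    "vim": {"pkg": [{"require_in": [{"file": "/etc/vimrc"}]}, "installed"],
            "__sls__": "edit.vim"},
    "vim-tools": {"pkg": [{"require_in": [{"file": "vimrc"}]}, "installed"],
                  "__sls__": "edit.vim"},
}

if __name__ == "__main__":
    for finding in name_targeted_in_requisites(SAMPLE_HIGH):
        print("targets explicit name:", finding)
```
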
CVE-2016-1866: Improper handling of clear messages on the minion, which could result in executing commands not sent by the master.
This issue affects only the 2015.8.x releases of Salt. In order for an attacker to use this attack vector, they would have to execute a successful attack on an existing TCP connection between minion and master on the pub port. It does not allow an external attacker to obtain the shared secret or decrypt any encrypted traffic between minion and master. Thank you to Sebastian Krahmer <firstname.lastname@example.org> for bringing this issue to our attention.
We recommend everyone upgrade to 2015.8.4 as soon as possible.
PR #28994: timcharper Salt S3 module has learned how to assume IAM roles
state.highstate. This allows the salt state compiler to process sls data in a state run without actually calling the state functions, thus providing feedback on the validity of the arguments used for the functions beyond the preprocessing validation provided by state.show_sls (issue 30118 and issue 30189).
    salt '*' state.sls core,edit.vim mock=True
    salt '*' state.highstate mock=True
    salt '*' state.apply edit.vim mock=True
Extended changelog courtesy of Todd Stansell (https://github.com/tjstansell/salt-changelogs):
Generated at: 2016-01-25T17:48:35Z
Total Merges: 320