Salt 2017.7.1 Release Notes

Version 2017.7.1 is a bugfix release for 2017.7.0.

Security Fix

CVE-2017-12791: Maliciously crafted minion IDs can cause unwanted directory traversals on the Salt-master

This release corrects a flaw in minion ID validation that could allow certain minions to authenticate to a master despite not having the correct credentials. To exploit the vulnerability, an attacker must create a salt-minion with an ID containing characters that will cause a directory traversal. Credit for discovering the security flaw goes to Vernhk@qq.com.
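
The class of check involved, shown as an added example (not Salt's own code and not the actual patch): a minion ID that is used as a key filename is accepted only if it resolves to a file directly inside the key directory. The directory path, function names and sample IDs are constructed for illustration.

```python
import os

# Constructed path for illustration; not taken from the release notes.
PENDING_DIR = "/srv/example-pki/minions_pre"
FORBIDDEN_CHARS = ("/", "\\", "\0")


def naive_key_path(key_dir, minion_id):
    """Unvalidated join: the pattern that lets an ID choose its own directory."""
    return os.path.normpath(os.path.join(key_dir, minion_id))


def is_safe_minion_id(key_dir, minion_id):
    """Accept an ID only if it names a file directly inside key_dir."""
    if not minion_id or minion_id in (".", ".."):
        return False
    if any(ch in minion_id for ch in FORBIDDEN_CHARS):
        return False
    base = os.path.realpath(key_dir)
    target = os.path.realpath(os.path.join(base, minion_id))
    # Defence in depth: the resolved parent must be exactly the key directory.
    return os.path.dirname(target) == base


def triage(key_dir, minion_ids):
    """Map each presented ID to True (accept) or False (reject)."""
    return {mid: is_safe_minion_id(key_dir, mid) for mid in minion_ids}


# Constructed sample IDs.
SAMPLE_IDS = [
    "web01.example.com",
    "../minions/web01.example.com",
    "..",
    "db01\\..\\x",
    "db01\0.example.com",
    "",
]

if __name__ == "__main__":
    for mid, ok in triage(PENDING_DIR, SAMPLE_IDS).items():
        print(f"{mid!r:40} {'accept' if ok else 'reject'}")
```

With the unvalidated join, the second sample ID resolves to a sibling of the intended directory, which is why validation has to happen before the ID is ever used to build a path.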

Changes for v2017.7.0..v2017.7.1

Extended changelog courtesy of Todd Stansell (https://github.com/tjstansell/salt-changelogs):

Generated at: 2017-07-26T01:09:40Z

Statistics:

  • Total Merges: 11
  • Total Issue references: 9
  • Total PR references: 22

Changes:

  • PR #42548: (gtmanfred) pass in empty kwarg for reactor @ 2017-07-26T00:41:20Z

    • ISSUE #460: (whiteinge) Add a topic and a ref for modules/states/returners/renderers/runners | refs: #42548
    • 711b742c54 Merge pull request #42548 from gtmanfred/2017.7.1
    • 0257c1dc32 pass in empty kwarg for reactor
    • b948e980d2 update chunk, not kwarg in chunk
  • PR #42522: (gtmanfred) pacman wildcard is only for repository installs @ 2017-07-24T20:51:05Z

    • ISSUE #42519: (xuhcc) Error when installing package from file under Arch Linux | refs: #42522
    • 50c1635dcc Merge pull request #42522 from gtmanfred/2017.7.1
    • 7787fb9e1b pacman wildcard is only for repository installs
  • PR #42508: (rallytime) Back-port #42474 to 2017.7.1 @ 2017-07-24T20:49:51Z

    • PR #42474: (whiteinge) Cmd arg kwarg parsing test | refs: #42508
    • PR #39646: (terminalmage) Handle deprecation of passing string args to load_args_and_kwargs | refs: #42474
    • 05c07ac049 Merge pull request #42508 from rallytime/bp-42474
    • 76fb074433 Add a test.arg variant that cleans the pub kwargs by default
    • 624f63648e Lint fixes
    • d246a5fc61 Add back support for string kwargs
    • 854e098aa0 Add LocalClient.cmd test for arg/kwarg parsing
  • PR #42472: (rallytime) Back-port #42435 to 2017.7.1 @ 2017-07-24T15:11:13Z

    • ISSUE #42427: (grichmond-salt) Issue Passing Variables created from load_json as Inline Pillar Between States | refs: #42435
    • PR #42435: (terminalmage) Modify our custom YAML loader to treat unicode literals as unicode strings | refs: #42472
    • 95fe2558e4 Merge pull request #42472 from rallytime/bp-42435
    • 5c47af5b98 Modify our custom YAML loader to treat unicode literals as unicode strings
  • PR #42473: (rallytime) Back-port #42436 to 2017.7.1 @ 2017-07-24T15:10:29Z

    • ISSUE #42374: (tyhunt99) [2017.7.0] salt-run mange.versions throws exception if minion is offline or unresponsive | refs: #42436
    • PR #42436: (garethgreenaway) Fixes to versions function in manage runner | refs: #42473
    • 5b99d45f54 Merge pull request #42473 from rallytime/bp-42436
    • 82ed919803 Updating the versions function inside the manage runner to account for when a minion is offline and we are unable to determine its version.
  • PR #42471: (rallytime) Back-port #42399 to 2017.7.1 @ 2017-07-24T15:09:50Z

    • ISSUE #42381: (zebooka) Git.detached broken in 2017.7.0 | refs: #42399
    • ISSUE #38878: (tomlaredo) [Naming consistency] git.latest "rev" option VS git.detached "ref" option | refs: #38898
    • PR #42399: (rallytime) Update old "ref" references to "rev" in git.detached state | refs: #42471
    • PR #38898: (terminalmage) git.detached: rename ref to rev for consistency | refs: #42399
    • 3d1a2d3f9f Merge pull request #42471 from rallytime/bp-42399
    • b9a4669e5a Update old "ref" references to "rev" in git.detached state
  • PR #42470: (rallytime) Back-port #42031 to 2017.7.1 @ 2017-07-24T15:09:30Z

    • ISSUE #42400: (Enquier) Conflict in execution of passing pillar data to orch/reactor event executions 2017.7.0 | refs: #42031
    • PR #42031: (skizunov) Fix: Reactor emits critical error | refs: #42470
    • 09766bccbc Merge pull request #42470 from rallytime/bp-42031
    • 0a0c6287a4 Fix: Reactor emits critical error
  • PR #42469: (rallytime) Back-port #42027 to 2017.7.1 @ 2017-07-21T22:41:02Z

    • ISSUE #41949: (jrporcaro) Event returner doesn't work with Windows Master | refs: #42027
    • PR #42027: (gtmanfred) import salt.minion for EventReturn for Windows | refs: #42469
    • d7b172a15b Merge pull request #42469 from rallytime/bp-42027
    • ed612b4ee7 import salt.minion for EventReturn for Windows
  • PR #42466: (rallytime) Back-port #42452 to 2017.7.1 @ 2017-07-21T19:41:24Z

    • PR #42452: (Ch3LL) update windows urls to new py2/py3 naming scheme | refs: #42466
    • 8777b1a825 Merge pull request #42466 from rallytime/bp-42452
    • c10196f68c update windows urls to new py2/py3 naming scheme
  • PR #42439: (rallytime) Back-port #42409 to 2017.7.1 @ 2017-07-21T17:38:10Z

    • PR #42409: (twangboy) Add Scripts to build Py3 on Mac | refs: #42439
    • fceaaf41d0 Merge pull request #42439 from rallytime/bp-42409
    • 8176964b41 Remove build and dist, sign pkgs
    • 2c14d92a07 Fix hard coded pip path
    • 82fdd7c2e1 Add support for Py3
    • 2478447246 Update Python and other reqs
  • PR #42441: (rallytime) Back-port #42433 to 2017.7.1 @ 2017-07-21T17:37:01Z

    • ISSUE #42403: (astronouth7303) [2017.7] Pillar empty when state is applied from orchestrate | refs: #42433
    • PR #42433: (terminalmage) Only force saltenv/pillarenv to be a string when not None | refs: #42441
    • 660400560b Merge pull request #42441 from rallytime/bp-42433
    • 17f347123a Only force saltenv/pillarenv to be a string when not None