Log message:
salt salt-docs: updated to 3007.10
3007.10
Fixed an issue with how existing entries are tracked in grains.list_present. \ 
Previous entries were only considered if the grain previously existed. If not \ 
then the state would not "see" the duplicates. Removed the dubious \ 
tracking via "context" and focused on using checking for existance in \ 
the live grains.
Fixed issue with complex objects in grains.list_present. Original fix
Fixed ssh_auth.present to respect provided options when read keys from source file
Fixed ssh_auth regexp to handle key types with @ or .
Fixed a TypeError exception thrown by ssh_known_hosts.present when the specified \ 
user account does not exist
Fixed false identification of text as binary in salt.utils.file.is_binary if \ 
utf-8 multibyte character is truncated at end of 2048 bytes sample.
Fix runtime error on OpenBSD by adding support for the osfullname grain
Fix closing of TCP transport channels and avoid additional errors
Fixed false negative "is not text" in salt.utils.files.is_text if an \ 
utf-8 multibyte character is truncated at end of 512 bytes sample.
fixes salt runner mine.get not returning value if allow_tgt is defined in mine \ 
function
Forward minion list events in Syndic cluster mode to enable proper job \ 
completion detection
Fixes issue with asyncio logger not using SaltLoggingClass and causing \ 
exceptions when "%(jid)s" is used in a log format.
Fixed ssh_auth.present and ssh.absent to report changes if some key was added or \ 
removed when reading keys from a source file
Test loader now prevents .pyc files from being written during test run using \ 
sys.dont_write_bytecode = True. This results in 3x faster test execution and \ 
reduced IO operations
Fixes a issue where variable names were reversed when detecting domain and \ 
username from a username.
Changed the glob pattern for APT sources from **/*.list to *.list, in line with \ 
APT's default pattern in sources.list.d
Remove unwanted error log from aptpkg
Use the packaging library instead of the deprecated pkg_resources library for \ 
working with version to avoid a deprecation warning when running salt commands
Fixes issue with disk.tune passing incorrect args for read-only and read-write \ 
to blockdev. Improves argument and error handling in blockdev.
Enhance mod_data to Use Global Loader Extensions in salt-ssh
Fix race condition in Salt Syndic when multiple Syndic Masters return at the \ 
same time and the Master of Masters tries to write to the same file in the job \ 
cache.
Patch tornado for CVE-2023-28370
Fixed some of the commands in the Contributing guide.
Fix check for non-blockdev devices in blockdev.tuned. Check always returned True \ 
previously, now actually checks with file.is_blkdev.
Added documentation and CLI help text for the --disable-keepalive option for \ 
salt-minion and salt-proxy, which disables the automatic restart mechanism when \ 
external process managers like systemd handle daemon restarts.
Upgrade relenv to 0.22.1 and fix Python 3.13 support
Updated relenv from 0.21.2 to 0.22.1
Fixed backports module import for Python 3.13 compatibility
Fixed RUSTFLAGS conflicts when compiling cryptography package
Fixed toolchain cache location for relenv 0.22.1
Added Obsoletes directives to prevent EPEL salt3006 package conflicts on Rocky 9
Fixed minion process name pollution when multiprocessing is disabled

Log message:
salt salt-docs: updated to 3007.9
3007.9
FIXED
Render post/pre up/down and hwaddr options for debian-ip. See
Fix event flood by ensuring we do not retry sending the event indefinitely to \ 
the Master of Masters.
Prevent _pygit2.GitError: error loading known_hosts with certain pygit2/libgit2 \ 
versions.
salt-ssh now supports state.sls_exists
Allows file.symlink to pass a string to cmd_check
Simplied and sped up utils.json.find_json function
Improved runtime performance of chocolatey.installed
Add check for vault in opts var
Fixed user.present not having capability to persist home directory by adding \ 
persist_home flag.
Fixed pkg.installed state from showing warning if python rpm package not \ 
installed. Fixed pkg.installed state from showing warning and using slow process \ 
fork for version comparison when rpmdevtools is installed
Update pre-commit version used in github workflows to 4.3.0
Fixed issue with network grains in interfaces that don't support ip4 or ip6
Patch tornado for BDSA-2024-3438
Patch tornado for BDSA-2024-3439
Patch tornado for BDSA-2025-4215
Patch tornado for BDSA-2024-9026
Update LZMA to 5.8.2
Update ncurses to 6.5
Update openssl to 3.5.4
Fix shebang creating to work with pip >=25.2
Fix python source hash checking
Update to recent python versions: 3.12.12, 3.11.14, 3.10.19 and 3.9.24.
Fixed the lgpo_reg error when reading REG_BINARY type data in the registry.pol file.
Fix gnupghome directory translation for some versions of git for windows, e.g. \ 
2.51.0.windows.2
Fix leak in SaltMessageServer where the unpacker was re-used on a stream disconnect.
Upgrade relenv to 0.21.2:
We refresh the ensurepip bundle during every build so new runtimes ship with \ 
pip 25.2 and setuptools 80.9.0.
Windows builds now pull newer SQLite (3.50.4.0) and XZ (5.6.2) sources, copy in \ 
a missing XZ config file, and tweak SBOM metadata; the libexpat update is \ 
prepared but only runs on older maintenance releases.
Our downloader helpers log more clearly, know about more archive formats, and \ 
retry cleanly on transient errors.
pip’s changing install API is handled by runtime wrappers that adapt to all of \ 
the current signatures.
Linux verification tests install pip 25.2/25.3 before building setuptools to \ 
make sure that flow keeps working.
salt/utils/odict.py has been deprecated and will be removed in 3009. Use the \ 
standard library implementation instead.
Fixed issue in cmd execution module that always return "Invalid user" \ 
for domain users.
Fixed authentication protocol version downgrade vulnerability (CVE-2025-62349) \ 
by adding minimum_auth_version configuration option (default: 3) to prevent \ 
minions from bypassing security features through protocol downgrade attacks.
BREAKING CHANGE: The default value enforces authentication protocol version 3 or \ 
higher. If upgrading a deployment with older minions that do not support \ 
protocol v3, you must temporarily set minimum_auth_version: 0 in the master \ 
configuration before upgrading the master, then upgrade all minions before \ 
removing this override.
Fixed unsafe YAML loader usage in junos execution module (CVE-2025-62348)

Log message:
salt: CHECK_WRKREF_SKIP fix.

Log message:
*: remove reference to (removed) Python 3.9

Log message:
salt salt-docs: updated to 3007.5
3007.5
FIXED
Zeromq RequestServer continues to serve requests after encountering an \ 
un-handled exception
Added support for icmpv6-type to salt.modules.nftables
3007.4
FIXED
CVE-2024-38822 Multiple methods in the salt master skip minion token validation. \ 
Therefore a misbehaving minion can impersonate another minion.
CVSS 2.7 V:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
CVE-2024-38823 Salt's request server is vulnerable to replay attacks when not \ 
using a TLS encrypted transport.
CVSS Score 2.7 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
CVE-2024-38824 Directory traversal vulnerability in recv_file method allows \ 
arbitrary files to be written to the master cache directory.
CVSS Score 9.6 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
CVE-2024-38825 The salt.auth.pki module does not properly authenticate callers. \ 
The "password" field contains a public certificate which is validated \ 
against a CA certificate by the module. This is not pki authentication, as the \ 
caller does not need access to the corresponding private key for the \ 
authentication attempt to be accepted.
CVSS Score 6.4 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CVE-2025-22236 Minion event bus authorization bypass. An attacker with access to \ 
a minion key can craft a message which may be able to execute a job on other \ 
minions (>= 3007.0).
CVSS 8.1 AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L
CVE-2025-22237 An attacker with access to a minion key can exploit the 'on \ 
demand' pillar functionality with a specially crafted git url which could cause \ 
and arbitrary command to be run on the master with the same privileges as the \ 
master process.
CVSS 6.7 AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2025-22238 Directory traversal attack in minion file cache creation. The \ 
master's default cache is vulnerable to a directory traversal attack. Which \ 
could be leveraged to write or overwrite 'cache' files outside of the cache \ 
directory.
CVSS 4.2 AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N
CVE-2025-22239 Arbitrary event injection on Salt Master. The master's \ 
"_minion_event" method can be used by and authorized minion to send \ 
arbitrary events onto the master's event bus.
CVSS 8.1 AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L
CVE-2025-22240 Arbitrary directory creation or file deletion. In the find_file \ 
method of the GitFS class, a path is created using os.path.join using \ 
unvalidated input from the “tgt_env” variable. This can be exploited by an \ 
attacker to delete any file on the Master's process has permissions to
CVSS 6.3 AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
CVE-2025-22241 File contents overwrite the VirtKey class is called when \ 
“on-demand pillar” data is requested and uses un-validated input to create \ 
paths to the “pki directory”. The functionality is used to auto-accept \ 
Minion authentication keys based on a pre-placed “authorization file” at a \ 
specific location and is present in the default configuration.
CVSS 5.6 AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N
CVE-2025-22242 Worker process denial of service through file read operation. .A \ 
vulnerability exists in the Master's “pub_ret” method which is exposed to \ 
all minions. The un-sanitized input value “jid” is used to construct a path \ 
which is then opened for reading. An attacker could exploit this vulnerabilities \ 
by attempting to read from a filename that will not return any data, e.g. by \ 
targeting a pipe node on the proc file system.
CVSS 5.6 AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:H
This release also includes sqlite 3.50.1 to address CVE-2025-29087

Log message:
salt: adapt for setuptools 78
Bump PKGREVISION.

Log message:
salt salt-docs: updated to 3007.1
3007.1
REMOVED
The salt.utils.psutil_compat was deprecated and now removed in Salt 3008. Please \ 
use the psutil module directly.
FIXED
Fixes multiple issues with the cmd module on Windows. Scripts are called using \ 
the -File parameter to the powershell.exe binary. CLIXML data in stderr is now \ 
removed (only applies to encoded commands). Commands can now be sent to \ 
cmd.powershell as a list. Makes sure JSON data returned is valid. Strips \ 
whitespace from the return when using runas.
Fixed the win_lgpo_netsh salt util to handle non-English systems. This was a \ 
rewrite to use PowerShell instead of netsh to make the changes on the system
Fix typo in nftables module to ensure unique nft family values
Corrected x509_v2 CRL creation last_update and next_update values when system \ 
timezone is not UTC
Fix for NoneType can't be used in 'await' expression error.
Log "Publish server binding pub to" messages to debug instead of error \ 
level.
Fix syndic startup by making payload handler a coroutine
Fixed aptpkg.remove "unable to locate package" error for non-existent \ 
package
Fixed pillar.ls doesn't accept kwargs
Fix cache directory setting in Master Cluster tutorial
Change log level of successful master cluster key exchange from error to info.
Made file.managed skip download of a remote source if the managed file already \ 
exists with the correct hash
Fixed nftables.build_rule breaks ipv6 rules by using the wrong syntax for source \ 
and destination addresses
ADDED
Added the ability to pass a version of chocolatey to install to the \ 
chocolatey.bootstrap function. Also added states to bootstrap and unbootstrap \ 
chocolatey.
Add Ubuntu 24.04 support
Add Fedora 40 support, replacing Fedora 39
SECURITY
Bump to pydantic==2.6.4 due to https://github.com/advisories/GHSA-mr82-8j83-vxmv
Bump to jinja2==3.1.4 due to https://github.com/advisories/GHSA-h75v-3vvj-5mfj

Log message:
salt: Spell PYTHON_VERSIONS_ACCEPTED correctly.