Salt 2015.5.8 Release Notes¶

Security Fix¶

CVE-2015-8034: Saving state.sls cache data to disk with insecure permissions

This affects users of the state.sls function. The state run cache on the minion was being created with incorrect permissions. This file could potentially contain sensitive data that was inserted via jinja into the state SLS files. The permissions for this file are now being set correctly. Thanks to @zmalone for bringing this issue to our attention.

Changes¶

Extended changelog courtesy of Todd Stansell (https://github.com/tjstansell/salt-changelogs):

Generated at: 2015-11-23T23:16:23Z

Total Merges: 118

Changes:

PR #29128: (cachedout) Set a safer default value for ret in saltmod
PR #29122: (cachedout) Fix broken state orchestration
PR #29096: (rallytime) Back-port #29093 to 2015.5
PR #29084: (rallytime) Back-port #29055 to 2015.5
PR #29083: (rallytime) Back-port #29053 to 2015.5
PR #28932: (twangboy) Fixed user.present / user.absent in windows
PR #29011: (rallytime) Back-port #28630 to 2015.5
PR #28982: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5
PR #28949: (whiteinge) Add sync_sdb execution function
PR #28930: (twangboy) Added missing import mmap required by file.py
PR #28908: (rallytime) A couple of spelling fixes for doc conventions page.
PR #28902: (whiteinge) Fix missing JSON support for /keys endpoint
PR #28897: (rallytime) Back-port #28873 to 2015.5
PR #28871: (basepi) [2015.5] Fix command generation for mdadm.assemble
PR #28864: (jfindlay) add 2015.5.7 release notes
PR #28731: (garethgreenaway) Fixes to salt scheduler in 2015.5, ensuring that return_job is only used on minion scheduler
PR #28857: (rallytime) Back-port #28851 to 2015.5
PR #28856: (rallytime) Back-port #28853 to 2015.5
PR #28832: (basepi) [2015.5] Backport #28826
PR #28833: (basepi) [2015.5] Increase the default gather_job_timeout
PR #28829: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5
PR #28756: (MrCitron) Fix `#25775`_
PR #28786: (chrigl) closes `#28783`_
PR #28776: (rallytime) Back-port #28740 to 2015.5
PR #28760: (dmyerscough) Fixing CherryPy key bug
PR #28746: (rallytime) Back-port #28718 to 2015.5
PR #28705: (cachedout) Account for new headers class in tornado 4.3
PR #28699: (rallytime) Back-port #28670 to 2015.5
PR #28703: (rallytime) Back-port #28690 to 2015.5
PR #28694: (s0undt3ch) [2015.5] Update to latest bootstrap script v2015.11.09
PR #28669: (rallytime) Use the -q argument to strip extraneous messages from rabbitmq
PR #28645: (jacksontj) Rework minion return_retry_timer
PR #28668: (twangboy) Fixed join_domain and unjoin_domain for Windows
PR #28666: (jfindlay) define r_data before using it in file module
PR #28662: (cachedout) Add note about disabling master_alive_interval
PR #28627: (twangboy) Backport win_useradd
PR #28617: (cachedout) Set restrictive umask on module sync
PR #28622: (gravyboat) Update puppet module wording
PR #28563: (s0undt3ch) [2015.5] Update to latest bootstrap script v2015.11.04
PR #28541: (twangboy) Fixed problem with system.set_computer_name
PR #28537: (jfindlay) decode filename to utf-8 in file.recurse state
PR #28529: (rallytime) Update contributing and documentation pages to recommend submitting against branches
PR #28548: (nmadhok) [Backport] [2015.5] Tasks can be in queued state instead of running
PR #28531: (rallytime) Add versionadded directives to virtualenv_mod state/module
PR #28508: (twangboy) Fixed windows tests
PR #28525: (rallytime) Fix spacing in doc examples for boto_route53 state and module
PR #28517: (rallytime) Add state_auto_order defaults to True note to ordering docs
PR #28512: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5
PR #28448: (gwaters) added a note to the tutorial for redhat derivatives
PR #28406: (rallytime) Back-port #28381 to 2015.5
PR #28413: (rallytime) Back-port #28400 to 2015.5
PR #28366: (erchn) mark repo not enabled when pkgrepo state passes in disable: True
PR #28373: (beverlcl) Fixing bug `#28372`_ for use_carrier option on bonding network interfaces.
PR #28359: (rallytime) Back-port #28358 to 2015.5
PR #28346: (twangboy) Fix installer
PR #28315: (gwaters) Adding a working example of setting pillar data on the cli
PR #28211: (terminalmage) Fix for ext_pillar being compiled twice in legacy git_pillar code (2015.5 branch)
PR #28263: (cachedout) New channel for event.send
PR #28293: (cachedout) Minor grammar changes
PR #28271: (gwaters) Update tutorial documentation
PR #28280: (0xf10e) Correct Jinja function load_* to import_*
PR #28255: (cachedout) Add __cli opt
PR #28213: (rallytime) If record returned None, don't continue with the state. Something went wrong
PR #28238: (basepi) [2015.5] Fix schedule.present always diffing
PR #28174: (lorengordon) Add support for multiline regex in file.replace
PR #28175: (twangboy) Fixes `#19673`_
PR #28140: (rallytime) Add OpenBSD installation documentation to 2015.5 branch
PR #28138: (rallytime) Back-port #28130 EC2 Sizes Only portion to 2015.5
PR #28097: (jacksontj) For all multi-part messages, check the headers. If the header is not …
PR #28117: (rallytime) Clean up stacktrace when master can't be reached in lxc cloud driver
PR #28110: (terminalmage) Add explanation of file_client: local setting masterless mode
PR #28109: (rallytime) Add created reactor event to lxc cloud driver
PR #27996: (rallytime) Don't fail if pip package is already present and pip1 is installed
PR #28056: (rallytime) Back-port #28033 to 2015.5
PR #28059: (rallytime) Back-port #28040 to 2015.5
PR #28047: (cachedout) Restore FTP functionality to file client
PR #28032: (twangboy) Fixed win_path.py
PR #28037: (rallytime) Back-port #28003 to 2015.5
PR #28031: (jacobhammons) Updated release notes with additional CVE information
PR #28008: (jfindlay) platform independent line endings in hosts mod
PR #28012: (rallytime) Clean up stack trace when something goes wrong with minion output
PR #27995: (jacobhammons) added link to grains security FAQ to targeting and pillar topics.
PR #27986: (jacobhammons) Changed current release to 5.6 and added CVE to release notes
PR #27913: (pass-by-value) Set default
PR #27876: (terminalmage) 2015.5 branch: Fix traceback when 2015.8 git ext_pillar config schema used
PR #27726: (jfindlay) deprecate hash_hostname in favor of hash_known_hosts
PR #27776: (jfindlay) return message when local jobs_cache not found
PR #27766: (jfindlay) better check for debian userdel error
PR #27758: (iggy) Remove redundant text from syslog returner
PR #27841: (terminalmage) Detect Manjaro Linux as Arch derivative
PR #27852: (rallytime) Back-port #27806 to 2015.5
PR #27838: (basepi) [2015.5] Fix highstate outputter for jobs.lookup_jid
PR #27791: (eguven) 2015.5 postgres_user groups backport
PR #27759: (basepi) [2015.5] Merge forward from 2014.7 to 2015.5
PR #27732: (jacobhammons) update docs for __virtual__ and __virtualname__
PR #27747: (Sacro) Chocolatey doesn't have a help command.
PR #27733: (jacobhammons) hardening topic - updates to docs.saltstack.com theme
PR #27706: (jacobhammons) Assorted doc bugs
PR #27695: (rallytime) Back-port #27671 to 2015.5
PR #27524: (jfindlay) parse pkgng output in quiet mode for >= 1.6.1
PR #27686: (rallytime) Back-port #27476 to 2015.5
PR #27684: (rallytime) Back-port #27656 to 2015.5
PR #27683: (rallytime) Back-port #27659 to 2015.5
PR #27682: (rallytime) Back-port #27566 to 2015.5
PR #27681: (rallytime) Back-port #25928 to 2015.5
PR #27680: (rallytime) Back-port #27535 to 2015.5
PR #27442: (JaseFace) Ensure we pass on the enable setting if present, or use the default of True if not in build_schedule_item()
PR #27641: (rallytime) Gate the psutil import and add depends doc for diskusage beacon
PR #27644: (rallytime) Back-port #27640 to 2015.5
PR #27612: (rallytime) Fix GCE external_ip stacktraces in 2015.5
PR #27568: (jacobhammons) regenerated man pages