pool/salt
SHA256
17
0
Fork 2
Code Issues Pull Requests Activity

Compare commits

merge into: pool:factory
Branches Tags
pool:factory pool:slfo-1.2 pool:slfo-main
...
pull from: pool:slfo-1.2
Branches Tags
pool:factory pool:slfo-1.2 pool:slfo-main

5 Commits
factory ... slfo-1.2

Author SHA256 Message Date
Alexander Graul
ec1df51782 Add fixes for several security vulnerabilities 
- Add minimum_auth_version to enforce security (CVE-2025-62349)
- Backport security fixes for vendored tornado
  * BDSA-2024-3438
  * BDSA-2024-3439
  * BDSA-2024-9026
- Junos module yaml loader fix (CVE-2025-62348)
 2025-11-26 11:58:50 +01:00
Marek Czernek
02bd353512 fix requires 2025-11-13 15:07:24 +01:00
Marek Czernek
1aa96b2910 Fix chlog 2025-11-12 13:25:46 +01:00
Marek Czernek
b79fb92f33 Prepare for release 2025-11-12 09:20:44 +01:00
Adrian Schröter
700654fb5f Sync changes to SLFO-1.2 branch 2025-08-20 13:20:06 +02:00
13 changed files with 9916 additions and 499 deletions
Expand all files Collapse all files

2
_lastrevision
View File

@@ -1 +1 @@
3084db7285ade6f5552ea3e79c11d57a17a6b529
e4002cf44a559c382f3ff4ff821562b8f281dad5

2
_service
View File

@@ -3,7 +3,7 @@
<param name="url">https://github.com/openSUSE/salt-packaging.git</param>
<param name="subdir">salt</param>
<param name="filename">package</param>
<param name="revision">release/3006.0</param>
<param name="revision">MU/5.0.6</param>
<param name="scm">git</param>
</service>
<service name="extract_file" mode="disabled">

26
add-python3.11-as-preferable-for-salt-ssh-to-avoid-t.patch Normal file
View File

@@ -0,0 +1,26 @@
From ea87110248948eb61628cda607ae1af34e83fdfe Mon Sep 17 00:00:00 2001
From: Victor Zhestkov <vzhestkov@suse.com>
Date: Wed, 1 Oct 2025 14:19:27 +0200
Subject: [PATCH] Add python3.11 as preferable for salt-ssh to avoid
tests fails
---
salt/client/ssh/__init__.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/client/ssh/__init__.py b/salt/client/ssh/__init__.py
index 1d8426b7c2..bfb7d3d1d1 100644
--- a/salt/client/ssh/__init__.py
+++ b/salt/client/ssh/__init__.py
@@ -157,7 +157,7 @@ SSH_PY_CODE='import base64;
if [ -n "$DEBUG" ]
then set -x
fi
-PYTHON_CMDS="/var/tmp/venv-salt-minion/bin/python python3 /usr/libexec/platform-python python27 python2.7 python26 python2.6 python2 python"
+PYTHON_CMDS="/var/tmp/venv-salt-minion/bin/python python3.11 python3 /usr/libexec/platform-python python27 python2.7 python26 python2.6 python2 python"
for py_cmd in $PYTHON_CMDS
do
if command -v "$py_cmd" >/dev/null 2>&1 && "$py_cmd" -c "import sys; sys.exit(not (sys.version_info >= (2, 6)));"
--
2.51.0

76
allow-libgit2-to-guess-sysdir-homedir-successfully-b.patch Normal file
View File

@@ -0,0 +1,76 @@
From 6a57e821f3e16981c01078dc7e928672a6f77b88 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20Su=C3=A1rez=20Hern=C3=A1ndez?=
<psuarezhernandez@suse.com>
Date: Mon, 6 Oct 2025 09:34:17 +0100
Subject: [PATCH] Allow libgit2 to guess sysdir homedir successfully
(bsc#1250520) (bsc#1227207) (#731)
* Allow libgit2 to guess sysdir homedir successfully
This prevents the generic error:
_pygit2.GitError: error loading known_hosts:
which is happening in certain pygit2/libgit2 versions
* Fix pygit2 unit test to check HOME is injected
---
salt/utils/gitfs.py | 19 ++++++++++++-------
tests/pytests/unit/utils/test_gitfs.py | 4 +++-
2 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/salt/utils/gitfs.py b/salt/utils/gitfs.py
index 2a8ecf1d0cb..d597c17b870 100644
--- a/salt/utils/gitfs.py
+++ b/salt/utils/gitfs.py
@@ -110,6 +110,15 @@ try:
with warnings.catch_warnings():
warnings.simplefilter("ignore")
+ if "HOME" not in os.environ:
+ # Make sure $HOME env variable is set before importing pygit2 to prevent
+ # _pygit2.GitError: error loading known_hosts in some libgit2 versions.
+ # The internal "git_sysdir__dirs" from libgit2, is initializated
+ # when importing pygit2. The $HOME env must be present to allow libgit2
+ # guessing function to successfully set the homedir in the initializated
+ # libgit2 stack.
+ # https://github.com/saltstack/salt/issues/64121
+ os.environ["HOME"] = os.path.expanduser("~")
import pygit2
PYGIT2_VERSION = Version(pygit2.__version__)
LIBGIT2_VERSION = Version(pygit2.LIBGIT2_VERSION)
@@ -1890,13 +1899,9 @@ class Pygit2(GitProvider):
"""
# https://github.com/libgit2/pygit2/issues/339
# https://github.com/libgit2/libgit2/issues/2122
- # https://github.com/saltstack/salt/issues/64121
- home = os.path.expanduser("~")
- if "HOME" not in os.environ:
- # Make sure $HOME env variable is set to prevent
- # _pygit2.GitError: error loading known_hosts in some libgit2 versions.
- os.environ["HOME"] = home
- pygit2.settings.search_path[pygit2.GIT_CONFIG_LEVEL_GLOBAL] = home
+ pygit2.settings.search_path[pygit2.GIT_CONFIG_LEVEL_GLOBAL] = (
+ os.path.expanduser("~")
+ )
new = False
if not os.listdir(self._cachedir):
# Repo cachedir is empty, initialize a new repo there
diff --git a/tests/pytests/unit/utils/test_gitfs.py b/tests/pytests/unit/utils/test_gitfs.py
index baedd9fd708..4ab8e7735f0 100644
--- a/tests/pytests/unit/utils/test_gitfs.py
+++ b/tests/pytests/unit/utils/test_gitfs.py
@@ -251,7 +251,9 @@ def test_checkout_pygit2_with_home_env_unset(_prepare_provider):
provider.credentials = None
with patched_environ(__cleanup__=["HOME"]):
assert "HOME" not in os.environ
- provider.init_remote()
+ import importlib
+
+ importlib.reload(salt.utils.gitfs)
assert "HOME" in os.environ
--
2.51.0

1268
backport-3006.17-security-fixes-739.patch Normal file
View File

File diff suppressed because it is too large Load Diff

36
do-not-break-signature-verification-on-latest-m2cryp.patch Normal file
View File

@@ -0,0 +1,36 @@
From 002a58144563a15034f982b19ba851326535570a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20Su=C3=A1rez=20Hern=C3=A1ndez?=
<psuarezhernandez@suse.com>
Date: Wed, 29 Oct 2025 10:30:58 +0000
Subject: [PATCH] Do not break signature verification on latest
M2Crypto versions (bsc#1251776)
---
salt/crypt.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/crypt.py b/salt/crypt.py
index 981f633d51f..29fd159b48c 100644
--- a/salt/crypt.py
+++ b/salt/crypt.py
@@ -243,7 +243,7 @@ def sign_message(privkey_path, message, passphrase=None):
md = EVP.MessageDigest("sha1")
md.update(salt.utils.stringutils.to_bytes(message))
digest = md.final()
- return key.sign(digest)
+ return key.sign(digest, algo="sha1")
else:
signer = PKCS1_v1_5.new(key)
return signer.sign(SHA.new(salt.utils.stringutils.to_bytes(message)))
@@ -262,7 +262,7 @@ def verify_signature(pubkey_path, message, signature):
md.update(salt.utils.stringutils.to_bytes(message))
digest = md.final()
try:
- return pubkey.verify(digest, signature)
+ return pubkey.verify(digest, signature, algo="sha1")
except RSA.RSAError as exc:
log.debug("Signature verification failed: %s", exc.args[0])
return False
--
2.51.1

65
even-more-reliable-pillar-timeout-test.patch Normal file
View File

@@ -0,0 +1,65 @@
From dc3027bab4925228cacde00ae626bf651d0a0c3b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20Su=C3=A1rez=20Hern=C3=A1ndez?=
<psuarezhernandez@suse.com>
Date: Wed, 17 Sep 2025 09:56:44 +0200
Subject: [PATCH] Even more reliable pillar timeout test
* Even more reliable pillar timeout test
* Use sys.executable on test_pillar_timeout test
---------
Co-authored-by: Daniel A. Wozniak <dwozniak@vmware.com>
---
.../integration/minion/test_return_retries.py | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/tests/pytests/integration/minion/test_return_retries.py b/tests/pytests/integration/minion/test_return_retries.py
index 45dea9c4c76..9b71bed58c5 100644
--- a/tests/pytests/integration/minion/test_return_retries.py
+++ b/tests/pytests/integration/minion/test_return_retries.py
@@ -5,6 +5,7 @@ import pytest
from saltfactories.utils import random_string
from tests.support.helpers import dedent
+import salt.utils.files
@pytest.fixture(scope="function")
@@ -57,14 +58,13 @@ def test_publish_retry(salt_master, salt_minion_retry, salt_cli, salt_run_cli):
@pytest.mark.slow_test
@pytest.mark.flaky(max_runs=4)
-def test_pillar_timeout(salt_master_factory):
- cmd = (
- sys.executable
- + ' -c "import time; time.sleep(4.8); print(\'{\\"foo\\": \\"bar\\"}\');"'
- ).strip()
+def test_pillar_timeout(salt_master_factory, tmp_path):
+ with salt.utils.files.fopen(tmp_path / "script.py", "w") as fp:
+ fp.write('print(\'{"foo": "bar"}\');\n')
+
master_overrides = {
"ext_pillar": [
- {"cmd_json": cmd},
+ {"cmd_json": f"{sys.executable} {tmp_path / 'script.py'}"},
],
"auto_accept": True,
"worker_threads": 3,
@@ -110,7 +110,11 @@ def test_pillar_timeout(salt_master_factory):
sls_tempfile = master.state_tree.base.temp_file(
"{}.sls".format(sls_name), sls_contents
)
- with master.started(), minion1.started(), minion2.started(), minion3.started(), minion4.started(), sls_tempfile:
+ with master.started(), minion1.started(), minion2.started(), minion3.started(), minion4.started(), (
+ sls_tempfile
+ ):
+ with salt.utils.files.fopen(tmp_path / "script.py", "w") as fp:
+ fp.write('import time; time.sleep(6); print(\'{"foo": "bang"}\');\n')
proc = cli.run("state.sls", sls_name, minion_tgt="*")
# At least one minion should have a Pillar timeout
print(proc)
--
2.51.0

6674
fix-salt-for-python-3.11.patch Normal file
View File

File diff suppressed because it is too large Load Diff

290
fix-tls-and-x509-modules-for-older-cryptography-modu.patch Normal file
View File

@@ -0,0 +1,290 @@
From 7f15657c26c4e5e9fabc72f4da2d9a91353d5d3a Mon Sep 17 00:00:00 2001
From: Marek Czernek <marek.czernek@suse.com>
Date: Tue, 11 Nov 2025 08:46:20 +0100
Subject: [PATCH] Fix tls and x509 modules for older cryptography
module (#737)
---
salt/modules/tls.py | 73 +++++++++++++++++-------
salt/modules/x509.py | 128 +++++++++++++++++++++++++++++++++++--------
2 files changed, 158 insertions(+), 43 deletions(-)
diff --git a/salt/modules/tls.py b/salt/modules/tls.py
index 9d29bd1e9b..4d7db87f93 100644
--- a/salt/modules/tls.py
+++ b/salt/modules/tls.py
@@ -104,6 +104,7 @@ import logging
import math
import os
import re
+import sys
import time
from datetime import datetime
@@ -1594,6 +1595,9 @@ def create_pkcs12(ca_name, CN, passphrase="", cacert_path=None, replace=False):
salt '*' tls.create_pkcs12 test localhost
"""
+ # Necessary for OSes with older cryptography module
+ compat_mode = sys.version_info < (3,12)
+
set_ca_path(cacert_path)
p12_path = f"{cert_base_path()}/{ca_name}/certs/{CN}.p12"
ca_cert_path = f"{cert_base_path()}/{ca_name}/{ca_name}_ca_cert.crt"
@@ -1605,7 +1609,12 @@ def create_pkcs12(ca_name, CN, passphrase="", cacert_path=None, replace=False):
try:
with salt.utils.files.fopen(ca_cert_path, "rb") as fhr:
- ca_cert = cryptography.x509.load_pem_x509_certificate(fhr.read())
+ if compat_mode:
+ ca_cert = OpenSSL.crypto.load_certificate(
+ OpenSSL.crypto.FILETYPE_PEM, fhr.read()
+ )
+ else:
+ ca_cert = cryptography.x509.load_pem_x509_certificate(fhr.read())
except OSError:
return 'There is no CA named "{}"'.format(ca_name)
except ValueError as e:
@@ -1613,34 +1622,58 @@ def create_pkcs12(ca_name, CN, passphrase="", cacert_path=None, replace=False):
try:
with salt.utils.files.fopen(cert_path, "rb") as fhr:
- cert = cryptography.x509.load_pem_x509_certificate(fhr.read())
+ if compat_mode:
+ cert = OpenSSL.crypto.load_certificate(
+ OpenSSL.crypto.FILETYPE_PEM, fhr.read()
+ )
+ else:
+ cert = cryptography.x509.load_pem_x509_certificate(fhr.read())
with salt.utils.files.fopen(priv_key_path, "rb") as fhr:
- key = cryptography_serialization.load_pem_private_key(
- fhr.read(),
- password=None,
- )
+ if compat_mode:
+ key = OpenSSL.crypto.load_privatekey(
+ OpenSSL.crypto.FILETYPE_PEM, fhr.read()
+ )
+ else:
+ key = cryptography_serialization.load_pem_private_key(
+ fhr.read(),
+ password=None,
+ )
except OSError:
return 'There is no certificate that matches the CN "{}"'.format(CN)
except ValueError as e:
return f'Could not load certificate {cert_path}: {e}'
- if passphrase:
- encryption_algorithm = cryptography_serialization.BestAvailableEncryption(
- salt.utils.stringutils.to_bytes(passphrase)
- )
+ if compat_mode:
+ pkcs12 = OpenSSL.crypto.PKCS12()
+
+ pkcs12.set_certificate(cert)
+ pkcs12.set_ca_certificates([ca_cert])
+ pkcs12.set_privatekey(key)
+
+ with salt.utils.files.fopen(
+ "{}/{}/certs/{}.p12".format(cert_base_path(), ca_name, CN), "wb"
+ ) as ofile:
+ ofile.write(
+ pkcs12.export(passphrase=salt.utils.stringutils.to_bytes(passphrase))
+ )
else:
- encryption_algorithm = cryptography_serialization.NoEncryption()
+ if passphrase:
+ encryption_algorithm = cryptography_serialization.BestAvailableEncryption(
+ salt.utils.stringutils.to_bytes(passphrase)
+ )
+ else:
+ encryption_algorithm = cryptography_serialization.NoEncryption()
- pkcs12 = cryptography_pkcs12.serialize_key_and_certificates(
- name=salt.utils.stringutils.to_bytes(CN),
- key=key,
- cert=cert,
- cas=[ca_cert],
- encryption_algorithm=encryption_algorithm,
- )
+ pkcs12 = cryptography_pkcs12.serialize_key_and_certificates(
+ name=salt.utils.stringutils.to_bytes(CN),
+ key=key,
+ cert=cert,
+ cas=[ca_cert],
+ encryption_algorithm=encryption_algorithm,
+ )
- with salt.utils.files.fopen(p12_path, "wb") as ofile:
- ofile.write(pkcs12)
+ with salt.utils.files.fopen(p12_path, "wb") as ofile:
+ ofile.write(pkcs12)
return 'Created PKCS#12 Certificate for "{0}": "{1}/{2}/certs/{0}.p12"'.format(
CN,
diff --git a/salt/modules/x509.py b/salt/modules/x509.py
index 164541fc76..373e394856 100644
--- a/salt/modules/x509.py
+++ b/salt/modules/x509.py
@@ -32,16 +32,20 @@ import tempfile
import salt.exceptions
import salt.utils.data
-import salt.utils.dictupdate
import salt.utils.files
import salt.utils.path
import salt.utils.platform
import salt.utils.stringutils
import salt.utils.versions
-import salt.utils.x509 as x509util
from salt.state import STATE_INTERNAL_KEYWORDS as _STATE_INTERNAL_KEYWORDS
from salt.utils.odict import OrderedDict
+# Necessary for OSes with older cryptography module
+COMPAT_MODE = sys.version_info < (3,12)
+if not COMPAT_MODE:
+ import salt.utils.dictupdate
+ import salt.utils.x509 as x509util
+
try:
import M2Crypto
@@ -988,35 +992,113 @@ def create_crl(
if revoked is None:
revoked = []
+ if COMPAT_MODE:
+ crl = OpenSSL.crypto.CRL()
+ for rev_item in revoked:
+ if "certificate" in rev_item:
+ rev_cert = read_certificate(rev_item["certificate"])
+ rev_item["serial_number"] = rev_cert["Serial Number"]
+ rev_item["not_after"] = rev_cert["Not After"]
- for rev_item in revoked:
- if "reason" in rev_item:
- salt.utils.dictupdate.set_dict_key_value(
- rev_item, "extensions:CRLReason", rev_item["reason"]
+ serial_number = rev_item["serial_number"].replace(":", "")
+ # OpenSSL bindings requires this to be a non-unicode string
+ serial_number = salt.utils.stringutils.to_bytes(serial_number)
+
+ if "not_after" in rev_item and not include_expired:
+ not_after = datetime.datetime.strptime(
+ rev_item["not_after"], "%Y-%m-%d %H:%M:%S"
+ )
+ if datetime.datetime.now() > not_after:
+ continue
+
+ if "revocation_date" not in rev_item:
+ rev_item["revocation_date"] = datetime.datetime.now().strftime(
+ "%Y-%m-%d %H:%M:%S"
+ )
+
+ rev_date = datetime.datetime.strptime(
+ rev_item["revocation_date"], "%Y-%m-%d %H:%M:%S"
)
+ rev_date = rev_date.strftime("%Y%m%d%H%M%SZ")
+ rev_date = salt.utils.stringutils.to_bytes(rev_date)
- builder, private_key_obj = x509util.build_crl(
- signing_private_key=signing_private_key,
- signing_private_key_passphrase=signing_private_key_passphrase,
- include_expired=include_expired,
- revoked=revoked,
- signing_cert=signing_cert,
- days_valid=days_valid,
- )
+ rev = OpenSSL.crypto.Revoked()
+ rev.set_serial(salt.utils.stringutils.to_bytes(serial_number))
+ rev.set_rev_date(salt.utils.stringutils.to_bytes(rev_date))
+
+ if "reason" in rev_item:
+ # Same here for OpenSSL bindings and non-unicode strings
+ reason = salt.utils.stringutils.to_bytes(rev_item["reason"])
+ rev.set_reason(reason)
+
+ crl.add_revoked(rev)
+
+ signing_cert = _text_or_file(signing_cert)
+ cert = OpenSSL.crypto.load_certificate(
+ OpenSSL.crypto.FILETYPE_PEM, get_pem_entry(signing_cert, pem_type="CERTIFICATE")
+ )
+ signing_private_key = _get_private_key_obj(
+ signing_private_key, passphrase=signing_private_key_passphrase
+ ).as_pem(cipher=None)
+ key = OpenSSL.crypto.load_privatekey(
+ OpenSSL.crypto.FILETYPE_PEM, get_pem_entry(signing_private_key)
+ )
+
+ export_kwargs = {
+ "cert": cert,
+ "key": key,
+ "type": OpenSSL.crypto.FILETYPE_PEM,
+ "days": days_valid,
+ }
+ if digest:
+ export_kwargs["digest"] = salt.utils.stringutils.to_bytes(digest)
+ else:
+ log.warning("No digest specified. The default md5 digest will be used.")
+
+ try:
+ crltext = crl.export(**export_kwargs)
+ except (TypeError, ValueError):
+ log.warning(
+ "Error signing crl with specified digest. Are you using "
+ "pyopenssl 0.15 or newer? The default md5 digest will be used."
+ )
+ export_kwargs.pop("digest", None)
+ crltext = crl.export(**export_kwargs)
+
+ if text:
+ return crltext
+
+ return write_pem(text=crltext, path=path, pem_type="X509 CRL")
- if digest:
- hashing_algorithm = x509util.get_hashing_algorithm(digest)
else:
- log.warning("No digest specified. The default md5 digest will be used.")
- hashing_algorithm = x509util.get_hashing_algorithm("MD5")
+ for rev_item in revoked:
+ if "reason" in rev_item:
+ salt.utils.dictupdate.set_dict_key_value(
+ rev_item, "extensions:CRLReason", rev_item["reason"]
+ )
- crl = builder.sign(private_key_obj, algorithm=hashing_algorithm)
- crl_bytes = crl.public_bytes(x509util.serialization.Encoding.PEM)
+ builder, private_key_obj = x509util.build_crl(
+ signing_private_key=signing_private_key,
+ signing_private_key_passphrase=signing_private_key_passphrase,
+ include_expired=include_expired,
+ revoked=revoked,
+ signing_cert=signing_cert,
+ days_valid=days_valid,
+ )
- if text:
- return crl_bytes.decode()
+ if digest:
+ hashing_algorithm = x509util.get_hashing_algorithm(digest)
+ else:
+ log.warning("No digest specified. The default md5 digest will be used.")
+ hashing_algorithm = x509util.get_hashing_algorithm("MD5")
- return write_pem(text=crl_bytes, path=path, pem_type="X509 CRL")
+ crl = builder.sign(private_key_obj, algorithm=hashing_algorithm)
+ crl_bytes = crl.public_bytes(x509util.serialization.Encoding.PEM)
+
+ if text:
+ return crl_bytes.decode()
+
+ return write_pem(text=crl_bytes, path=path, pem_type="X509 CRL")
def sign_remote_certificate(argdic, **kwargs):
--
2.51.1

1209
modify-readme-for-opensuse-728.patch Normal file
View File

File diff suppressed because it is too large Load Diff

676
salt.changes
View File

@@ -1,18 +1,66 @@
-------------------------------------------------------------------
Mon Aug 11 13:57:29 UTC 2025 - Victor Zhestkov <vzhestkov@suse.com>
Wed Nov 26 10:58:23 UTC 2025 - Alexander Graul <alexander.graul@suse.com>
- Add minimum_auth_version to enforce security (CVE-2025-62349)
- Backport security fixes for vendored tornado
* BDSA-2024-3438
* BDSA-2024-3439
* BDSA-2024-9026
- Junos module yaml loader fix (CVE-2025-62348)
- Added:
* backport-3006.17-security-fixes-739.patch
-------------------------------------------------------------------
Thu Nov 13 14:06:48 UTC 2025 - Marek Czernek <marek.czernek@suse.com>
- Require Python dependencies only for used Python version
-------------------------------------------------------------------
Tue Nov 11 16:11:17 UTC 2025 - Marek Czernek <marek.czernek@suse.com>
- Fix TLS and x509 modules for OSes with older cryptography module
- Require python-legacy-cgi only for Python > 3.12
- Builds with py >=3.13 require python-legacy-cgi
- Fix Salt for Python > 3.11 (bsc#1252285) (bsc#1252244)
* Use external tornado on Python > 3.11
* Make tls and x509 to use python-cryptography
* Remove usage of spwd
- Added:
* fix-tls-and-x509-modules-for-older-cryptography-modu.patch
* fix-salt-for-python-3.11.patch
-------------------------------------------------------------------
Wed Nov 5 14:54:20 UTC 2025 - Marek Czernek <marek.czernek@suse.com>
- Fix payload signature verification on Tumbleweed (bsc#1251776)
- Fix broken symlink on migration to Leap 16.0 (bsc#1250755)
- Use versioned python interpreter for salt-ssh
- Fix known_hosts error on gitfs (bsc#1250520) (bsc#1227207)
- Add python3.11 as preferable for salt-ssh to avoid tests fails
- Make test_pillar_timeout test more reliable
- Modify README and other doc files for openSUSE
- Set python-CherryPy as required for python-salt-testsuite (#115)
- Revert require M2Crypto >= 0.44.0 for SUSE Family distros
- This reverts commit aa40615dcf7a15325ef71bbc09a5423ce512491d.
- Improve SL Micro 6.2 detection with grains
- Fix functional.states.test_user for SLES 16 and Micro systems
- Fix the tests failing on AlmaLinux 10 and other clones
- Added:
* do-not-break-signature-verification-on-latest-m2cryp.patch
* use-versioned-python-interpreter-for-salt-ssh.patch
* allow-libgit2-to-guess-sysdir-homedir-successfully-b.patch
* add-python3.11-as-preferable-for-salt-ssh-to-avoid-t.patch
* even-more-reliable-pillar-timeout-test.patch
* modify-readme-for-opensuse-728.patch
* improve-sl-micro-6.2-detection-with-grains.patch
* fix-functional.states.test_user-for-sles-16-and-micr.patch
* fix-the-tests-failing-on-almalinux-10-and-other-clon.patch
-------------------------------------------------------------------
Fri Jul 4 07:55:28 UTC 2025 - Victor Zhestkov <vzhestkov@suse.com>
Fri Jul 4 10:58:04 UTC 2025 - Victor Zhestkov <vzhestkov@suse.com>
- Add `minion_legacy_req_warnings` option to avoid noisy warnings
- Require M2Crypto >= 0.44.0 for SUSE Family distros
@@ -21,16 +69,9 @@ Fri Jul 4 07:55:28 UTC 2025 - Victor Zhestkov <vzhestkov@suse.com>
* add-minion_legacy_req_warnings-option-to-avoid-noisy.patch
-------------------------------------------------------------------
Fri Jun 27 14:42:17 UTC 2025 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
Tue Jul 1 15:15:52 UTC 2025 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
- Prevent tests failures when pygit2 is not present
- Added:
* fix-tests-issues-in-salt-shaker-environments-721.patch
-------------------------------------------------------------------
Thu Jun 26 09:44:59 UTC 2025 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
- Several fixes for security issues
(bsc#1244561, CVE-2024-38822)
(bsc#1244564, CVE-2024-38823)
@@ -43,7 +84,6 @@ Thu Jun 26 09:44:59 UTC 2025 - Pablo Suárez Hernández <pablo.suarezhernandez@s
(bsc#1244572, CVE-2025-22238)
(bsc#1244574, CVE-2025-22239)
(bsc#1244575, CVE-2025-22242)
* Request server hardening
* Prevent traversal in local_cache::save_minions
* Add test and fix for file_recv cve
@@ -55,119 +95,43 @@ Thu Jun 26 09:44:59 UTC 2025 - Pablo Suárez Hernández <pablo.suarezhernandez@s
* Remove token to prevent decoding errors
* Fix checking of non-url style git remotes
* Allow subdirs in GitFS find_file check
- Added:
* several-fixes-for-security-issues.patch
-------------------------------------------------------------------
Wed Jun 11 11:03:32 UTC 2025 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
- Add subsystem filter to udev.exportdb (bsc#1236621)
- tornado.httputil: raise errors instead of logging in
multipart/form-data parsing (CVE-2025-47287, bsc#1243268)
- Fix Ubuntu 24.04 edge-case test failures
- Fix broken tests for Ubuntu 24.04
- Fix refresh of osrelease and related grains on Python 3.10+
- Make "salt" package to obsolete "python3-salt" package on SLE15SP7+
- Fix issue requiring proper Python flavor for dependencies and recommended package
- Added:
* fix-tests-issues-in-salt-shaker-environments-721.patch
* several-fixes-for-security-issues.patch
* add-subsystem-filter-to-udev.exportdb-bsc-1236621-71.patch
* fix-of-cve-2025-47287-bsc-1243268-718.patch
-------------------------------------------------------------------
Tue May 27 08:26:18 UTC 2025 - Marek Czernek <marek.czernek@suse.com>
- Fix Ubuntu 24.04 edge-case test failures
- Added:
* fix-ubuntu-24.04-specific-failures-716.patch
-------------------------------------------------------------------
Mon May 19 08:53:44 UTC 2025 - Marek Czernek <marek.czernek@suse.com>
- Fix broken tests for Ubuntu 24.04
- Added:
* fix-debian-tests-715.patch
-------------------------------------------------------------------
Wed Apr 2 15:40:46 UTC 2025 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
- Fix refresh of osrelease and related grains on Python 3.10+
- Added:
* fix-refresh-of-osrelease-and-related-grains-on-pytho.patch
-------------------------------------------------------------------
Thu Mar 27 15:27:34 UTC 2025 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
- Small refactor on the spec file
-------------------------------------------------------------------
Tue Mar 25 10:17:35 UTC 2025 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
- Make "salt" package to obsolete "python3-salt" package on SLE15SP7+
- Fix issue requiring proper Python flavor for dependencies
and recommended package.
- Do not build "python3-salt" anymore for SLE15SP7+
-------------------------------------------------------------------
Wed Mar 12 13:38:35 UTC 2025 - Marek Czernek <marek.czernek@suse.com>
Wed Mar 19 12:02:41 UTC 2025 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
- Fix aptpkg 'NoneType object has no attribute split' error
- Added:
* fix-deb822-nonetype-object-has-no-attribute-split-71.patch
-------------------------------------------------------------------
Mon Mar 10 13:47:55 UTC 2025 - Victor Zhestkov <vzhestkov@suse.com>
- Detect openEuler as RedHat family OS
- Ensure the correct crypt module is loaded
- Implement multiple inventory for ansible.targets
- Make x509 module compatible with M2Crypto 0.44.0
- Remove deprecated code from x509.certificate_managed test mode
- Move logrotate config to /usr/etc/logrotate.d where possible
- Added:
* detect-openeuler-as-redhat-family-os.patch
* ensure-the-correct-crypt-module-is-loaded.patch
* implement-multiple-inventory-for-ansible.targets.patch
* make-x509-module-compatible-with-m2crypto-0.44.0.patch
* remove-deprecated-code-from-x509.certificate_managed.patch
-------------------------------------------------------------------
Mon Mar 10 09:34:28 UTC 2025 - Marek Czernek <marek.czernek@suse.com>
- Add DEB822 apt repository format support
- Make Salt-SSH work with all SSH passwords (bsc#1215484)
- Added:
* add-deb822-apt-source-format-support-692.patch
* remove-password-from-shell-after-functional-text-mat.patch
-------------------------------------------------------------------
Mon Feb 24 16:17:55 UTC 2025 - Pablo Suárez Hernández <psuarezhernandez@suse.com>
- Fix issue of using update-alternatives with alts
-------------------------------------------------------------------
Fri Feb 21 12:46:01 UTC 2025 - Pablo Suárez Hernández <psuarezhernandez@suse.com>
- Fix issue of using update-alternatives with alts (#105)
- Fix virt_query outputter and add support for block devices
- Make _auth calls visible with master stats
- Repair mount.fstab_present always returning pending changes
- Set virtual grain in Podman systemd container
- Fix crash due wrong client reference on `SaltMakoTemplateLookup`
- Enhace batch async and fix some detected issues
- Added:
* repair-virt_query-outputter-655.patch
* make-_auth-calls-visible-with-master-stats-696.patch
* repair-fstab_present-test-mode-702.patch
* set-virtual-grain-in-podman-systemd-container-703.patch
* fixed-file-client-private-attribute-reference-on-sal.patch
* backport-batch-async-fixes-and-improvements-701.patch
-------------------------------------------------------------------
Wed Feb 19 16:06:43 UTC 2025 - Pablo Suárez Hernández <psuarezhernandez@suse.com>
- Enhacement of Salt packaging
* Use update-alternatives for all salt scripts
* Use flexible dependencies for the subpackages
@@ -176,243 +140,107 @@ Wed Feb 19 16:06:43 UTC 2025 - Pablo Suárez Hernández <psuarezhernandez@suse.c
* Drop unused yumnotify plugin
* Add dependency to python3-dnf-plugins-core for RHEL based
- Fix tests failures after "repo.saltproject.io" deprecation
- Added:
* fix-tests-failures-after-repo.saltproject.io-depreca.patch
-------------------------------------------------------------------
Wed Jan 29 10:34:28 UTC 2025 - Pablo Suárez Hernández <psuarezhernandez@suse.com>
- Fix error to stat '/root/.gitconfig' on gitfs
(bsc#1230944) (bsc#1234881) (bsc#1220905)
- Added:
* fix-failed-to-stat-root-.gitconfig-issue-on-gitfs-bs.patch
-------------------------------------------------------------------
Mon Jan 27 11:04:02 UTC 2025 - Alexander Graul <alexander.graul@suse.com>
- Adapt to removal of hex attribute in pygit2 v1.15.0 (bsc#1230642)
- Added:
* update-for-deprecation-of-hex-in-pygit2-1.15.0-and-a.patch
-------------------------------------------------------------------
Thu Jan 23 16:44:42 UTC 2025 - Pablo Suárez Hernández <psuarezhernandez@suse.com>
- Enhance smart JSON parsing when garbage is present (bsc#1231605)
- Added:
* enhance-find_json-garbage-filtering-bsc-1231605-688.patch
-------------------------------------------------------------------
Wed Jan 22 13:11:21 UTC 2025 - Pablo Suárez Hernández <psuarezhernandez@suse.com>
- Fix virtual grains for VMs running on Nutanix AHV (bsc#1234022)
- Fix issues running on Python 3.12 and 3.13
- Added:
* fix-virtual-grains-for-vms-running-on-nutanix-ahv-bs.patch
* fix-issues-that-break-salt-in-python-3.12-and-3.13-6.patch
-------------------------------------------------------------------
Thu Jan 9 12:57:12 UTC 2025 - Pablo Suárez Hernández <psuarezhernandez@suse.com>
- Revert setting SELinux context for minion service (bsc#1233667)
- Remove System V init support
* Make systemd the only supported init system by removing System V init
and insserv references
* Ensure package builds with no init system dependencies if built
without systemd (for example for use in containers)
* Apply some spec-cleaner suggestions (update copyright year, sort
requirements, adjust spacing)
- Added:
* revert-setting-selinux-context-for-minion-service-bs.patch
-------------------------------------------------------------------
Tue Nov 26 14:53:34 UTC 2024 - Victor Zhestkov <vzhestkov@suse.com>
* Make systemd the only supported init system by removing System V init
and insserv references
* Ensure package builds with no init system dependencies if built
without systemd (for example for use in containers)
* Apply some spec-cleaner suggestions (update copyright year, sort
requirements, adjust spacing)
- Fix the condition of alternatives for Tumbleweed and Leap 16
- Use update-alternatives for salt-call and fix builing on EL8
- Build all python bindings for all flavors
- Make minion reconnecting on changing master IP (bsc#1228182)
- Added:
* make-minion-reconnecting-on-changing-master-ip-bsc-1.patch
-------------------------------------------------------------------
Thu Oct 17 14:02:57 UTC 2024 - Marek Czernek <marek.czernek@suse.com>
- Handle logger exception when flushing already closed file
- Include passlib as a recommended dependency
- Added:
* handle-logger-flushing-already-closed-file-686.patch
-------------------------------------------------------------------
Thu Oct 10 11:19:52 UTC 2024 - Pablo Suárez Hernández <psuarezhernandez@suse.com>
- Make Salt Bundle more tolerant to long running jobs (bsc#1228690)
- Added:
* enhance-cleanup-mechanism-after-salt-bundle-upgrade-.patch
-------------------------------------------------------------------
Thu Oct 3 11:21:30 UTC 2024 - Marek Czernek <marek.czernek@suse.com>
- Fix additional x509 tests and test_suse tests for SLE12
- Added:
* fix-deb822-nonetype-object-has-no-attribute-split-71.patch
* detect-openeuler-as-redhat-family-os.patch
* ensure-the-correct-crypt-module-is-loaded.patch
* implement-multiple-inventory-for-ansible.targets.patch
* make-x509-module-compatible-with-m2crypto-0.44.0.patch
* remove-deprecated-code-from-x509.certificate_managed.patch
* add-deb822-apt-source-format-support-692.patch
* remove-password-from-shell-after-functional-text-mat.patch
* repair-virt_query-outputter-655.patch
* make-_auth-calls-visible-with-master-stats-696.patch
* repair-fstab_present-test-mode-702.patch
* set-virtual-grain-in-podman-systemd-container-703.patch
* fixed-file-client-private-attribute-reference-on-sal.patch
* backport-batch-async-fixes-and-improvements-701.patch
* fix-tests-failures-after-repo.saltproject.io-depreca.patch
* fix-failed-to-stat-root-.gitconfig-issue-on-gitfs-bs.patch
* update-for-deprecation-of-hex-in-pygit2-1.15.0-and-a.patch
* enhance-find_json-garbage-filtering-bsc-1231605-688.patch
* fix-virtual-grains-for-vms-running-on-nutanix-ahv-bs.patch
* fix-issues-that-break-salt-in-python-3.12-and-3.13-6.patch
* revert-setting-selinux-context-for-minion-service-bs.patch
* make-minion-reconnecting-on-changing-master-ip-bsc-1.patch
* handle-logger-flushing-already-closed-file-686.patch
* enhance-cleanup-mechanism-after-salt-bundle-upgrade-.patch
* fix-x509-private-key-tests-and-test_suse-on-sle12-68.patch
-------------------------------------------------------------------
Wed Oct 2 07:47:58 UTC 2024 - Marek Czernek <marek.czernek@suse.com>
Wed Oct 2 12:09:33 UTC 2024 - Yeray Gutiérrez Cedrés <yeray.gutierrez@suse.com>
- Fix failing x509 tests with OpenSSL < 1.1
- Added:
* fix-x509-test-fails-on-old-openssl-systems-682.patch
-------------------------------------------------------------------
Wed Sep 25 11:45:28 UTC 2024 - Victor Zhestkov <vzhestkov@suse.com>
- Avoid explicit reading of /etc/salt/minion (bsc#1220357)
- Allow NamedLoaderContexts to be returned from loader
- Revert the change making reactor less blocking (bsc#1230322)
- Use --cachedir for extension_modules in salt-call (bsc#1226141)
- Prevent using SyncWrapper with no reason
- Added:
* avoid-explicit-reading-of-etc-salt-minion-bsc-122035.patch
* allow-namedloadercontexts-to-be-returned-from-loader.patch
* revert-the-change-making-reactor-less-blocking-bsc-1.patch
* use-cachedir-for-extension_modules-in-salt-call-bsc-.patch
* prevent-using-syncwrapper-with-no-reason.patch
-------------------------------------------------------------------
Tue Sep 10 12:51:43 UTC 2024 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
- Fix the SELinux context for Salt Minion service (bsc#1219041)
- Added:
* fix-the-selinux-context-for-salt-minion-service-bsc-.patch
-------------------------------------------------------------------
Wed Sep 4 12:23:53 UTC 2024 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
- Set contextvars as a build requirement for package
-------------------------------------------------------------------
Wed Sep 4 11:38:07 UTC 2024 - Marek Czernek <marek.czernek@suse.com>
- Increase warn_until_date date for code we still support
- The test_debian test now uses port 80 for ubuntu keyserver
- Fix too frequent systemd service restart in test_system test
- Added:
* fix-test_debian-to-work-in-our-infrastructure-676.patch
* fix-test_system-flaky-setup_teardown-fn.patch
* fix-deprecated-code-677.patch
-------------------------------------------------------------------
Fri Aug 30 14:42:00 UTC 2024 - Victor Zhestkov <vzhestkov@suse.com>
- Avoid crash on wrong output of systemctl version (bsc#1229539)
- Improve error handling with different OpenSSL versions
- Remove redundant run_func from salt.master.MWorker._handle_aes
- Added:
* avoid-crash-on-wrong-output-of-systemctl-version-bsc.patch
* improve-error-handling-with-different-openssl-versio.patch
* remove-redundant-run_func-from-salt.master.mworker._.patch
-------------------------------------------------------------------
Thu Aug 29 11:54:27 UTC 2024 - Yeray Gutiérrez Cedrés <yeray.gutierrez@suse.com>
- Fix cloud minion configuration for multiple masters (bsc#1229109)
- Added:
* join-masters-if-it-is-a-list-671.patch
-------------------------------------------------------------------
Wed Aug 21 14:30:48 UTC 2024 - Marek Czernek <marek.czernek@suse.com>
- Use Pygit2 id instead of deprecated oid in gitfs
- Added:
* replace-use-of-pygit2-deprecated-and-removed-1.15.0-.patch
-------------------------------------------------------------------
Wed Aug 7 09:45:18 UTC 2024 - Marek Czernek <marek.czernek@suse.com>
- Fix few failing tests to work with both Salt and Salt bundle
- Skip testing unsupported OpenSSL crypto algorithms
- Added:
* make-tests-compatible-with-venv-bundle.patch
* skip-more-tests-related-to-old-openssl-algorithms.patch
* fix-the-selinux-context-for-salt-minion-service-bsc-.patch
* allow-namedloadercontexts-to-be-returned-from-loader.patch
* join-masters-if-it-is-a-list-671.patch
* remove-redundant-run_func-from-salt.master.mworker._.patch
* prevent-using-syncwrapper-with-no-reason.patch
* fix-test_debian-to-work-in-our-infrastructure-676.patch
* fix-x509-test-fails-on-old-openssl-systems-682.patch
* make-tests-compatible-with-venv-bundle.patch
* avoid-crash-on-wrong-output-of-systemctl-version-bsc.patch
* revert-the-change-making-reactor-less-blocking-bsc-1.patch
* avoid-explicit-reading-of-etc-salt-minion-bsc-122035.patch
* improve-error-handling-with-different-openssl-versio.patch
* replace-use-of-pygit2-deprecated-and-removed-1.15.0-.patch
* fix-test_system-flaky-setup_teardown-fn.patch
* use-cachedir-for-extension_modules-in-salt-call-bsc-.patch
* fix-deprecated-code-677.patch
-------------------------------------------------------------------
Wed Jul 24 10:12:25 UTC 2024 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
Fri Aug 2 09:00:07 UTC 2024 - Yeray Gutiérrez Cedrés <yeray.gutierrez@suse.com>
- Fix rich rule comparison in firewalld module (bsc#1222684)
- Added:
* firewalld-normalize-new-rich-rules-before-comparing-.patch
-------------------------------------------------------------------
Tue Jul 9 11:23:20 UTC 2024 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
- test_vultrpy: adjust test expectation to prevent failure after Debian 10 EOL
- Added:
* test_vultrpy-adjust-test-expectation-to-prevent-fail.patch
-------------------------------------------------------------------
Mon Jul 8 16:02:47 UTC 2024 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
- Make auth.pam more robust with Salt Bundle and fix tests
- Added:
* some-more-small-tests-fixes-enhancements-661.patch
-------------------------------------------------------------------
Wed Jul 3 11:13:00 UTC 2024 - Flex Liu <fliu@suse.com>
- Fix performance of user.list_groups with many remote groups
(bsc#1226964)
- Added:
* fix-user.list_groups-omits-remote-groups.patch
-------------------------------------------------------------------
Tue Jun 18 15:00:44 UTC 2024 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
- Fix "status.diskusage" function and exclude some tests for Salt Bundle
- Added:
* fix-status.diskusage-and-exclude-some-tests-to-run-w.patch
-------------------------------------------------------------------
Wed Jun 12 08:44:38 UTC 2024 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
- Skip certain tests if necessary for some OSes and set flaky ones
- Added:
* skip-certain-tests-if-necessary-and-mark-some-flaky-.patch
-------------------------------------------------------------------
Thu Jun 6 08:41:14 UTC 2024 - Marek Czernek <marek.czernek@suse.com>
- Add a timer to delete old env post update for venv-minion
- Added:
* provide-systemd-timer-unit.patch
-------------------------------------------------------------------
Mon May 27 11:07:26 UTC 2024 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
- Several fixes for tests to avoid errors and failures in some OSes
- Speed up salt.matcher.confirm_top by using __context__
- Do not call the async wrapper calls with the separate thread
@@ -426,265 +254,116 @@ Mon May 27 11:07:26 UTC 2024 - Pablo Suárez Hernández <pablo.suarezhernandez@s
- Improve broken events catching and reporting
- Make logging calls lighter
- Remove unused import causing delays on starting salt-master
- Added:
* improve-broken-events-catching-and-reporting.patch
* add-missing-contextvars-dependency-in-salt.version.patch
* prevent-oom-with-high-amount-of-batch-async-calls-bs.patch
* speed-up-salt.matcher.confirm_top-by-using-__context.patch
* remove-redundant-_file_find-call-to-the-master.patch
* make-logging-calls-lighter.patch
* make-salt-master-self-recoverable-on-killing-eventpu.patch
* skip-tests-for-unsupported-algorithm-on-old-openssl-.patch
* remove-unused-import-causing-delays-on-starting-salt.patch
* do-not-call-the-async-wrapper-calls-with-the-separat.patch
* prevent-possible-exception-in-tornado.concurrent.fut.patch
* several-fixes-for-tests-to-avoid-errors-and-failures.patch
* make-reactor-engine-less-blocking-the-eventpublisher.patch
-------------------------------------------------------------------
Mon May 13 15:26:19 UTC 2024 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
- Mark python3-CherryPy as recommended package for the testsuite
-------------------------------------------------------------------
Tue May 7 15:55:56 UTC 2024 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
- Make "man" a recommended package instead of required
- Added:
* provide-systemd-timer-unit.patch
* make-logging-calls-lighter.patch
* add-missing-contextvars-dependency-in-salt.version.patch
* prevent-oom-with-high-amount-of-batch-async-calls-bs.patch
* prevent-possible-exception-in-tornado.concurrent.fut.patch
* improve-broken-events-catching-and-reporting.patch
* skip-tests-for-unsupported-algorithm-on-old-openssl-.patch
* several-fixes-for-tests-to-avoid-errors-and-failures.patch
* fix-user.list_groups-omits-remote-groups.patch
* some-more-small-tests-fixes-enhancements-661.patch
* skip-certain-tests-if-necessary-and-mark-some-flaky-.patch
* firewalld-normalize-new-rich-rules-before-comparing-.patch
* remove-redundant-_file_find-call-to-the-master.patch
* fix-status.diskusage-and-exclude-some-tests-to-run-w.patch
* remove-unused-import-causing-delays-on-starting-salt.patch
* make-reactor-engine-less-blocking-the-eventpublisher.patch
* test_vultrpy-adjust-test-expectation-to-prevent-fail.patch
* speed-up-salt.matcher.confirm_top-by-using-__context.patch
* do-not-call-the-async-wrapper-calls-with-the-separat.patch
* make-salt-master-self-recoverable-on-killing-eventpu.patch
-------------------------------------------------------------------
Tue Mar 26 08:44:29 UTC 2024 - Marek Czernek <marek.czernek@suse.com>
Tue Apr 16 15:32:23 UTC 2024 - Yeray Gutiérrez Cedrés <yeray.gutierrez@suse.com>
- Convert oscap output to UTF-8
- Added:
* switch-oscap-encoding-to-utf-8-639.patch
-------------------------------------------------------------------
Thu Mar 21 13:14:03 UTC 2024 - Marek Czernek <marek.czernek@suse.com>
- Make Salt compatible with Python 3.11
- Added:
* fix-salt-warnings-and-testuite-for-python-3.11-635.patch
-------------------------------------------------------------------
Fri Mar 15 10:00:35 UTC 2024 - Yeray Gutiérrez Cedrés <yeray.gutierrez@suse.com>
- Ignore non-ascii chars in oscap output (bsc#1219001)
- Added:
* decode-oscap-byte-stream-to-string-bsc-1219001.patch
-------------------------------------------------------------------
Thu Mar 14 13:11:21 UTC 2024 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
- Fix detected issues in Salt tests when running on VMs
- Make importing seco.range thread safe (bsc#1211649)
- Fix problematic tests and allow smooth tests executions on containers
- Discover Ansible playbook files as "*.yml" or "*.yaml" files (bsc#1211888)
- Provide user(salt)/group(salt) capabilities for RPM 4.19
- Extend dependencies for python3-salt-testsuite and python3-salt packages
- Improve Salt and testsuite packages multibuild
- Enable multibuilld and create test flavor
- Added:
* fix-tests-failures-and-errors-when-detected-on-vm-ex.patch
-------------------------------------------------------------------
Wed Mar 6 13:38:29 UTC 2024 - Marek Czernek <marek.czernek@suse.com>
- Make importing seco.range thread safe (bsc#1211649)
- Added:
* decode-oscap-byte-stream-to-string-bsc-1219001.patch
* make-importing-seco.range-thread-safe-bsc-1211649.patch
-------------------------------------------------------------------
Mon Feb 26 10:43:37 UTC 2024 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
- Fix problematic tests and allow smooth tests executions on containers
- Added:
* fix-problematic-tests-and-allow-smooth-tests-executi.patch
-------------------------------------------------------------------
Wed Feb 21 12:21:03 UTC 2024 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
- Discover Ansible playbook files as "*.yml" or "*.yaml" files (bsc#1211888)
- Added:
* switch-oscap-encoding-to-utf-8-639.patch
* fix-salt-warnings-and-testuite-for-python-3.11-635.patch
* fix-problematic-tests-and-allow-smooth-tests-executi.patch
* discover-both-.yml-and-.yaml-playbooks-bsc-1211888.patch
-------------------------------------------------------------------
Tue Feb 20 12:58:58 UTC 2024 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
- Extend dependencies for python3-salt-testsuite and python3-salt packages
- Improve Salt and testsuite packages multibuild
-------------------------------------------------------------------
Thu Feb 8 12:17:39 UTC 2024 - Yeray Gutiérrez Cedrés <yeray.gutierrez@suse.com>
- Enable multibuilld and create test flavor
- Additionally we require python-mock just for older Python versions.
-------------------------------------------------------------------
Mon Feb 5 09:55:33 UTC 2024 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
- Remove python-boto dependency for the python3-salt-testsuite package for Tumbleweed
- Rename salt-tests to python3-salt-testsuite
-------------------------------------------------------------------
Thu Feb 1 12:19:06 UTC 2024 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
Thu Feb 1 14:48:40 UTC 2024 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
- Prevent directory traversal when creating syndic cache directory
on the master (CVE-2024-22231, bsc#1219430)
- Prevent directory traversal attacks in the master's serve_file
method (CVE-2024-22232, bsc#1219431)
- Added:
* fix-cve-2024-22231-and-cve-2024-22232-bsc-1219430-bs.patch
-------------------------------------------------------------------
Mon Jan 29 13:50:44 UTC 2024 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
- Provide user(salt)/group(salt) capabilities for RPM 4.19
-------------------------------------------------------------------
Tue Jan 23 15:39:14 UTC 2024 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
- Prevent exceptions with fileserver.update when called via state (bsc#1218482)
- Added:
* allow-kwargs-for-fileserver-roots-update-bsc-1218482.patch
-------------------------------------------------------------------
Thu Jan 18 16:10:04 UTC 2024 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
- Improve pip target override condition with VENV_PIP_TARGET
environment variable (bsc#1216850)
- Fixed KeyError in logs when running a state that fails
- Added:
* improve-pip-target-override-condition-with-venv_pip_.patch
* fixed-keyerror-in-logs-when-running-a-state-that-fai.patch
-------------------------------------------------------------------
Thu Jan 18 13:06:21 UTC 2024 - Marek Czernek <marek.czernek@suse.com>
- Ensure that pillar refresh loads beacons from pillar without restart
- Fix the aptpkg.py unit test failure
- Prefer unittest.mock to python-mock in test suite
- Added:
* update-__pillar__-during-pillar_refresh.patch
* fix-the-aptpkg.py-unit-test-failure.patch
* prefer-unittest.mock-for-python-versions-that-are-su.patch
-------------------------------------------------------------------
Fri Dec 1 11:04:02 UTC 2023 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
- Enable "KeepAlive" probes for Salt SSH executions (bsc#1211649)
- Added:
* enable-keepalive-probes-for-salt-ssh-executions-bsc-.patch
-------------------------------------------------------------------
Thu Nov 16 10:33:00 UTC 2023 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
- Revert changes to set Salt configured user early in the stack (bsc#1216284)
- Added:
* revert-make-sure-configured-user-is-properly-set-by-.patch
-------------------------------------------------------------------
Mon Nov 13 16:02:35 UTC 2023 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
- Align behavior of some modules when using salt-call via symlink (bsc#1215963)
- Fix gitfs "__env__" and improve cache cleaning (bsc#1193948)
- Added:
* fix-gitfs-__env__-and-improve-cache-cleaning-bsc-119.patch
* dereference-symlinks-to-set-proper-__cli-opt-bsc-121.patch
-------------------------------------------------------------------
Tue Oct 31 11:51:17 UTC 2023 - Alexander Graul <alexander.graul@suse.com>
- Remove python-boto dependency for the python3-salt-testsuite package for Tumbleweed
- Randomize pre_flight_script path (CVE-2023-34049 bsc#1215157)
- Added:
* fix-cve-2023-34049-bsc-1215157.patch
-------------------------------------------------------------------
Tue Oct 17 15:28:22 UTC 2023 - Marek Czernek <marek.czernek@suse.com>
- Allow all primitive grain types for autosign_grains (bsc#1214477)
- Added:
* allow-all-primitive-grain-types-for-autosign_grains-.patch
-------------------------------------------------------------------
Mon Oct 2 12:49:41 UTC 2023 - Victor Zhestkov <vzhestkov@suse.com>
- Fix optimization_order opt to prevent testsuite fails
- Improve salt.utils.json.find_json to avoid fails
with transactional salt salt-ssh managed clients (bsc#1213293)
- Improve salt.utils.json.find_json to avoid fails (bsc#1213293)
- Use salt-call from salt bundle with transactional_update
- Only call native_str on curl_debug message in tornado when needed
- Implement the calling for batch async from the salt CLI
- Fix calculation of SLS context vars when trailing dots
on targetted sls/state (bsc#1213518)
- Rename salt-tests to python3-salt-testsuite
- Added:
* implement-the-calling-for-batch-async-from-the-salt-.patch
* improve-salt.utils.json.find_json-bsc-1213293.patch
* only-call-native_str-on-curl_debug-message-in-tornad.patch
* enable-keepalive-probes-for-salt-ssh-executions-bsc-.patch
* allow-all-primitive-grain-types-for-autosign_grains-.patch
* fixed-keyerror-in-logs-when-running-a-state-that-fai.patch
* use-salt-call-from-salt-bundle-with-transactional_up.patch
* implement-the-calling-for-batch-async-from-the-salt-.patch
* fix-calculation-of-sls-context-vars-when-trailing-do.patch
* prefer-unittest.mock-for-python-versions-that-are-su.patch
* fix-cve-2023-34049-bsc-1215157.patch
* fix-gitfs-__env__-and-improve-cache-cleaning-bsc-119.patch
* allow-kwargs-for-fileserver-roots-update-bsc-1218482.patch
* dereference-symlinks-to-set-proper-__cli-opt-bsc-121.patch
* revert-make-sure-configured-user-is-properly-set-by-.patch
* fix-cve-2024-22231-and-cve-2024-22232-bsc-1219430-bs.patch
* improve-pip-target-override-condition-with-venv_pip_.patch
* only-call-native_str-on-curl_debug-message-in-tornad.patch
* update-__pillar__-during-pillar_refresh.patch
* improve-salt.utils.json.find_json-bsc-1213293.patch
* fix-the-aptpkg.py-unit-test-failure.patch
* fix-optimization_order-opt-to-prevent-test-fails.patch
-------------------------------------------------------------------
Mon Oct 2 09:50:00 UTC 2023 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
- Fix calculation of SLS context vars when trailing dots
on targetted sls/state (bsc#1213518)
- Added:
* fix-calculation-of-sls-context-vars-when-trailing-do.patch
-------------------------------------------------------------------
Wed Sep 20 12:17:44 UTC 2023 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
Wed Sep 20 15:04:34 UTC 2023 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
- Fix inconsistency in reported version by egg-info metadata (bsc#1215489)
- Added:
* write-salt-version-before-building-when-using-with-s.patch
-------------------------------------------------------------------
Fri Sep 1 07:33:18 UTC 2023 - Victor Zhestkov <vzhestkov@suse.com>
- Revert usage of long running REQ channel to prevent possible
missing responses on requests and dublicated responses
(bsc#1213960, bsc#1213630, bsc#1213257)
- Added:
* revert-usage-of-long-running-req-channel-bsc-1213960.patch
-------------------------------------------------------------------
Thu Aug 31 09:51:20 UTC 2023 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
- Fix gitfs cachedir basename to avoid hash collisions
(bsc#1193948, bsc#1214797, CVE-2023-20898)
- Added:
* fixed-gitfs-cachedir_basename-to-avoid-hash-collisio.patch
-------------------------------------------------------------------
Tue Aug 22 12:03:21 UTC 2023 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
- Revert usage of long running REQ channel (bsc#1213960, bsc#1213630, bsc#1213257)
- Fix gitfs cachedir basename to avoid hash collisions (bsc#1193948, bsc#1214797, CVE-2023-20898)
- Make sure configured user is properly set by Salt (bsc#1210994)
- Do not fail on bad message pack message (bsc#1213441, CVE-2023-20897, bsc#1214796)
- Do not fail on bad message pack message (bsc#1213441, CVE-2023-20897)
- Fix broken tests to make them running in the testsuite
- Prevent possible exceptions on salt.utils.user.get_group_dict (bsc#1212794)
- Added:
* do-not-fail-on-bad-message-pack-message-bsc-1213441-.patch
* fix-tests-to-make-them-running-with-salt-testsuite.patch
* prevent-possible-exceptions-on-salt.utils.user.get_g.patch
* make-sure-configured-user-is-properly-set-by-salt-bs.patch
-------------------------------------------------------------------
Wed Aug 9 15:13:50 UTC 2023 - Alexander Graul <alexander.graul@suse.com>
- Create minion_id with reproducible mtime
- Fix detection of Salt codename by "salt_version" execution module
- Fix regression: multiple values for keyword argument 'saltenv' (bsc#1212844)
@@ -699,17 +378,24 @@ Wed Aug 9 15:13:50 UTC 2023 - Alexander Graul <alexander.graul@suse.com>
- Avoid conflicts with Salt dependencies versions (bsc#1211612)
- Added:
* fix-utf8-handling-in-pass-renderer-and-make-it-more-.patch
* fix-the-regression-of-user.present-state-when-group-.patch
* fixed-gitfs-cachedir_basename-to-avoid-hash-collisio.patch
* write-salt-version-before-building-when-using-with-s.patch
* make-master_tops-compatible-with-salt-3000-and-older.patch
* avoid-conflicts-with-dependencies-versions-bsc-12116.patch
* tornado-fix-an-open-redirect-in-staticfilehandler-cv.patch
* fix-regression-multiple-values-for-keyword-argument-.patch
* zypper-pkgrepo-alreadyconfigured-585.patch
* mark-salt-3006-as-released-586.patch
* revert-usage-of-long-running-req-channel-bsc-1213960.patch
* do-not-fail-on-bad-message-pack-message-bsc-1213441-.patch
* fix-utf8-handling-in-pass-renderer-and-make-it-more-.patch
* prevent-possible-exceptions-on-salt.utils.user.get_g.patch
* tornado-fix-an-open-redirect-in-staticfilehandler-cv.patch
* fix-some-issues-detected-in-salt-support-cli-module-.patch
* define-__virtualname__-for-transactional_update-modu.patch
* fix-tests-to-make-them-running-with-salt-testsuite.patch
* 3006.0-prevent-_pygit2.giterror-error-loading-known_.patch
* define-__virtualname__-for-transactional_update-modu.patch
* make-sure-configured-user-is-properly-set-by-salt-bs.patch
* mark-salt-3006-as-released-586.patch
* fix-regression-multiple-values-for-keyword-argument-.patch
-------------------------------------------------------------------
Fri May 5 08:29:26 UTC 2023 - Alexander Graul <alexander.graul@suse.com>

58
salt.spec
View File

@@ -574,6 +574,31 @@ Patch177: fix-the-tests-failing-on-almalinux-10-and-other-clon.patch
Patch178: fix-functional.states.test_user-for-sles-16-and-micr.patch
# PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/pull/68247
Patch179: improve-sl-micro-6.2-detection-with-grains.patch
# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/728
Patch180: modify-readme-for-opensuse-728.patch
# PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/pull/68331
# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/729
Patch181: even-more-reliable-pillar-timeout-test.patch
# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/730
Patch182: add-python3.11-as-preferable-for-salt-ssh-to-avoid-t.patch
# PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/pull/68366
Patch183: allow-libgit2-to-guess-sysdir-homedir-successfully-b.patch
# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/732
Patch184: use-versioned-python-interpreter-for-salt-ssh.patch
# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/735
Patch185: do-not-break-signature-verification-on-latest-m2cryp.patch
# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/736
Patch186: fix-salt-for-python-3.11.patch
# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/737
Patch187: fix-tls-and-x509-modules-for-older-cryptography-modu.patch
# PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/issues/68377
# PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/issues/68379
# PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/issues/68383
# PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/issues/68467
# PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/issues/68469
# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/739
Patch188: backport-3006.17-security-fixes-739.patch
### IMPORTANT: The line below is used as a snippet marker. Do not touch it.
### SALT PATCHES LIST END
@@ -777,6 +802,7 @@ Requires: %{python_module distro}
Requires: %{python_module looseversion}
Requires: %{python_module packaging}
Requires: %{python_module contextvars}
Requires: %{python_module cryptography}
%if 0%{?suse_version}
# required for zypper.py
Requires: %{python_module rpm}
@@ -794,6 +820,7 @@ Requires: python-distro
Requires: python-looseversion
Requires: python-packaging
Requires: python-contextvars
Requires: python-cryptography
%if 0%{?suse_version}
# required for zypper.py
Requires: python-rpm
@@ -834,11 +861,18 @@ Recommends: %{python_module passlib}
Recommends: python-passlib
%endif
%if 0%{?suse_version} >= 1600
Requires: python-tornado
%if 0%{?python3_version_nodots} > 312
Requires: python-legacy-cgi
%endif
%else
%if 0%{?singlespec_compat}
Provides: bundled(%{python_module tornado}) = 4.5.3
%else
Provides: bundled(python-tornado) = 4.5.3
%endif
%endif
Provides: %{name}-call = %{version}-%{release}
@@ -1078,7 +1112,7 @@ BuildRequires: %{python_module setuptools}
Requires: salt = %{version}
%if 0%{?singlespec_compat}
Recommends: %{python_module CherryPy}
Requires: %{python_module CherryPy}
Requires: %{python_module Genshi}
Requires: %{python_module Mako}
%if !0%{?suse_version} > 1600 || 0%{?centos}
@@ -1098,7 +1132,7 @@ Requires: %{python_module testinfra}
Requires: %{python_module yamllint}
Requires: %{python_module pip}
%else
Recommends: python-CherryPy
Requires: python-CherryPy
Requires: python-Genshi
Requires: python-Mako
%if !0%{?suse_version} > 1600 || 0%{?centos}
@@ -1626,6 +1660,26 @@ fi
%else
%posttrans -n python-salt
%endif
%if %{with libalternatives}
# restore symlinks to alts after migration from update-alternatives to alts
# in cases where the old package flavor (based u-a) is removed in favor of
# new python flavor (bsc#1250755).
# i.a. python3-salt (3.6 using u-a) -> python313-salt (3.13 using alts)
if [ -f /usr/bin/alts ]; then
for SALT_SCRIPT in salt-call salt-support spm; do
if [ ! -e "%{_bindir}/${SALT_SCRIPT}" ]; then
ln -sf alts "%{_bindir}/${SALT_SCRIPT}"
fi
done
for SALT_SCRIPT in salt salt-api salt-cloud salt-cp salt-key salt-master salt-minion salt-proxy salt-run salt-ssh salt-syndic zyppnotify; do
if [ ! -e "%{_exec_prefix}/libexec/salt/${SALT_SCRIPT}" ]; then
ln -sf ../../bin/alts "%{_exec_prefix}/libexec/salt/${SALT_SCRIPT}"
fi
done
fi
%endif
# force re-generate a new thin.tgz
rm -f %{_localstatedir}/cache/salt/master/thin/version
rm -f %{_localstatedir}/cache/salt/minion/thin/version

33
use-versioned-python-interpreter-for-salt-ssh.patch Normal file
View File

@@ -0,0 +1,33 @@
From 1df479ec297e340bbe5f4913afce02f6c8427bd4 Mon Sep 17 00:00:00 2001
From: Victor Zhestkov <vzhestkov@suse.com>
Date: Mon, 6 Oct 2025 16:41:46 +0200
Subject: [PATCH] Use versioned python interpreter for salt-ssh
---
salt/client/ssh/__init__.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/salt/client/ssh/__init__.py b/salt/client/ssh/__init__.py
index bfb7d3d1d1..86e4bcceb0 100644
--- a/salt/client/ssh/__init__.py
+++ b/salt/client/ssh/__init__.py
@@ -157,7 +157,7 @@ SSH_PY_CODE='import base64;
if [ -n "$DEBUG" ]
then set -x
fi
-PYTHON_CMDS="/var/tmp/venv-salt-minion/bin/python python3.11 python3 /usr/libexec/platform-python python27 python2.7 python26 python2.6 python2 python"
+PYTHON_CMDS="/var/tmp/venv-salt-minion/bin/python {{PY3XX_CMD}}python3 /usr/libexec/platform-python python27 python2.7 python26 python2.6 python2 python"
for py_cmd in $PYTHON_CMDS
do
if command -v "$py_cmd" >/dev/null 2>&1 && "$py_cmd" -c "import sys; sys.exit(not (sys.version_info >= (2, 6)));"
@@ -1533,6 +1533,7 @@ ARGS = {arguments}\n'''.format(
SSH_PY_CODE=py_code_enc,
HOST_PY_MAJOR=sys.version_info[0],
SET_PATH=self.set_path,
+ PY3XX_CMD=f"python3.{sys.version_info.minor} " if sys.version_info >= (3, 11) else "",
)
else:
cmd = saltwinshell.gen_shim(py_code_enc)
--
2.51.0