Add fixes for several security vulnerabilities

- Add minimum_auth_version to enforce security (CVE-2025-62349) - Backport security fixes for vendored tornado * BDSA-2024-3438 * BDSA-2024-3439 * BDSA-2024-9026 - Junos module yaml loader fix (CVE-2025-62348)
fix requires
2025-11-26 11:53:43 +01:00 · 2025-11-13 15:04:55 +01:00 · 2025-11-12 13:26:20 +01:00 · 2025-11-12 09:18:44 +01:00
16 changed files with 10057 additions and 5 deletions
--- a/2
+++ b/2
@@ -1 +1 @@
-027db6671bef8be8800aed184d79a28f0318f9be
+e4002cf44a559c382f3ff4ff821562b8f281dad5
--- a/2
+++ b/2
@@ -3,7 +3,7 @@
    <param name="url">https://github.com/openSUSE/salt-packaging.git</param>
    <param name="subdir">salt</param>
    <param name="filename">package</param>
-    <param name="revision">MU/5.0.5</param>
+    <param name="revision">MU/5.0.6</param>
    <param name="scm">git</param>
  </service>
  <service name="extract_file" mode="disabled">
--- a/add-python3.11-as-preferable-for-salt-ssh-to-avoid-t.patch
+++ b/add-python3.11-as-preferable-for-salt-ssh-to-avoid-t.patch
@@ -0,0 +1,26 @@
+From ea87110248948eb61628cda607ae1af34e83fdfe Mon Sep 17 00:00:00 2001
+From: Victor Zhestkov <vzhestkov@suse.com>
+Date: Wed, 1 Oct 2025 14:19:27 +0200
+Subject: [PATCH] Add python3.11 as preferable for salt-ssh to avoid
+ tests fails
+
+---
+ salt/client/ssh/__init__.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/salt/client/ssh/__init__.py b/salt/client/ssh/__init__.py
+index 1d8426b7c2..bfb7d3d1d1 100644
+--- a/salt/client/ssh/__init__.py
+++ b/salt/client/ssh/__init__.py
+@@ -157,7 +157,7 @@ SSH_PY_CODE='import base64;
+ if [ -n "$DEBUG" ]
+     then set -x
+ fi
+-PYTHON_CMDS="/var/tmp/venv-salt-minion/bin/python python3 /usr/libexec/platform-python python27 python2.7 python26 python2.6 python2 python"
+PYTHON_CMDS="/var/tmp/venv-salt-minion/bin/python python3.11 python3 /usr/libexec/platform-python python27 python2.7 python26 python2.6 python2 python"
+ for py_cmd in $PYTHON_CMDS
+ do
+     if command -v "$py_cmd" >/dev/null 2>&1 && "$py_cmd" -c "import sys; sys.exit(not (sys.version_info >= (2, 6)));"
+-- 
+2.51.0
+
--- a/allow-libgit2-to-guess-sysdir-homedir-successfully-b.patch
+++ b/allow-libgit2-to-guess-sysdir-homedir-successfully-b.patch
@@ -0,0 +1,76 @@
+From 6a57e821f3e16981c01078dc7e928672a6f77b88 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pablo=20Su=C3=A1rez=20Hern=C3=A1ndez?=
+ <psuarezhernandez@suse.com>
+Date: Mon, 6 Oct 2025 09:34:17 +0100
+Subject: [PATCH] Allow libgit2 to guess sysdir homedir successfully
+ (bsc#1250520) (bsc#1227207) (#731)
+
+* Allow libgit2 to guess sysdir homedir successfully
+
+This prevents the generic error:
+
+_pygit2.GitError: error loading known_hosts:
+
+which is happening in certain pygit2/libgit2 versions
+
+* Fix pygit2 unit test to check HOME is injected
+---
+ salt/utils/gitfs.py                    | 19 ++++++++++++-------
+ tests/pytests/unit/utils/test_gitfs.py |  4 +++-
+ 2 files changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/salt/utils/gitfs.py b/salt/utils/gitfs.py
+index 2a8ecf1d0cb..d597c17b870 100644
+--- a/salt/utils/gitfs.py
+++ b/salt/utils/gitfs.py
+@@ -110,6 +110,15 @@ try:
+ 
+     with warnings.catch_warnings():
+         warnings.simplefilter("ignore")
+        if "HOME" not in os.environ:
+            # Make sure $HOME env variable is set before importing pygit2 to prevent
+            # _pygit2.GitError: error loading known_hosts in some libgit2 versions.
+            # The internal "git_sysdir__dirs" from libgit2, is initializated
+            # when importing pygit2. The $HOME env must be present to allow libgit2
+            # guessing function to successfully set the homedir in the initializated
+            # libgit2 stack.
+            # https://github.com/saltstack/salt/issues/64121
+            os.environ["HOME"] = os.path.expanduser("~")
+         import pygit2
+     PYGIT2_VERSION = Version(pygit2.__version__)
+     LIBGIT2_VERSION = Version(pygit2.LIBGIT2_VERSION)
+@@ -1890,13 +1899,9 @@ class Pygit2(GitProvider):
+         """
+         # https://github.com/libgit2/pygit2/issues/339
+         # https://github.com/libgit2/libgit2/issues/2122
+-        # https://github.com/saltstack/salt/issues/64121
+-        home = os.path.expanduser("~")
+-        if "HOME" not in os.environ:
+-            # Make sure $HOME env variable is set to prevent
+-            # _pygit2.GitError: error loading known_hosts in some libgit2 versions.
+-            os.environ["HOME"] = home
+-        pygit2.settings.search_path[pygit2.GIT_CONFIG_LEVEL_GLOBAL] = home
+        pygit2.settings.search_path[pygit2.GIT_CONFIG_LEVEL_GLOBAL] = (
+            os.path.expanduser("~")
+        )
+         new = False
+         if not os.listdir(self._cachedir):
+             # Repo cachedir is empty, initialize a new repo there
+diff --git a/tests/pytests/unit/utils/test_gitfs.py b/tests/pytests/unit/utils/test_gitfs.py
+index baedd9fd708..4ab8e7735f0 100644
+--- a/tests/pytests/unit/utils/test_gitfs.py
+++ b/tests/pytests/unit/utils/test_gitfs.py
+@@ -251,7 +251,9 @@ def test_checkout_pygit2_with_home_env_unset(_prepare_provider):
+     provider.credentials = None
+     with patched_environ(__cleanup__=["HOME"]):
+         assert "HOME" not in os.environ
+-        provider.init_remote()
+        import importlib
+
+        importlib.reload(salt.utils.gitfs)
+         assert "HOME" in os.environ
+ 
+ 
+-- 
+2.51.0
+
--- a/backport-3006.17-security-fixes-739.patch
+++ b/backport-3006.17-security-fixes-739.patch
--- a/do-not-break-signature-verification-on-latest-m2cryp.patch
+++ b/do-not-break-signature-verification-on-latest-m2cryp.patch
@@ -0,0 +1,36 @@
+From 002a58144563a15034f982b19ba851326535570a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pablo=20Su=C3=A1rez=20Hern=C3=A1ndez?=
+ <psuarezhernandez@suse.com>
+Date: Wed, 29 Oct 2025 10:30:58 +0000
+Subject: [PATCH] Do not break signature verification on latest
+ M2Crypto versions (bsc#1251776)
+
+---
+ salt/crypt.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/salt/crypt.py b/salt/crypt.py
+index 981f633d51f..29fd159b48c 100644
+--- a/salt/crypt.py
+++ b/salt/crypt.py
+@@ -243,7 +243,7 @@ def sign_message(privkey_path, message, passphrase=None):
+         md = EVP.MessageDigest("sha1")
+         md.update(salt.utils.stringutils.to_bytes(message))
+         digest = md.final()
+-        return key.sign(digest)
+        return key.sign(digest, algo="sha1")
+     else:
+         signer = PKCS1_v1_5.new(key)
+         return signer.sign(SHA.new(salt.utils.stringutils.to_bytes(message)))
+@@ -262,7 +262,7 @@ def verify_signature(pubkey_path, message, signature):
+         md.update(salt.utils.stringutils.to_bytes(message))
+         digest = md.final()
+         try:
+-            return pubkey.verify(digest, signature)
+            return pubkey.verify(digest, signature, algo="sha1")
+         except RSA.RSAError as exc:
+             log.debug("Signature verification failed: %s", exc.args[0])
+             return False
+-- 
+2.51.1
+
--- a/even-more-reliable-pillar-timeout-test.patch
+++ b/even-more-reliable-pillar-timeout-test.patch
@@ -0,0 +1,65 @@
+From dc3027bab4925228cacde00ae626bf651d0a0c3b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pablo=20Su=C3=A1rez=20Hern=C3=A1ndez?=
+ <psuarezhernandez@suse.com>
+Date: Wed, 17 Sep 2025 09:56:44 +0200
+Subject: [PATCH] Even more reliable pillar timeout test
+
+* Even more reliable pillar timeout test
+
+* Use sys.executable on test_pillar_timeout test
+
+---------
+
+Co-authored-by: Daniel A. Wozniak <dwozniak@vmware.com>
+---
+ .../integration/minion/test_return_retries.py  | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/tests/pytests/integration/minion/test_return_retries.py b/tests/pytests/integration/minion/test_return_retries.py
+index 45dea9c4c76..9b71bed58c5 100644
+--- a/tests/pytests/integration/minion/test_return_retries.py
+++ b/tests/pytests/integration/minion/test_return_retries.py
+@@ -5,6 +5,7 @@ import pytest
+ from saltfactories.utils import random_string
+ 
+ from tests.support.helpers import dedent
+import salt.utils.files
+ 
+ 
+ @pytest.fixture(scope="function")
+@@ -57,14 +58,13 @@ def test_publish_retry(salt_master, salt_minion_retry, salt_cli, salt_run_cli):
+ 
+ @pytest.mark.slow_test
+ @pytest.mark.flaky(max_runs=4)
+-def test_pillar_timeout(salt_master_factory):
+-    cmd = (
+-        sys.executable
+-        + ' -c "import time; time.sleep(4.8); print(\'{\\"foo\\": \\"bar\\"}\');"'
+-    ).strip()
+def test_pillar_timeout(salt_master_factory, tmp_path):
+    with salt.utils.files.fopen(tmp_path / "script.py", "w") as fp:
+        fp.write('print(\'{"foo": "bar"}\');\n')
+
+     master_overrides = {
+         "ext_pillar": [
+-            {"cmd_json": cmd},
+            {"cmd_json": f"{sys.executable} {tmp_path / 'script.py'}"},
+         ],
+         "auto_accept": True,
+         "worker_threads": 3,
+@@ -110,7 +110,11 @@ def test_pillar_timeout(salt_master_factory):
+     sls_tempfile = master.state_tree.base.temp_file(
+         "{}.sls".format(sls_name), sls_contents
+     )
+-    with master.started(), minion1.started(), minion2.started(), minion3.started(), minion4.started(), sls_tempfile:
+    with master.started(), minion1.started(), minion2.started(), minion3.started(), minion4.started(), (
+        sls_tempfile
+    ):
+        with salt.utils.files.fopen(tmp_path / "script.py", "w") as fp:
+            fp.write('import time; time.sleep(6); print(\'{"foo": "bang"}\');\n')
+         proc = cli.run("state.sls", sls_name, minion_tgt="*")
+         # At least one minion should have a Pillar timeout
+         print(proc)
+-- 
+2.51.0
+
--- a/fix-functional.states.test_user-for-sles-16-and-micr.patch
+++ b/fix-functional.states.test_user-for-sles-16-and-micr.patch
@@ -0,0 +1,106 @@
+From 6bab2b1bea75e240ebcb86b839a238496a235307 Mon Sep 17 00:00:00 2001
+From: Victor Zhestkov <vzhestkov@suse.com>
+Date: Mon, 11 Aug 2025 14:17:03 +0200
+Subject: [PATCH] Fix functional.states.test_user for SLES 16 and Micro
+ systems
+
+---
+ tests/pytests/functional/states/test_user.py | 42 +++++++++++++-------
+ 1 file changed, 27 insertions(+), 15 deletions(-)
+
+diff --git a/tests/pytests/functional/states/test_user.py b/tests/pytests/functional/states/test_user.py
+index 5eac093ef4..231841ee78 100644
+--- a/tests/pytests/functional/states/test_user.py
+++ b/tests/pytests/functional/states/test_user.py
+@@ -138,7 +138,9 @@ def test_user_present_nondefault(grains, modules, states, username, user_home):
+     if not salt.utils.platform.is_darwin() and not salt.utils.platform.is_windows():
+         assert user_home.is_dir()
+ 
+-    if grains["os_family"] in ("Suse",) and not grains.get("transactional", False):
+    if grains["os_family"] == "Suse" and not (
+        grains.get("transactional", False) or grains.get("osmajorrelease", 0) >= 16
+    ):
+         expected_group_name = "users"
+     elif grains["os_family"] == "MacOS":
+         expected_group_name = "staff"
+@@ -381,11 +383,15 @@ def test_user_present_existing(states, username):
+ 
+ 
+ @pytest.mark.skip_unless_on_linux(reason="underlying functionality only runs on Linux")
+-@pytest.mark.skipif(
+-    bool(salt.utils.path.which("transactional-update")),
+-    reason="Skipping on transactional systems",
+-)
+-def test_user_present_change_groups(modules, states, username, group_1, group_2):
+def test_user_present_change_groups(
+    grains, modules, states, username, group_1, group_2
+):
+    expected_groups = [group_2.name, group_1.name]
+    if grains["os_family"] == "Suse" and (
+        grains.get("transactional", False) or grains.get("osmajorrelease", 0) >= 16
+    ):
+        expected_groups.append(username)
+
+     ret = states.user.present(
+         name=username,
+         groups=[group_1.name, group_2.name],
+@@ -394,7 +400,9 @@ def test_user_present_change_groups(modules, states, username, group_1, group_2)
+ 
+     user_info = modules.user.info(username)
+     assert user_info
+-    assert user_info["groups"] == [group_2.name, group_1.name]
+    assert sorted(user_info["groups"]) == sorted(expected_groups)
+
+    expected_groups.remove(group_2.name)
+ 
+     # run again and remove group_2
+     ret = states.user.present(
+@@ -405,17 +413,19 @@ def test_user_present_change_groups(modules, states, username, group_1, group_2)
+ 
+     user_info = modules.user.info(username)
+     assert user_info
+-    assert user_info["groups"] == [group_1.name]
+    assert sorted(user_info["groups"]) == sorted(expected_groups)
+ 
+ 
+ @pytest.mark.skip_unless_on_linux(reason="underlying functionality only runs on Linux")
+-@pytest.mark.skipif(
+-    bool(salt.utils.path.which("transactional-update")),
+-    reason="Skipping on transactional systems",
+-)
+ def test_user_present_change_optional_groups(
+-    modules, states, username, group_1, group_2
+    grains, modules, states, username, group_1, group_2
+ ):
+    expected_groups = [group_2.name, group_1.name]
+    if grains["os_family"] == "Suse" and (
+        grains.get("transactional", False) or grains.get("osmajorrelease", 0) >= 16
+    ):
+        expected_groups.append(username)
+
+     ret = states.user.present(
+         name=username,
+         optional_groups=[group_1.name, group_2.name],
+@@ -424,7 +434,9 @@ def test_user_present_change_optional_groups(
+ 
+     user_info = modules.user.info(username)
+     assert user_info
+-    assert user_info["groups"] == [group_2.name, group_1.name]
+    assert sorted(user_info["groups"]) == sorted(expected_groups)
+
+    expected_groups.remove(group_2.name)
+ 
+     # run again and remove group_2
+     ret = states.user.present(
+@@ -435,7 +447,7 @@ def test_user_present_change_optional_groups(
+ 
+     user_info = modules.user.info(username)
+     assert user_info
+-    assert user_info["groups"] == [group_1.name]
+    assert sorted(user_info["groups"]) == sorted(expected_groups)
+ 
+ 
+ @pytest.mark.skip_unless_on_linux(reason="underlying functionality only runs on Linux")
+-- 
+2.50.1
+
--- a/fix-salt-for-python-3.11.patch
+++ b/fix-salt-for-python-3.11.patch
--- a/fix-the-tests-failing-on-almalinux-10-and-other-clon.patch
+++ b/fix-the-tests-failing-on-almalinux-10-and-other-clon.patch
@@ -0,0 +1,70 @@
+From 4cdce6826c5dcc4b26ce9b877858aa0425d33842 Mon Sep 17 00:00:00 2001
+From: Victor Zhestkov <vzhestkov@suse.com>
+Date: Mon, 11 Aug 2025 14:16:15 +0200
+Subject: [PATCH] Fix the tests failing on AlmaLinux 10 and other
+ clones
+
+* Fix the package manager related tests failing with AlmaLinux 10
+
+* Fix network test failing on NetworkManager only systems
+
+* Align test conditions with upstream
+---
+ tests/integration/states/test_network.py               | 7 +++++++
+ tests/pytests/functional/states/pkgrepo/test_centos.py | 6 +++++-
+ tests/pytests/functional/states/test_pkg.py            | 4 ++--
+ 3 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/tests/integration/states/test_network.py b/tests/integration/states/test_network.py
+index 623cde77b9..efc5768e48 100644
+--- a/tests/integration/states/test_network.py
+++ b/tests/integration/states/test_network.py
+@@ -25,6 +25,13 @@ class NetworkTest(ModuleCase, SaltReturnAssertsMixin):
+                 "Network state only supported on RedHat and Debian based systems."
+                 "The network state does not currently work on VMware Photon OS."
+             )
+        if (
+            os_family == "RedHat"
+            and self.run_function("grains.get", ["osmajorrelease"]) >= 10
+        ):
+            self.skipTest(
+                "Network state doesn't fully support NetworkManager only systems."
+            )
+ 
+     @pytest.mark.slow_test
+     def test_managed(self):
+diff --git a/tests/pytests/functional/states/pkgrepo/test_centos.py b/tests/pytests/functional/states/pkgrepo/test_centos.py
+index 6a84f96ac9..5f6e82d59f 100644
+--- a/tests/pytests/functional/states/pkgrepo/test_centos.py
+++ b/tests/pytests/functional/states/pkgrepo/test_centos.py
+@@ -242,7 +242,11 @@ def copr_pkgrepo_with_comments_name(pkgrepo, grains):
+         or grains["os"] == "VMware Photon OS"
+     ):
+         pytest.skip("copr plugin not installed on {} CI".format(grains["osfinger"]))
+-    if grains["os"] in ("CentOS Stream", "AlmaLinux") and grains["osmajorrelease"] == 9:
+    if (
+        grains["os"] in ("CentOS Stream", "AlmaLinux", "Rocky")
+        and grains["osmajorrelease"] >= 9
+        or grains["osfinger"] == "Amazon Linux-2023"
+    ):
+         pytest.skip("No repo for {} in test COPR yet".format(grains["osfinger"]))
+     pkgrepo_name = "hello-copr"
+     try:
+diff --git a/tests/pytests/functional/states/test_pkg.py b/tests/pytests/functional/states/test_pkg.py
+index 9e5a8350ad..559a91e060 100644
+--- a/tests/pytests/functional/states/test_pkg.py
+++ b/tests/pytests/functional/states/test_pkg.py
+@@ -52,8 +52,8 @@ def PKG_TARGETS(grains):
+         if grains["os"] == "VMware Photon OS":
+             _PKG_TARGETS = ["wget", "zsh-html"]
+         elif (
+-            grains["os"] in ("CentOS Stream", "AlmaLinux")
+-            and grains["osmajorrelease"] == 9
+            grains["os"] in ("CentOS Stream", "Rocky", "AlmaLinux")
+            and grains["osmajorrelease"] >= 9
+         ):
+             _PKG_TARGETS = ["units", "zsh"]
+         else:
+-- 
+2.50.1
+
--- a/fix-tls-and-x509-modules-for-older-cryptography-modu.patch
+++ b/fix-tls-and-x509-modules-for-older-cryptography-modu.patch
@@ -0,0 +1,290 @@
+From 7f15657c26c4e5e9fabc72f4da2d9a91353d5d3a Mon Sep 17 00:00:00 2001
+From: Marek Czernek <marek.czernek@suse.com>
+Date: Tue, 11 Nov 2025 08:46:20 +0100
+Subject: [PATCH] Fix tls and x509 modules for older cryptography
+ module (#737)
+
+---
+ salt/modules/tls.py  |  73 +++++++++++++++++-------
+ salt/modules/x509.py | 128 +++++++++++++++++++++++++++++++++++--------
+ 2 files changed, 158 insertions(+), 43 deletions(-)
+
+diff --git a/salt/modules/tls.py b/salt/modules/tls.py
+index 9d29bd1e9b..4d7db87f93 100644
+--- a/salt/modules/tls.py
+++ b/salt/modules/tls.py
+@@ -104,6 +104,7 @@ import logging
+ import math
+ import os
+ import re
+import sys
+ import time
+ from datetime import datetime
+ 
+@@ -1594,6 +1595,9 @@ def create_pkcs12(ca_name, CN, passphrase="", cacert_path=None, replace=False):
+ 
+         salt '*' tls.create_pkcs12 test localhost
+     """
+    # Necessary for OSes with older cryptography module
+    compat_mode = sys.version_info < (3,12)
+
+     set_ca_path(cacert_path)
+     p12_path = f"{cert_base_path()}/{ca_name}/certs/{CN}.p12"
+     ca_cert_path = f"{cert_base_path()}/{ca_name}/{ca_name}_ca_cert.crt"
+@@ -1605,7 +1609,12 @@ def create_pkcs12(ca_name, CN, passphrase="", cacert_path=None, replace=False):
+ 
+     try:
+         with salt.utils.files.fopen(ca_cert_path, "rb") as fhr:
+-            ca_cert = cryptography.x509.load_pem_x509_certificate(fhr.read())
+            if compat_mode:
+                ca_cert = OpenSSL.crypto.load_certificate(
+                    OpenSSL.crypto.FILETYPE_PEM, fhr.read()
+                )
+            else:
+                ca_cert = cryptography.x509.load_pem_x509_certificate(fhr.read())
+     except OSError:
+         return 'There is no CA named "{}"'.format(ca_name)
+     except ValueError as e:
+@@ -1613,34 +1622,58 @@ def create_pkcs12(ca_name, CN, passphrase="", cacert_path=None, replace=False):
+ 
+     try:
+         with salt.utils.files.fopen(cert_path, "rb") as fhr:
+-            cert = cryptography.x509.load_pem_x509_certificate(fhr.read())
+            if compat_mode:
+                cert = OpenSSL.crypto.load_certificate(
+                    OpenSSL.crypto.FILETYPE_PEM, fhr.read()
+                )
+            else:
+                cert = cryptography.x509.load_pem_x509_certificate(fhr.read())
+         with salt.utils.files.fopen(priv_key_path, "rb") as fhr:
+-            key = cryptography_serialization.load_pem_private_key(
+-                fhr.read(),
+-                password=None,
+-            )
+            if compat_mode:
+                key = OpenSSL.crypto.load_privatekey(
+                    OpenSSL.crypto.FILETYPE_PEM, fhr.read()
+                )
+            else:
+                key = cryptography_serialization.load_pem_private_key(
+                    fhr.read(),
+                    password=None,
+                )
+     except OSError:
+         return 'There is no certificate that matches the CN "{}"'.format(CN)
+     except ValueError as e:
+         return f'Could not load certificate {cert_path}: {e}'
+ 
+-    if passphrase:
+-        encryption_algorithm = cryptography_serialization.BestAvailableEncryption(
+-            salt.utils.stringutils.to_bytes(passphrase)
+-        )
+    if compat_mode:
+        pkcs12 = OpenSSL.crypto.PKCS12()
+
+        pkcs12.set_certificate(cert)
+        pkcs12.set_ca_certificates([ca_cert])
+        pkcs12.set_privatekey(key)
+
+        with salt.utils.files.fopen(
+            "{}/{}/certs/{}.p12".format(cert_base_path(), ca_name, CN), "wb"
+        ) as ofile:
+            ofile.write(
+                pkcs12.export(passphrase=salt.utils.stringutils.to_bytes(passphrase))
+            )
+     else:
+-        encryption_algorithm = cryptography_serialization.NoEncryption()
+        if passphrase:
+            encryption_algorithm = cryptography_serialization.BestAvailableEncryption(
+                salt.utils.stringutils.to_bytes(passphrase)
+            )
+        else:
+            encryption_algorithm = cryptography_serialization.NoEncryption()
+ 
+-    pkcs12 = cryptography_pkcs12.serialize_key_and_certificates(
+-        name=salt.utils.stringutils.to_bytes(CN),
+-        key=key,
+-        cert=cert,
+-        cas=[ca_cert],
+-        encryption_algorithm=encryption_algorithm,
+-    )
+        pkcs12 = cryptography_pkcs12.serialize_key_and_certificates(
+            name=salt.utils.stringutils.to_bytes(CN),
+            key=key,
+            cert=cert,
+            cas=[ca_cert],
+            encryption_algorithm=encryption_algorithm,
+        )
+ 
+-    with salt.utils.files.fopen(p12_path, "wb") as ofile:
+-        ofile.write(pkcs12)
+        with salt.utils.files.fopen(p12_path, "wb") as ofile:
+            ofile.write(pkcs12)
+ 
+     return 'Created PKCS#12 Certificate for "{0}": "{1}/{2}/certs/{0}.p12"'.format(
+         CN,
+diff --git a/salt/modules/x509.py b/salt/modules/x509.py
+index 164541fc76..373e394856 100644
+--- a/salt/modules/x509.py
+++ b/salt/modules/x509.py
+@@ -32,16 +32,20 @@ import tempfile
+ 
+ import salt.exceptions
+ import salt.utils.data
+-import salt.utils.dictupdate
+ import salt.utils.files
+ import salt.utils.path
+ import salt.utils.platform
+ import salt.utils.stringutils
+ import salt.utils.versions
+-import salt.utils.x509 as x509util
+ from salt.state import STATE_INTERNAL_KEYWORDS as _STATE_INTERNAL_KEYWORDS
+ from salt.utils.odict import OrderedDict
+ 
+# Necessary for OSes with older cryptography module
+COMPAT_MODE = sys.version_info < (3,12)
+if not COMPAT_MODE:
+    import salt.utils.dictupdate
+    import salt.utils.x509 as x509util
+
+ try:
+     import M2Crypto
+ 
+@@ -988,35 +992,113 @@ def create_crl(
+ 
+     if revoked is None:
+         revoked = []
+    if COMPAT_MODE:
+        crl = OpenSSL.crypto.CRL()
+        for rev_item in revoked:
+            if "certificate" in rev_item:
+                rev_cert = read_certificate(rev_item["certificate"])
+                rev_item["serial_number"] = rev_cert["Serial Number"]
+                rev_item["not_after"] = rev_cert["Not After"]
+ 
+-    for rev_item in revoked:
+-        if "reason" in rev_item:
+-            salt.utils.dictupdate.set_dict_key_value(
+-                rev_item, "extensions:CRLReason", rev_item["reason"]
+            serial_number = rev_item["serial_number"].replace(":", "")
+            # OpenSSL bindings requires this to be a non-unicode string
+            serial_number = salt.utils.stringutils.to_bytes(serial_number)
+
+            if "not_after" in rev_item and not include_expired:
+                not_after = datetime.datetime.strptime(
+                    rev_item["not_after"], "%Y-%m-%d %H:%M:%S"
+                )
+                if datetime.datetime.now() > not_after:
+                    continue
+
+            if "revocation_date" not in rev_item:
+                rev_item["revocation_date"] = datetime.datetime.now().strftime(
+                    "%Y-%m-%d %H:%M:%S"
+                )
+
+            rev_date = datetime.datetime.strptime(
+                rev_item["revocation_date"], "%Y-%m-%d %H:%M:%S"
+             )
+            rev_date = rev_date.strftime("%Y%m%d%H%M%SZ")
+            rev_date = salt.utils.stringutils.to_bytes(rev_date)
+ 
+-    builder, private_key_obj = x509util.build_crl(
+-        signing_private_key=signing_private_key,
+-        signing_private_key_passphrase=signing_private_key_passphrase,
+-        include_expired=include_expired,
+-        revoked=revoked,
+-        signing_cert=signing_cert,
+-        days_valid=days_valid,
+-    )
+            rev = OpenSSL.crypto.Revoked()
+            rev.set_serial(salt.utils.stringutils.to_bytes(serial_number))
+            rev.set_rev_date(salt.utils.stringutils.to_bytes(rev_date))
+
+            if "reason" in rev_item:
+                # Same here for OpenSSL bindings and non-unicode strings
+                reason = salt.utils.stringutils.to_bytes(rev_item["reason"])
+                rev.set_reason(reason)
+
+            crl.add_revoked(rev)
+
+        signing_cert = _text_or_file(signing_cert)
+        cert = OpenSSL.crypto.load_certificate(
+            OpenSSL.crypto.FILETYPE_PEM, get_pem_entry(signing_cert, pem_type="CERTIFICATE")
+        )
+        signing_private_key = _get_private_key_obj(
+            signing_private_key, passphrase=signing_private_key_passphrase
+        ).as_pem(cipher=None)
+        key = OpenSSL.crypto.load_privatekey(
+            OpenSSL.crypto.FILETYPE_PEM, get_pem_entry(signing_private_key)
+        )
+
+        export_kwargs = {
+            "cert": cert,
+            "key": key,
+            "type": OpenSSL.crypto.FILETYPE_PEM,
+            "days": days_valid,
+        }
+        if digest:
+            export_kwargs["digest"] = salt.utils.stringutils.to_bytes(digest)
+        else:
+            log.warning("No digest specified. The default md5 digest will be used.")
+
+        try:
+            crltext = crl.export(**export_kwargs)
+        except (TypeError, ValueError):
+            log.warning(
+                "Error signing crl with specified digest. Are you using "
+                "pyopenssl 0.15 or newer? The default md5 digest will be used."
+            )
+            export_kwargs.pop("digest", None)
+            crltext = crl.export(**export_kwargs)
+
+        if text:
+            return crltext
+
+        return write_pem(text=crltext, path=path, pem_type="X509 CRL")
+ 
+-    if digest:
+-        hashing_algorithm = x509util.get_hashing_algorithm(digest)
+     else:
+-        log.warning("No digest specified. The default md5 digest will be used.")
+-        hashing_algorithm = x509util.get_hashing_algorithm("MD5")
+        for rev_item in revoked:
+            if "reason" in rev_item:
+                salt.utils.dictupdate.set_dict_key_value(
+                    rev_item, "extensions:CRLReason", rev_item["reason"]
+                )
+ 
+-    crl = builder.sign(private_key_obj, algorithm=hashing_algorithm)
+-    crl_bytes = crl.public_bytes(x509util.serialization.Encoding.PEM)
+        builder, private_key_obj = x509util.build_crl(
+            signing_private_key=signing_private_key,
+            signing_private_key_passphrase=signing_private_key_passphrase,
+            include_expired=include_expired,
+            revoked=revoked,
+            signing_cert=signing_cert,
+            days_valid=days_valid,
+        )
+ 
+-    if text:
+-        return crl_bytes.decode()
+        if digest:
+            hashing_algorithm = x509util.get_hashing_algorithm(digest)
+        else:
+            log.warning("No digest specified. The default md5 digest will be used.")
+            hashing_algorithm = x509util.get_hashing_algorithm("MD5")
+ 
+-    return write_pem(text=crl_bytes, path=path, pem_type="X509 CRL")
+        crl = builder.sign(private_key_obj, algorithm=hashing_algorithm)
+        crl_bytes = crl.public_bytes(x509util.serialization.Encoding.PEM)
+
+        if text:
+            return crl_bytes.decode()
+
+        return write_pem(text=crl_bytes, path=path, pem_type="X509 CRL")
+ 
+ 
+ def sign_remote_certificate(argdic, **kwargs):
+-- 
+2.51.1
+
--- a/improve-sl-micro-6.2-detection-with-grains.patch
+++ b/improve-sl-micro-6.2-detection-with-grains.patch
@@ -0,0 +1,78 @@
+From 270fda818beca6cb1a8b0f79f6df33e2cb7dc2d2 Mon Sep 17 00:00:00 2001
+From: Victor Zhestkov <vzhestkov@suse.com>
+Date: Mon, 11 Aug 2025 14:17:57 +0200
+Subject: [PATCH] Improve SL Micro 6.2 detection with grains
+
+* Add workaround for detecting SL Micro 6.2
+
+* Add SL Micro 6.2 core grains detection test
+---
+ salt/grains/core.py                    | 12 +++++++++++
+ tests/pytests/unit/grains/test_core.py | 28 ++++++++++++++++++++++++++
+ 2 files changed, 40 insertions(+)
+
+diff --git a/salt/grains/core.py b/salt/grains/core.py
+index 619969df9a..582b37de94 100644
+--- a/salt/grains/core.py
+++ b/salt/grains/core.py
+@@ -2376,6 +2376,18 @@ def _legacy_linux_distribution_data(grains, os_release, lsb_has_error):
+         grains["oscodename"] = oscodename
+     if "os" not in grains:
+         grains["os"] = _derive_os_grain(grains["osfullname"])
+    if "SUSE_SUPPORT_PRODUCT" in os_release and "SUSE_SUPPORT_PRODUCT_VERSION":
+        # It's a workaround for very specific case of SL Micro 6.2
+        # SL Micro 6.2 is different than prevoius ones and identifies itself
+        # as SLES-16, but transactional. This workaround was made to make the grains
+        # of SL Micro 6.2 aligned with the previous versions.
+        grains["oscodename"] = os_release.get(
+            "SUSE_PRETTY_NAME",
+            f"{os_release['SUSE_SUPPORT_PRODUCT']} {os_release['SUSE_SUPPORT_PRODUCT_VERSION']}",
+        )
+        grains["osrelease"] = os_release["SUSE_SUPPORT_PRODUCT_VERSION"]
+        if os_release["SUSE_SUPPORT_PRODUCT"] == "SUSE Linux Micro":
+            grains["osfullname"] = "SL-Micro"
+     # this assigns family names based on the os name
+     # family defaults to the os name if not found
+     grains["os_family"] = _OS_FAMILY_MAP.get(grains["os"], grains["os"])
+diff --git a/tests/pytests/unit/grains/test_core.py b/tests/pytests/unit/grains/test_core.py
+index c15a3b4360..135c40bc2b 100644
+--- a/tests/pytests/unit/grains/test_core.py
+++ b/tests/pytests/unit/grains/test_core.py
+@@ -841,6 +841,34 @@ def test_suse_os_grains_tumbleweed():
+     _run_suse_os_grains_tests(_os_release_data, {}, expectation)
+ 
+ 
+@pytest.mark.skip_unless_on_linux
+def test_suse_os_grains_slmicro62():
+    """
+    Test if OS grains are parsed correctly in SL Micro 6.2
+    """
+    _os_release_data = {
+        "NAME": "SLES",
+        "VERSION": "16.0",
+        "VERSION_ID": "16.0",
+        "PRETTY_NAME": "SUSE Linux Enterprise Server 16.0",
+        "ID": "sles",
+        "ANSI_COLOR": "0;32",
+        "CPE_NAME": "cpe:/o:suse:sles:16:16.0",
+        "SUSE_SUPPORT_PRODUCT": "SUSE Linux Micro",
+        "SUSE_SUPPORT_PRODUCT_VERSION": "6.2",
+        "SUSE_PRETTY_NAME": "SUSE Linux Micro 6.2",
+    }
+    expectation = {
+        "oscodename": "SUSE Linux Micro 6.2",
+        "osfullname": "SL-Micro",
+        "osrelease": "6.2",
+        "osrelease_info": (6, 2),
+        "osmajorrelease": 6,
+        "osfinger": "SL-Micro-6",
+    }
+    _run_suse_os_grains_tests(_os_release_data, {}, expectation)
+
+
+ @pytest.mark.skip_unless_on_linux
+ def test_debian_9_os_grains():
+     """
+-- 
+2.50.1
+
--- a/modify-readme-for-opensuse-728.patch
+++ b/modify-readme-for-opensuse-728.patch
--- a/salt.changes
+++ b/salt.changes
@@ -1,3 +1,64 @@
+-------------------------------------------------------------------
+Wed Nov 26 10:48:08 UTC 2025 - Alexander Graul <alexander.graul@suse.com>
+
+- Add minimum_auth_version to enforce security (CVE-2025-62349)
+- Backport security fixes for vendored tornado
+  * BDSA-2024-3438
+  * BDSA-2024-3439
+  * BDSA-2024-9026
+- Junos module yaml loader fix (CVE-2025-62348)
+
+- Added:
+  * backport-3006.17-security-fixes-739.patch
+
+-------------------------------------------------------------------
+Thu Nov 13 14:04:05 UTC 2025 - Marek Czernek <marek.czernek@suse.com>
+
+- Require Python dependencies only for used Python version
+
+-------------------------------------------------------------------
+Tue Nov 11 16:14:31 UTC 2025 - Marek Czernek <marek.czernek@suse.com>
+
+- Fix TLS and x509 modules for OSes with older cryptography module
+- Require python-legacy-cgi only for Python > 3.12
+- Builds with py >=3.13 require python-legacy-cgi
+- Fix Salt for Python > 3.11 (bsc#1252285) (bsc#1252244)
+  * Use external tornado on Python > 3.11
+  * Make tls and x509 to use python-cryptography
+  * Remove usage of spwd
+
+- Added:
+  * fix-tls-and-x509-modules-for-older-cryptography-modu.patch
+  * fix-salt-for-python-3.11.patch
+
+-------------------------------------------------------------------
+Wed Nov  5 14:54:20 UTC 2025 - Marek Czernek <marek.czernek@suse.com>
+
+- Fix payload signature verification on Tumbleweed (bsc#1251776)
+- Fix broken symlink on migration to Leap 16.0 (bsc#1250755)
+- Use versioned python interpreter for salt-ssh
+- Fix known_hosts error on gitfs (bsc#1250520) (bsc#1227207)
+- Add python3.11 as preferable for salt-ssh to avoid tests fails
+- Make test_pillar_timeout test more reliable
+- Modify README and other doc files for openSUSE
+- Set python-CherryPy as required for python-salt-testsuite (#115)
+- Revert require M2Crypto >= 0.44.0 for SUSE Family distros
+- This reverts commit aa40615dcf7a15325ef71bbc09a5423ce512491d.
+- Improve SL Micro 6.2 detection with grains
+- Fix functional.states.test_user for SLES 16 and Micro systems
+- Fix the tests failing on AlmaLinux 10 and other clones
+
+- Added:
+  * do-not-break-signature-verification-on-latest-m2cryp.patch
+  * use-versioned-python-interpreter-for-salt-ssh.patch
+  * allow-libgit2-to-guess-sysdir-homedir-successfully-b.patch
+  * add-python3.11-as-preferable-for-salt-ssh-to-avoid-t.patch
+  * even-more-reliable-pillar-timeout-test.patch
+  * modify-readme-for-opensuse-728.patch
+  * improve-sl-micro-6.2-detection-with-grains.patch
+  * fix-functional.states.test_user-for-sles-16-and-micr.patch
+  * fix-the-tests-failing-on-almalinux-10-and-other-clon.patch
+
 -------------------------------------------------------------------
 Fri Jul  4 10:58:04 UTC 2025 - Victor Zhestkov <vzhestkov@suse.com>

--- a/salt.spec
+++ b/salt.spec
@@ -568,6 +568,37 @@ Patch174:       several-fixes-for-security-issues.patch
 Patch175:       fix-tests-issues-in-salt-shaker-environments-721.patch
 # PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/722
 Patch176:       add-minion_legacy_req_warnings-option-to-avoid-noisy.patch
+# PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/pull/68246
+Patch177:       fix-the-tests-failing-on-almalinux-10-and-other-clon.patch
+# PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/pull/66630
+Patch178:       fix-functional.states.test_user-for-sles-16-and-micr.patch
+# PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/pull/68247
+Patch179:       improve-sl-micro-6.2-detection-with-grains.patch
+# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/728
+Patch180:       modify-readme-for-opensuse-728.patch
+# PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/pull/68331
+# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/729
+Patch181:       even-more-reliable-pillar-timeout-test.patch
+# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/730
+Patch182:       add-python3.11-as-preferable-for-salt-ssh-to-avoid-t.patch
+# PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/pull/68366
+Patch183:       allow-libgit2-to-guess-sysdir-homedir-successfully-b.patch
+# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/732
+Patch184:       use-versioned-python-interpreter-for-salt-ssh.patch
+# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/735
+Patch185:       do-not-break-signature-verification-on-latest-m2cryp.patch
+# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/736
+Patch186:       fix-salt-for-python-3.11.patch
+# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/737
+Patch187:       fix-tls-and-x509-modules-for-older-cryptography-modu.patch
+# PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/issues/68377
+# PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/issues/68379
+# PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/issues/68383
+# PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/issues/68467
+# PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/issues/68469
+# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/739
+Patch188:       backport-3006.17-security-fixes-739.patch
+

 ### IMPORTANT: The line below is used as a snippet marker. Do not touch it.
 ### SALT PATCHES LIST END
@@ -681,7 +712,7 @@ BuildRequires:  %{python_module MarkupSafe}
 BuildRequires:  %{python_module msgpack-python > 0.3}
 BuildRequires:  %{python_module pyzmq > 2.2.0}
 %if 0%{?suse_version} >= 1500
-BuildRequires:  %{python_module M2Crypto >= 0.44.0}
+BuildRequires:  %{python_module M2Crypto}
 %else
 BuildRequires:  %{python_module pycrypto >= 2.6.1}
 %endif
@@ -771,6 +802,7 @@ Requires:       %{python_module distro}
 Requires:       %{python_module looseversion}
 Requires:       %{python_module packaging}
 Requires:       %{python_module contextvars}
+Requires:       %{python_module cryptography}
 %if 0%{?suse_version}
 # required for zypper.py
 Requires:       %{python_module rpm}
@@ -788,6 +820,7 @@ Requires:       python-distro
 Requires:       python-looseversion
 Requires:       python-packaging
 Requires:       python-contextvars
+Requires:       python-cryptography
 %if 0%{?suse_version}
 # required for zypper.py
 Requires:       python-rpm
@@ -828,11 +861,18 @@ Recommends:     %{python_module passlib}
 Recommends:     python-passlib
 %endif

+%if 0%{?suse_version} >= 1600
+Requires:       python-tornado
+%if 0%{?python3_version_nodots} > 312
+Requires:       python-legacy-cgi
+%endif
+%else
 %if 0%{?singlespec_compat}
 Provides:       bundled(%{python_module tornado}) = 4.5.3
 %else
 Provides:       bundled(python-tornado) = 4.5.3
 %endif
+%endif

 Provides:       %{name}-call = %{version}-%{release}

@@ -1072,7 +1112,7 @@ BuildRequires:  %{python_module setuptools}

 Requires:       salt = %{version}
 %if 0%{?singlespec_compat}
-Recommends:     %{python_module CherryPy}
+Requires:       %{python_module CherryPy}
 Requires:       %{python_module Genshi}
 Requires:       %{python_module Mako}
 %if !0%{?suse_version} > 1600 || 0%{?centos}
@@ -1092,7 +1132,7 @@ Requires:       %{python_module testinfra}
 Requires:       %{python_module yamllint}
 Requires:       %{python_module pip}
 %else
-Recommends:     python-CherryPy
+Requires:       python-CherryPy
 Requires:       python-Genshi
 Requires:       python-Mako
 %if !0%{?suse_version} > 1600 || 0%{?centos}
@@ -1620,6 +1660,26 @@ fi
 %else
 %posttrans -n python-salt
 %endif
+
+%if %{with libalternatives}
+# restore symlinks to alts after migration from update-alternatives to alts
+# in cases where the old package flavor (based u-a) is removed in favor of
+# new python flavor (bsc#1250755).
+# i.a. python3-salt (3.6 using u-a) -> python313-salt (3.13 using alts)
+if [ -f /usr/bin/alts ]; then
+    for SALT_SCRIPT in salt-call salt-support spm; do
+        if [ ! -e "%{_bindir}/${SALT_SCRIPT}" ]; then
+            ln -sf alts "%{_bindir}/${SALT_SCRIPT}"
+        fi
+    done
+    for SALT_SCRIPT in salt salt-api salt-cloud salt-cp salt-key salt-master salt-minion salt-proxy salt-run salt-ssh salt-syndic zyppnotify; do
+        if [ ! -e "%{_exec_prefix}/libexec/salt/${SALT_SCRIPT}" ]; then
+            ln -sf ../../bin/alts "%{_exec_prefix}/libexec/salt/${SALT_SCRIPT}"
+        fi
+    done
+fi
+%endif
+
 # force re-generate a new thin.tgz
 rm -f %{_localstatedir}/cache/salt/master/thin/version
 rm -f %{_localstatedir}/cache/salt/minion/thin/version
--- a/use-versioned-python-interpreter-for-salt-ssh.patch
+++ b/use-versioned-python-interpreter-for-salt-ssh.patch
@@ -0,0 +1,33 @@
+From 1df479ec297e340bbe5f4913afce02f6c8427bd4 Mon Sep 17 00:00:00 2001
+From: Victor Zhestkov <vzhestkov@suse.com>
+Date: Mon, 6 Oct 2025 16:41:46 +0200
+Subject: [PATCH] Use versioned python interpreter for salt-ssh
+
+---
+ salt/client/ssh/__init__.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/salt/client/ssh/__init__.py b/salt/client/ssh/__init__.py
+index bfb7d3d1d1..86e4bcceb0 100644
+--- a/salt/client/ssh/__init__.py
+++ b/salt/client/ssh/__init__.py
+@@ -157,7 +157,7 @@ SSH_PY_CODE='import base64;
+ if [ -n "$DEBUG" ]
+     then set -x
+ fi
+-PYTHON_CMDS="/var/tmp/venv-salt-minion/bin/python python3.11 python3 /usr/libexec/platform-python python27 python2.7 python26 python2.6 python2 python"
+PYTHON_CMDS="/var/tmp/venv-salt-minion/bin/python {{PY3XX_CMD}}python3 /usr/libexec/platform-python python27 python2.7 python26 python2.6 python2 python"
+ for py_cmd in $PYTHON_CMDS
+ do
+     if command -v "$py_cmd" >/dev/null 2>&1 && "$py_cmd" -c "import sys; sys.exit(not (sys.version_info >= (2, 6)));"
+@@ -1533,6 +1533,7 @@ ARGS = {arguments}\n'''.format(
+                 SSH_PY_CODE=py_code_enc,
+                 HOST_PY_MAJOR=sys.version_info[0],
+                 SET_PATH=self.set_path,
+                PY3XX_CMD=f"python3.{sys.version_info.minor} " if sys.version_info >= (3, 11) else "",
+             )
+         else:
+             cmd = saltwinshell.gen_shim(py_code_enc)
+-- 
+2.51.0
+
Author	SHA256	Message	Date
Alexander Graul	2dcffdf050	Add fixes for several security vulnerabilities - Add minimum_auth_version to enforce security (CVE-2025-62349) - Backport security fixes for vendored tornado * BDSA-2024-3438 * BDSA-2024-3439 * BDSA-2024-9026 - Junos module yaml loader fix (CVE-2025-62348)	2025-11-26 11:53:43 +01:00
Marek Czernek	57c5c88594	fix requires	2025-11-13 15:04:55 +01:00
Marek Czernek	6de9e10eff	Fix chlog	2025-11-12 13:26:20 +01:00
Marek Czernek	0b84d8d053	Prepare for release	2025-11-12 09:18:44 +01:00