Release v3006.5

2025-04-16 09:40:20 +00:00 · 2023-12-12 18:03:35 +00:00 · 2023-12-12 18:03:35 +00:00 · 0472fd381e
commit 0472fd381e
parent 49e9bd3693
66 changed files with 852 additions and 123 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -7,6 +7,83 @@ Versions are `MAJOR.PATCH`.

 # Changelog

+## 3006.5 (2023-12-12)
+
+
+### Removed
+
+- Tech Debt - support for pysss removed due to functionality addition in Python 3.3 [#65029](https://github.com/saltstack/salt/issues/65029)
+
+
+### Fixed
+
+- Improved error message when state arguments are accidentally passed as a string [#38098](https://github.com/saltstack/salt/issues/38098)
+- Allow `pip.install` to create a log file that is passed in if the parent directory is writeable [#44722](https://github.com/saltstack/salt/issues/44722)
+- Fixed merging of complex pillar overrides with salt-ssh states [#59802](https://github.com/saltstack/salt/issues/59802)
+- Fixed gpg pillar rendering with salt-ssh [#60002](https://github.com/saltstack/salt/issues/60002)
+- Made salt-ssh states not re-render pillars unnecessarily [#62230](https://github.com/saltstack/salt/issues/62230)
+- Made Salt maintain options in Debian package repo definitions [#64130](https://github.com/saltstack/salt/issues/64130)
+- Migrated all [`invoke`](https://www.pyinvoke.org/) tasks to [`python-tools-scripts`](https://github.com/s0undt3ch/python-tools-scripts).
+
+  * `tasks/docs.py` -> `tools/precommit/docs.py`
+  * `tasks/docstrings.py` -> `tools/precommit/docstrings.py`
+  * `tasks/loader.py` -> `tools/precommit/loader.py`
+  * `tasks/filemap.py` -> `tools/precommit/filemap.py` [#64374](https://github.com/saltstack/salt/issues/64374)
+- Fix salt user login shell path in Debian packages [#64377](https://github.com/saltstack/salt/issues/64377)
+- Fill out lsb_distrib_xxxx (best estimate) grains if problems with retrieving lsb_release data [#64473](https://github.com/saltstack/salt/issues/64473)
+- Fixed an issue in the ``file.directory`` state where the ``children_only`` keyword
+  argument was not being respected. [#64497](https://github.com/saltstack/salt/issues/64497)
+- Move salt.ufw to correct location /etc/ufw/applications.d/ [#64572](https://github.com/saltstack/salt/issues/64572)
+- Fixed salt-ssh stacktrace when retcode is not an integer [#64575](https://github.com/saltstack/salt/issues/64575)
+- Fixed SSH shell seldomly fails to report any exit code [#64588](https://github.com/saltstack/salt/issues/64588)
+- Fixed some issues in x509_v2 execution module private key functions [#64597](https://github.com/saltstack/salt/issues/64597)
+- Fixed grp.getgrall() in utils/user.py causing performance issues [#64888](https://github.com/saltstack/salt/issues/64888)
+- Fix user.list_groups omits remote groups via sssd, etc. [#64953](https://github.com/saltstack/salt/issues/64953)
+- Ensure sync from _grains occurs before attempting pillar compilation in case custom grain used in pillar file [#65027](https://github.com/saltstack/salt/issues/65027)
+- Moved gitfs locks to salt working dir to avoid lock wipes [#65086](https://github.com/saltstack/salt/issues/65086)
+- Only attempt to create a keys directory when `--gen-keys` is passed to the `salt-key` CLI [#65093](https://github.com/saltstack/salt/issues/65093)
+- Fix nonce verification, request server replies do not stomp on eachother. [#65114](https://github.com/saltstack/salt/issues/65114)
+- speed up yumpkg list_pkgs by not requiring digest or signature verification on lookup. [#65152](https://github.com/saltstack/salt/issues/65152)
+- Fix pkg.latest failing on windows for winrepo packages where the package is already up to date [#65165](https://github.com/saltstack/salt/issues/65165)
+- Ensure __kwarg__ is preserved when checking for kwargs.  This change affects proxy minions when used with Deltaproxy, which had kwargs popped when targeting multiple minions id. [#65179](https://github.com/saltstack/salt/issues/65179)
+- Fixes traceback when state id is an int in a reactor SLS file. [#65210](https://github.com/saltstack/salt/issues/65210)
+- Install logrotate config as /etc/logrotate.d/salt-common for Debian packages
+  Remove broken /etc/logrotate.d/salt directory from 3006.3 if it exists. [#65231](https://github.com/saltstack/salt/issues/65231)
+- Use ``sha256`` as the default ``hash_type``. It has been the default since Salt v2016.9 [#65287](https://github.com/saltstack/salt/issues/65287)
+- Preserve ownership on log rotation [#65288](https://github.com/saltstack/salt/issues/65288)
+- Ensure that the correct value of jid_inclue is passed if the argument is included in the passed keyword arguments. [#65302](https://github.com/saltstack/salt/issues/65302)
+- Uprade relenv to 0.14.2
+   - Update openssl to address CVE-2023-5363.
+   - Fix bug in openssl setup when openssl binary can't be found.
+   - Add M1 mac support. [#65316](https://github.com/saltstack/salt/issues/65316)
+- Fix regex for filespec adding/deleting fcontext policy in selinux [#65340](https://github.com/saltstack/salt/issues/65340)
+- Ensure CLI options take priority over Saltfile options [#65358](https://github.com/saltstack/salt/issues/65358)
+- Test mode for state function `saltmod.wheel` no longer set's `result` to `(None,)` [#65372](https://github.com/saltstack/salt/issues/65372)
+- Client only process events which tag conforms to an event return. [#65400](https://github.com/saltstack/salt/issues/65400)
+- Fixes an issue setting user or machine policy on Windows when the Group Policy
+  directory is missing [#65411](https://github.com/saltstack/salt/issues/65411)
+- Fix regression in file module which was not re-using a file client. [#65450](https://github.com/saltstack/salt/issues/65450)
+- pip.installed state will now properly fail when a specified user does not exists [#65458](https://github.com/saltstack/salt/issues/65458)
+- Publish channel connect callback method properly closes it's request channel. [#65464](https://github.com/saltstack/salt/issues/65464)
+- Ensured the pillar in SSH wrapper modules is the same as the one used in template rendering when overrides are passed [#65483](https://github.com/saltstack/salt/issues/65483)
+- Fix file.comment ignore_missing not working with multiline char [#65501](https://github.com/saltstack/salt/issues/65501)
+- Warn when an un-closed transport client is being garbage collected. [#65554](https://github.com/saltstack/salt/issues/65554)
+- Only generate the HMAC's for ``libssl.so.1.1`` and ``libcrypto.so.1.1`` if those files exist. [#65581](https://github.com/saltstack/salt/issues/65581)
+- Fixed an issue where Salt Cloud would fail if it could not delete lingering
+  PAexec binaries [#65584](https://github.com/saltstack/salt/issues/65584)
+
+
+### Added
+
+- Added Salt support for Debian 12 [#64223](https://github.com/saltstack/salt/issues/64223)
+- Added Salt support for Amazon Linux 2023 [#64455](https://github.com/saltstack/salt/issues/64455)
+
+
+### Security
+
+- Bump to `cryptography==41.0.4` due to https://github.com/advisories/GHSA-v8gr-m533-ghj9 [#65268](https://github.com/saltstack/salt/issues/65268)
+- Bump to `cryptography==41.0.7` due to https://github.com/advisories/GHSA-jfhm-5ghh-2f97 [#65643](https://github.com/saltstack/salt/issues/65643)
+

 ## 3006.4 (2023-10-16)

--- a/changelog/38098.fixed.md
+++ b/changelog/38098.fixed.md
@ -1 +0,0 @@
-Improved error message when state arguments are accidentally passed as a string
--- a/changelog/44722.fixed.md
+++ b/changelog/44722.fixed.md
@ -1 +0,0 @@
-Allow `pip.install` to create a log file that is passed in if the parent directory is writeable
--- a/changelog/59802.fixed.md
+++ b/changelog/59802.fixed.md
@ -1 +0,0 @@
-Fixed merging of complex pillar overrides with salt-ssh states
--- a/changelog/60002.fixed.md
+++ b/changelog/60002.fixed.md
@ -1 +0,0 @@
-Fixed gpg pillar rendering with salt-ssh
--- a/changelog/62230.fixed.md
+++ b/changelog/62230.fixed.md
@ -1 +0,0 @@
-Made salt-ssh states not re-render pillars unnecessarily
--- a/changelog/64130.fixed.md
+++ b/changelog/64130.fixed.md
@ -1 +0,0 @@
-Made Salt maintain options in Debian package repo definitions
--- a/changelog/64223.added.md
+++ b/changelog/64223.added.md
@ -1 +0,0 @@
-Added Salt support for Debian 12
--- a/changelog/64374.fixed.md
+++ b/changelog/64374.fixed.md
@ -1,6 +0,0 @@
-Migrated all [`invoke`](https://www.pyinvoke.org/) tasks to [`python-tools-scripts`](https://github.com/s0undt3ch/python-tools-scripts).
-
-* `tasks/docs.py` -> `tools/precommit/docs.py`
-* `tasks/docstrings.py` -> `tools/precommit/docstrings.py`
-* `tasks/loader.py` -> `tools/precommit/loader.py`
-* `tasks/filemap.py` -> `tools/precommit/filemap.py`
--- a/changelog/64377.fixed.md
+++ b/changelog/64377.fixed.md
@ -1 +0,0 @@
-Fix salt user login shell path in Debian packages
--- a/changelog/64455.added.md
+++ b/changelog/64455.added.md
@ -1 +0,0 @@
-Added Salt support for Amazon Linux 2023
--- a/changelog/64473.fixed.md
+++ b/changelog/64473.fixed.md
@ -1 +0,0 @@
-Fill out lsb_distrib_xxxx (best estimate) grains if problems with retrieving lsb_release data
--- a/changelog/64497.fixed.md
+++ b/changelog/64497.fixed.md
@ -1,2 +0,0 @@
-Fixed an issue in the ``file.directory`` state where the ``children_only`` keyword
-argument was not being respected.
--- a/changelog/64572.fixed.md
+++ b/changelog/64572.fixed.md
@ -1 +0,0 @@
-Move salt.ufw to correct location /etc/ufw/applications.d/
--- a/changelog/64575.fixed.md
+++ b/changelog/64575.fixed.md
@ -1 +0,0 @@
-Fixed salt-ssh stacktrace when retcode is not an integer
--- a/changelog/64588.fixed.md
+++ b/changelog/64588.fixed.md
@ -1 +0,0 @@
-Fixed SSH shell seldomly fails to report any exit code
--- a/changelog/64597.fixed.md
+++ b/changelog/64597.fixed.md
@ -1 +0,0 @@
-Fixed some issues in x509_v2 execution module private key functions
--- a/changelog/64888.fixed.md
+++ b/changelog/64888.fixed.md
@ -1 +0,0 @@
-Fixed grp.getgrall() in utils/user.py causing performance issues
--- a/changelog/64953.fixed.md
+++ b/changelog/64953.fixed.md
@ -1 +0,0 @@
-Fix user.list_groups omits remote groups via sssd, etc.
--- a/changelog/65027.fixed.md
+++ b/changelog/65027.fixed.md
@ -1 +0,0 @@
-Ensure sync from _grains occurs before attempting pillar compilation in case custom grain used in pillar file
--- a/changelog/65029.removed.md
+++ b/changelog/65029.removed.md
@ -1 +0,0 @@
-Tech Debt - support for pysss removed due to functionality addition in Python 3.3
--- a/changelog/65086.fixed.md
+++ b/changelog/65086.fixed.md
@ -1 +0,0 @@
-Moved gitfs locks to salt working dir to avoid lock wipes
--- a/changelog/65093.fixed.md
+++ b/changelog/65093.fixed.md
@ -1 +0,0 @@
-Only attempt to create a keys directory when `--gen-keys` is passed to the `salt-key` CLI
--- a/changelog/65114.fixed.md
+++ b/changelog/65114.fixed.md
@ -1 +0,0 @@
-Fix nonce verification, request server replies do not stomp on eachother.
--- a/changelog/65152.fixed.md
+++ b/changelog/65152.fixed.md
@ -1 +0,0 @@
-speed up yumpkg list_pkgs by not requiring digest or signature verification on lookup.
--- a/changelog/65165.fixed.md
+++ b/changelog/65165.fixed.md
@ -1 +0,0 @@
-Fix pkg.latest failing on windows for winrepo packages where the package is already up to date
--- a/changelog/65179.fixed.md
+++ b/changelog/65179.fixed.md
@ -1 +0,0 @@
-Ensure __kwarg__ is preserved when checking for kwargs.  This change affects proxy minions when used with Deltaproxy, which had kwargs popped when targeting multiple minions id.
--- a/changelog/65210.fixed.md
+++ b/changelog/65210.fixed.md
@ -1 +0,0 @@
-Fixes traceback when state id is an int in a reactor SLS file.
--- a/changelog/65231.fixed.md
+++ b/changelog/65231.fixed.md
@ -1,2 +0,0 @@
-Install logrotate config as /etc/logrotate.d/salt-common for Debian packages
-Remove broken /etc/logrotate.d/salt directory from 3006.3 if it exists.
--- a/changelog/65268.security.md
+++ b/changelog/65268.security.md
@ -1 +0,0 @@
-Bump to `cryptography==41.0.4` due to https://github.com/advisories/GHSA-v8gr-m533-ghj9
--- a/changelog/65287.fixed.md
+++ b/changelog/65287.fixed.md
@ -1 +0,0 @@
-Use ``sha256`` as the default ``hash_type``. It has been the default since Salt v2016.9
--- a/changelog/65288.fixed.md
+++ b/changelog/65288.fixed.md
@ -1 +0,0 @@
-Preserve ownership on log rotation
--- a/changelog/65302.fixed.md
+++ b/changelog/65302.fixed.md
@ -1 +0,0 @@
-Ensure that the correct value of jid_inclue is passed if the argument is included in the passed keyword arguments.
--- a/changelog/65316.fixed.md
+++ b/changelog/65316.fixed.md
@ -1,4 +0,0 @@
-Uprade relenv to 0.14.2
- - Update openssl to address CVE-2023-5363.
- - Fix bug in openssl setup when openssl binary can't be found.
- - Add M1 mac support.
--- a/changelog/65340.fixed.md
+++ b/changelog/65340.fixed.md
@ -1 +0,0 @@
-Fix regex for filespec adding/deleting fcontext policy in selinux
--- a/changelog/65358.fixed.md
+++ b/changelog/65358.fixed.md
@ -1 +0,0 @@
-Ensure CLI options take priority over Saltfile options
--- a/changelog/65372.fixed.md
+++ b/changelog/65372.fixed.md
@ -1 +0,0 @@
-Test mode for state function `saltmod.wheel` no longer set's `result` to `(None,)`
--- a/changelog/65400.fixed.md
+++ b/changelog/65400.fixed.md
@ -1 +0,0 @@
-Client only process events which tag conforms to an event return.
--- a/changelog/65411.fixed.md
+++ b/changelog/65411.fixed.md
@ -1,2 +0,0 @@
-Fixes an issue setting user or machine policy on Windows when the Group Policy
-directory is missing
--- a/changelog/65450.fixed.md
+++ b/changelog/65450.fixed.md
@ -1 +0,0 @@
-Fix regression in file module which was not re-using a file client.
--- a/changelog/65458.fixed.md
+++ b/changelog/65458.fixed.md
@ -1 +0,0 @@
-pip.installed state will now properly fail when a specified user does not exists
--- a/changelog/65464.fixed.md
+++ b/changelog/65464.fixed.md
@ -1 +0,0 @@
-Publish channel connect callback method properly closes it's request channel.
--- a/changelog/65483.fixed.md
+++ b/changelog/65483.fixed.md
@ -1 +0,0 @@
-Ensured the pillar in SSH wrapper modules is the same as the one used in template rendering when overrides are passed
--- a/changelog/65501.fixed.md
+++ b/changelog/65501.fixed.md
@ -1 +0,0 @@
-Fix file.comment ignore_missing not working with multiline char
--- a/changelog/65554.fixed.md
+++ b/changelog/65554.fixed.md
@ -1 +0,0 @@
-Warn when an un-closed transport client is being garbage collected.
--- a/changelog/65581.fixed.md
+++ b/changelog/65581.fixed.md
@ -1 +0,0 @@
-Only generate the HMAC's for ``libssl.so.1.1`` and ``libcrypto.so.1.1`` if those files exist.
--- a/changelog/65584.fixed.md
+++ b/changelog/65584.fixed.md
@ -1,2 +0,0 @@
-Fixed an issue where Salt Cloud would fail if it could not delete lingering
-PAexec binaries
--- a/changelog/65643.security.md
+++ b/changelog/65643.security.md
@ -1 +0,0 @@
-Bump to `cryptography==41.0.7` due to https://github.com/advisories/GHSA-jfhm-5ghh-2f97
--- a/doc/man/salt-api.1
+++ b/doc/man/salt-api.1
@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SALT-API" "1" "Generated on October 16, 2023 at 05:24:47 PM UTC." "3006.4" "Salt"
+.TH "SALT-API" "1" "Generated on December 12, 2023 at 05:54:17 PM UTC." "3006.5" "Salt"
 .SH NAME
 salt-api \- salt-api Command
 .sp
--- a/doc/man/salt-call.1
+++ b/doc/man/salt-call.1
@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SALT-CALL" "1" "Generated on October 16, 2023 at 05:24:47 PM UTC." "3006.4" "Salt"
+.TH "SALT-CALL" "1" "Generated on December 12, 2023 at 05:54:17 PM UTC." "3006.5" "Salt"
 .SH NAME
 salt-call \- salt-call Documentation
 .SH SYNOPSIS
--- a/doc/man/salt-cloud.1
+++ b/doc/man/salt-cloud.1
@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SALT-CLOUD" "1" "Generated on October 16, 2023 at 05:24:47 PM UTC." "3006.4" "Salt"
+.TH "SALT-CLOUD" "1" "Generated on December 12, 2023 at 05:54:17 PM UTC." "3006.5" "Salt"
 .SH NAME
 salt-cloud \- Salt Cloud Command
 .sp
--- a/doc/man/salt-cp.1
+++ b/doc/man/salt-cp.1
@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SALT-CP" "1" "Generated on October 16, 2023 at 05:24:47 PM UTC." "3006.4" "Salt"
+.TH "SALT-CP" "1" "Generated on December 12, 2023 at 05:54:17 PM UTC." "3006.5" "Salt"
 .SH NAME
 salt-cp \- salt-cp Documentation
 .sp
--- a/doc/man/salt-key.1
+++ b/doc/man/salt-key.1
@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SALT-KEY" "1" "Generated on October 16, 2023 at 05:24:47 PM UTC." "3006.4" "Salt"
+.TH "SALT-KEY" "1" "Generated on December 12, 2023 at 05:54:17 PM UTC." "3006.5" "Salt"
 .SH NAME
 salt-key \- salt-key Documentation
 .SH SYNOPSIS
--- a/doc/man/salt-master.1
+++ b/doc/man/salt-master.1
@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SALT-MASTER" "1" "Generated on October 16, 2023 at 05:24:47 PM UTC." "3006.4" "Salt"
+.TH "SALT-MASTER" "1" "Generated on December 12, 2023 at 05:54:17 PM UTC." "3006.5" "Salt"
 .SH NAME
 salt-master \- salt-master Documentation
 .sp
--- a/doc/man/salt-minion.1
+++ b/doc/man/salt-minion.1
@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SALT-MINION" "1" "Generated on October 16, 2023 at 05:24:47 PM UTC." "3006.4" "Salt"
+.TH "SALT-MINION" "1" "Generated on December 12, 2023 at 05:54:17 PM UTC." "3006.5" "Salt"
 .SH NAME
 salt-minion \- salt-minion Documentation
 .sp
--- a/doc/man/salt-proxy.1
+++ b/doc/man/salt-proxy.1
@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SALT-PROXY" "1" "Generated on October 16, 2023 at 05:24:47 PM UTC." "3006.4" "Salt"
+.TH "SALT-PROXY" "1" "Generated on December 12, 2023 at 05:54:17 PM UTC." "3006.5" "Salt"
 .SH NAME
 salt-proxy \- salt-proxy Documentation
 .sp
--- a/doc/man/salt-run.1
+++ b/doc/man/salt-run.1
@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SALT-RUN" "1" "Generated on October 16, 2023 at 05:24:47 PM UTC." "3006.4" "Salt"
+.TH "SALT-RUN" "1" "Generated on December 12, 2023 at 05:54:17 PM UTC." "3006.5" "Salt"
 .SH NAME
 salt-run \- salt-run Documentation
 .sp
--- a/doc/man/salt-ssh.1
+++ b/doc/man/salt-ssh.1
@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SALT-SSH" "1" "Generated on October 16, 2023 at 05:24:47 PM UTC." "3006.4" "Salt"
+.TH "SALT-SSH" "1" "Generated on December 12, 2023 at 05:54:17 PM UTC." "3006.5" "Salt"
 .SH NAME
 salt-ssh \- salt-ssh Documentation
 .SH SYNOPSIS
--- a/doc/man/salt-syndic.1
+++ b/doc/man/salt-syndic.1
@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SALT-SYNDIC" "1" "Generated on October 16, 2023 at 05:24:47 PM UTC." "3006.4" "Salt"
+.TH "SALT-SYNDIC" "1" "Generated on December 12, 2023 at 05:54:17 PM UTC." "3006.5" "Salt"
 .SH NAME
 salt-syndic \- salt-syndic Documentation
 .sp
--- a/doc/man/salt.1
+++ b/doc/man/salt.1
@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SALT" "1" "Generated on October 16, 2023 at 05:24:47 PM UTC." "3006.4" "Salt"
+.TH "SALT" "1" "Generated on December 12, 2023 at 05:54:17 PM UTC." "3006.5" "Salt"
 .SH NAME
 salt \- salt
 .SH SYNOPSIS
--- a/doc/man/salt.7
+++ b/doc/man/salt.7
@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SALT" "7" "Generated on October 16, 2023 at 05:24:47 PM UTC." "3006.4" "Salt"
+.TH "SALT" "7" "Generated on December 12, 2023 at 05:54:17 PM UTC." "3006.5" "Salt"
 .SH NAME
 salt \- Salt Documentation
 .SH SALT PROJECT
@ -1404,6 +1404,9 @@ If someone isn\(aqt an expert in this area, what will they need to know?
 .sp
 This will also help you out, because when you go to create the PR it
 will automatically insert the body of your commit messages.
+.sp
+See the \fI\%changelog\fP
+docs for more information.
 .SS Pull request time!
 .sp
 Once you\(aqve done all your dev work and tested locally, you should check
@ -7880,6 +7883,13 @@ log_level: warning
 .fi
 .UNINDENT
 .UNINDENT
+.sp
+Any log level below the \fIinfo\fP level is INSECURE and may log sensitive data. This currently includes:
+#. profile
+#. debug
+#. trace
+#. garbage
+#. all
 .SS \fBlog_level_logfile\fP
 .sp
 Default: \fBwarning\fP
@ -7897,6 +7907,13 @@ log_level_logfile: warning
 .fi
 .UNINDENT
 .UNINDENT
+.sp
+Any log level below the \fIinfo\fP level is INSECURE and may log sensitive data. This currently includes:
+#. profile
+#. debug
+#. trace
+#. garbage
+#. all
 .SS \fBlog_datefmt\fP
 .sp
 Default: \fB%H:%M:%S\fP
@ -12644,6 +12661,13 @@ log_level: warning
 .fi
 .UNINDENT
 .UNINDENT
+.sp
+Any log level below the \fIinfo\fP level is INSECURE and may log sensitive data. This currently includes:
+#. profile
+#. debug
+#. trace
+#. garbage
+#. all
 .SS \fBlog_level_logfile\fP
 .sp
 Default: \fBwarning\fP
@ -12661,6 +12685,13 @@ log_level_logfile: warning
 .fi
 .UNINDENT
 .UNINDENT
+.sp
+Any log level below the \fIinfo\fP level is INSECURE and may log sensitive data. This currently includes:
+#. profile
+#. debug
+#. trace
+#. garbage
+#. all
 .SS \fBlog_datefmt\fP
 .sp
 Default: \fB%H:%M:%S\fP
@ -15144,7 +15175,7 @@ For reference, see:
 # One of \(aqgarbage\(aq, \(aqtrace\(aq, \(aqdebug\(aq, info\(aq, \(aqwarning\(aq, \(aqerror\(aq, \(aqcritical\(aq.
 #
 # The following log levels are considered INSECURE and may log sensitive data:
-# [\(aqgarbage\(aq, \(aqtrace\(aq, \(aqdebug\(aq]
+# [\(aqprofile\(aq, \(aqgarbage\(aq, \(aqtrace\(aq, \(aqdebug\(aq, \(aqall\(aq]
 #
 #log_level: warning

@ -16125,7 +16156,7 @@ For reference, see:
 # One of \(aqgarbage\(aq, \(aqtrace\(aq, \(aqdebug\(aq, \(aqinfo\(aq, \(aqwarning\(aq, \(aqerror\(aq, \(aqcritical\(aq.
 #
 # The following log levels are considered INSECURE and may log sensitive data:
-# [\(aqgarbage\(aq, \(aqtrace\(aq, \(aqdebug\(aq]
+# [\(aqprofile\(aq, \(aqgarbage\(aq, \(aqtrace\(aq, \(aqdebug\(aq, \(aqall\(aq]
 #
 # Default: \(aqwarning\(aq
 #log_level: warning
@ -16836,7 +16867,7 @@ For reference, see:
 # One of \(aqgarbage\(aq, \(aqtrace\(aq, \(aqdebug\(aq, \(aqinfo\(aq, \(aqwarning\(aq, \(aqerror\(aq, \(aqcritical\(aq.
 #
 # The following log levels are considered INSECURE and may log sensitive data:
-# [\(aqgarbage\(aq, \(aqtrace\(aq, \(aqdebug\(aq]
+# [\(aqprofile\(aq, \(aqgarbage\(aq, \(aqtrace\(aq, \(aqdebug\(aq, \(aqall\(aq]
 #
 # Default: \(aqwarning\(aq
 #log_level: warning
@ -19003,6 +19034,13 @@ Everything
 T}
 _
 .TE
+.sp
+Any log level below the \fIinfo\fP level is INSECURE and may log sensitive data. This currently includes:
+#. profile
+#. debug
+#. trace
+#. garbage
+#. all
 .SS Available Configuration Settings
 .SS \fBlog_file\fP
 .sp
@ -23710,7 +23748,7 @@ most secure setup, only connect syndics directly to master of masters.
 .INDENT 0.0
 .TP
 .B email
-\fI\%saltproject-security.pdl@broadcom.com\fP
+\fI\%saltproject\-security.pdl@broadcom.com\fP
 .TP
 .B gpg key ID
 4EA0793D
@ -23831,7 +23869,7 @@ fwPKmQ2cKnCBs5ASj1DkgUcz2c8DTUPVqg==
 .UNINDENT
 .UNINDENT
 .sp
-The SaltStack Security Team is available at \fI\%saltproject-security.pdl@broadcom.com\fP for
+The SaltStack Security Team is available at \fI\%saltproject\-security.pdl@broadcom.com\fP for
 security\-related bug reports or questions.
 .sp
 We request the disclosure of any security\-related bugs or issues be reported
@ -23845,7 +23883,7 @@ seriously. Our disclosure policy is intended to resolve security issues as
 quickly and safely as is possible.
 .INDENT 0.0
 .IP 1. 3
-A security report sent to \fI\%saltproject-security.pdl@broadcom.com\fP is assigned to a team
+A security report sent to \fI\%saltproject\-security.pdl@broadcom.com\fP is assigned to a team
 member. This person is the primary contact for questions and will
 coordinate the fix, release, and announcement.
 .IP 2. 3
@ -57834,7 +57872,7 @@ jim_nologin:
 .UNINDENT
 .UNINDENT

-.SS Creates
+.SS creates
 .sp
 New in version 3001.

@ -85544,6 +85582,243 @@ tools pkg build windows \-\-salt\-version <salt\-version> \-\-arch <arch>
 .sp
 The python library is available in the install directory of the onedir package. For example
 on linux the default location would be \fB/opt/saltstack/salt/bin/python3\fP\&.
+.SS Testing the packages
+.sp
+If you want to test your built packages, or any other collection of salt packages post 3006.0, follow \fI\%this guide\fP
+.SS Testing packages
+.SS The package test suite
+.sp
+The salt repo provides a test suite for testing basic functionality of our
+packages at \fB<repo\-root>/pkg/tests/\fP\&. You can run the install, upgrade, and
+downgrade tests. These tests run automatically on most PRs that are submitted
+against Salt.
+.sp
+\fBWARNING:\fP
+.INDENT 0.0
+.INDENT 3.5
+These tests make destructive changes to your system because they install the
+built packages onto the system. They may also install older versions in the
+case of upgrades or downgrades. To prevent destructive changes, run the
+tests in an isolated system, preferably a virtual machine.
+.UNINDENT
+.UNINDENT
+.SS Setup
+.sp
+In order to run the package tests, the \fI\%relenv\fP onedir and
+built packages need to be placed in the correct locations.
+.INDENT 0.0
+.IP \(bu 2
+Place all salt packages for the applicable testing version in
+\fB<repo\-root>/pkg/artifacts/\fP\&.
+.IP \(bu 2
+The onedir must be located under \fB<repo\-root>/artifacts/\fP\&.
+.IP \(bu 2
+Additionally, to ensure complete parity with Salt\(aqs CI/CD suite, place the
+\fBnox\fP virtual environment in \fB<repo\-root>/.nox/test\-pkgs\-onedir\fP\&.
+.UNINDENT
+.sp
+The following are a few ways this can be accomplished easily.
+.sp
+You can ensure parity by installing the package test suite through a few
+possible methods:
+.INDENT 0.0
+.IP \(bu 2
+Using \fBtools\fP
+.IP \(bu 2
+Downloading individually
+.UNINDENT
+.SS Using \fBtools\fP
+.sp
+Salt has preliminary support for setting up the package test suite in the
+\fBtools\fP command suite that is located under \fB<repo\-root>/tools/testsuite/\fP\&.
+This method requires the Github CLI tool \fBgh\fP (\fI\%https://cli.github.com/\fP) to be properly configured for
+interaction with the salt repo.
+.INDENT 0.0
+.IP 1. 3
+Install the dependencies using this command:
+.INDENT 3.0
+.INDENT 3.5
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+pip install \-r requirements/static/ci/py{python_version}/tools.txt
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.IP 2. 3
+Download and extract the artifacts with this \fBtools\fP command:
+.INDENT 3.0
+.INDENT 3.5
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+tools ts setup \-\-platform {linux|darwin|windows} \-\-slug
+<operating\-system\-slug> \-\-pr <pr\-number> \-\-pkg
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The most common use case is to test the packages built on a CI/CD run for a
+given PR. To see the possible options for each argument, and other ways to
+utilize this command, use the following:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+tools ts setup \-h
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+\fBWARNING:\fP
+.INDENT 0.0
+.INDENT 3.5
+You can only download artifacts from finished workflow runs. This is something
+imposed by the GitHub API.
+To download artifacts from a running workflow run, you either have to wait for
+the finish or cancel it.
+.UNINDENT
+.UNINDENT
+.SS Downloading individually
+.sp
+If the \fBtools ts setup\fP command doesn\(aqt work, you can download, unzip, and
+place the artifacts in the correct locations manually. Typically, you want to
+test packages built on a CI/CD run for a given PR. This guide explains how to
+set up for running the package tests using those artifacts. An analogous process
+can be performed for artifacts from nightly builds.
+.INDENT 0.0
+.IP 1. 3
+Find and download the artifacts:
+.INDENT 3.0
+.INDENT 3.5
+Under the summary page for the most recent actions run for that PR, there is
+a list of available artifacts from that run that can be downloaded. Download
+the package artifacts by finding
+\fBsalt\-<major>.<minor>+<number>.<sha>\-<arch>\-<pkg\-type>\fP\&.  For example, the
+amd64 deb packages might look like:
+\fBsalt\-3006.2+123.01234567890\-x86_64\-deb\fP\&.
+.sp
+The onedir artifact will look like
+\fBsalt\-<major>.<minor>+<number>.<sha>\-onedir\-<platform>\-<arch>.tar.xz\fP\&. For
+instance, the macos x86_64 onedir may have the name
+\fBsalt\-3006.2+123.01234567890\-onedir\-darwin\-x86_64.tar.xz\fP\&.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+Windows onedir artifacts have \fB\&.zip\fP extensions instead of \fBtar.xz\fP
+.UNINDENT
+.UNINDENT
+.sp
+While it is optional, it is recommended to download the \fBnox\fP session
+artifact as well.  This will have the form of
+\fBnox\-<os\-name>\-test\-pkgs\-onedir\-<arch>\fP\&. The amd64 Ubuntu 20.04 nox
+artifact may look like \fBnox\-ubuntu\-20.04\-test\-pkgs\-onedir\-x86_64\fP\&.
+.UNINDENT
+.UNINDENT
+.IP 2. 3
+Place the artifacts in the correct location:
+.INDENT 3.0
+.INDENT 3.5
+Unzip the packages and place them in \fB<repo\-root>/pkg/artifacts/\fP\&.
+.sp
+You must unzip and untar the onedir packages and place them in
+\fB<repo\-root>/artifacts/\fP\&. Windows onedir requires an additional unzip
+action. If you set it up correctly, the \fB<repo\-root>/artifacts/salt\fP
+directory then contains the uncompressed onedir files.
+.sp
+Additionally, decompress the \fBnox\fP artifact and place it under
+\fB<repo\-root>/.nox/\fP\&.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SS Running the tests
+.sp
+You can run the test suite run if all the artifacts are in the correct location.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+You need root access to run the test artifacts. Run all nox commands at the
+root of the salt repo and as the root user.
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.IP 1. 3
+Install \fBnox\fP:
+.INDENT 3.0
+.INDENT 3.5
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+pip install nox
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.IP 2. 3
+Run the install tests:
+.INDENT 3.0
+.INDENT 3.5
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+nox \-e test\-pkgs\-onedir \-\- install
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.IP 3. 3
+Run the upgrade or downgrade tests:
+.INDENT 3.0
+.INDENT 3.5
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+nox \-e test\-pkgs\-onedir \-\- upgrade \-\-prev\-version <previous\-version>
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+You can run the downgrade tests in the same way, replacing \fBupgrade\fP with
+\fBdowngrade\fP\&.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+If you are testing upgrades or downgrades and classic packages are
+available for your system, replace \fBupgrade\fP or
+\fBdowngrade\fP with \fBupgrade\-classic\fP or \fBdowngrade\-classic\fP
+respectively to test against those versions.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
 .SH COMMAND LINE REFERENCE
 .SS salt\-api
 .SS \fBsalt\-api\fP
@ -88275,19 +88550,6 @@ The Python interface to PAM does not support authenticating as \fBroot\fP\&.
 \fBNOTE:\fP
 .INDENT 0.0
 .INDENT 3.5
-Using PAM groups with SSSD groups on python2.
-.sp
-To use sssd with the PAM eauth module and groups the \fIpysss\fP module is
-needed.  On RedHat/CentOS this is \fIpython\-sss\fP\&.
-.sp
-This should not be needed with python >= 3.3, because the \fIos\fP modules has the
-\fIgetgrouplist\fP function.
-.UNINDENT
-.UNINDENT
-.sp
-\fBNOTE:\fP
-.INDENT 0.0
-.INDENT 3.5
 This module executes itself in a subprocess in order to user the system python
 and pam libraries. We do this to avoid openssl version conflicts when
 running under a salt onedir build.
@ -194128,7 +194390,7 @@ Passes through all the parameters described in the
 \fI\%utils.http.query function\fP:
 .INDENT 7.0
 .TP
-.B salt.utils.http.query(url, method=\(aqGET\(aq, params=None, data=None, data_file=None, header_dict=None, header_list=None, header_file=None, username=None, password=None, auth=None, decode=False, decode_type=\(aqauto\(aq, status=False, headers=False, text=False, cookies=None, cookie_jar=None, cookie_format=\(aqlwp\(aq, persist_session=False, session_cookie_jar=None, data_render=False, data_renderer=None, header_render=False, header_renderer=None, template_dict=None, test=False, test_url=None, node=\(aqminion\(aq, port=80, opts=None, backend=None, ca_bundle=None, verify_ssl=None, cert=None, text_out=None, headers_out=None, decode_out=None, stream=False, streaming_callback=None, header_callback=None, handle=False, agent=\(aqSalt/3006.4\(aq, hide_fields=None, raise_error=True, formdata=False, formdata_fieldname=None, formdata_filename=None, decode_body=True, **kwargs)
+.B salt.utils.http.query(url, method=\(aqGET\(aq, params=None, data=None, data_file=None, header_dict=None, header_list=None, header_file=None, username=None, password=None, auth=None, decode=False, decode_type=\(aqauto\(aq, status=False, headers=False, text=False, cookies=None, cookie_jar=None, cookie_format=\(aqlwp\(aq, persist_session=False, session_cookie_jar=None, data_render=False, data_renderer=None, header_render=False, header_renderer=None, template_dict=None, test=False, test_url=None, node=\(aqminion\(aq, port=80, opts=None, backend=None, ca_bundle=None, verify_ssl=None, cert=None, text_out=None, headers_out=None, decode_out=None, stream=False, streaming_callback=None, header_callback=None, handle=False, agent=\(aqSalt/3006.5\(aq, hide_fields=None, raise_error=True, formdata=False, formdata_fieldname=None, formdata_filename=None, decode_body=True, **kwargs)
 Query a resource, and decode the return data
 .UNINDENT
 .INDENT 7.0
@ -261773,7 +262035,9 @@ Accepts either :all: to disable all binary packages, :none: to empty the set,
 or one or more package names with commas between them
 .TP
 .B log
-Log file where a complete (maximum verbosity) record will be kept
+Log file where a complete (maximum verbosity) record will be kept.
+If this file doesn\(aqt exist and the parent directory is writeable,
+it will be created.
 .TP
 .B proxy
 Specify a proxy in the form \fBuser:passwd@proxy.server:port\fP\&. Note
@ -320458,7 +320722,7 @@ CLI Example:
 .sp
 .nf
 .ft C
-salt \(aq*\(aq file.chpgrp c:\etemp\etest.txt administrators
+salt \(aq*\(aq file.chgrp c:\etemp\etest.txt administrators
 .ft P
 .fi
 .UNINDENT
@ -337948,8 +338212,8 @@ When encoding a certificate as \fBpkcs12\fP, a name for the certificate can be i
 Instead of returning the certificate, write it to this file path.
 .TP
 .B overwrite
-If \fBpath\fP is specified and the file exists, do not overwrite it.
-Defaults to false.
+If \fBpath\fP is specified and the file exists, overwrite it.
+Defaults to true.
 .TP
 .B raw
 Return the encoded raw bytes instead of a string. Defaults to false.
@ -338406,7 +338670,7 @@ Available: \fBrsa\fP, \fBec\fP, \fBed25519\fP, \fBed448\fP\&. Defaults to \fBrsa
 .B keysize
 For \fBrsa\fP, specifies the bitlength of the private key (2048, 3072, 4096).
 For \fBec\fP, specifies the NIST curve to use (256, 384, 521).
-Irrelevant for Edwards\-curve schemes (\fIed25519\(ga\fP, \fBed448\fP).
+Irrelevant for Edwards\-curve schemes (\fBed25519\fP, \fBed448\fP).
 Defaults to 2048 for RSA and 256 for EC.
 .TP
 .B passphrase
@ -338559,7 +338823,7 @@ Return the encoded raw bytes instead of a string. Defaults to false.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B salt.modules.x509_v2.encode_private_key(private_key, encoding=\(aqpem\(aq, passphrase=None, pkcs12_encryption_compat=False, raw=False)
+.B salt.modules.x509_v2.encode_private_key(private_key, encoding=\(aqpem\(aq, passphrase=None, private_key_passphrase=None, pkcs12_encryption_compat=False, raw=False)
 Create an encoded representation of a private key.
 .sp
 CLI Example:
@ -338575,7 +338839,7 @@ salt \(aq*\(aq x509.encode_private_key /etc/pki/my.key der
 .UNINDENT
 .INDENT 7.0
 .TP
-.B csr
+.B private_key
 The private key to encode.
 .TP
 .B encoding
@ -338583,6 +338847,24 @@ Specify the encoding of the resulting private key. It can be returned
 as a \fBpem\fP string, base64\-encoded \fBder\fP and base64\-encoded \fBpkcs12\fP\&.
 Defaults to \fBpem\fP\&.
 .TP
+.B passphrase
+If this is specified, the private key will be encrypted using this
+passphrase. The encryption algorithm cannot be selected, it will be
+determined automatically as the best available one.
+.TP
+.B private_key_passphrase
+New in version 3006.2.
+
+.sp
+If the current \fBprivate_key\fP is encrypted, the passphrase to
+decrypt it.
+.TP
+.B pkcs12_encryption_compat
+Some operating systems are incompatible with the encryption defaults
+for PKCS12 used since OpenSSL v3. This switch triggers a fallback to
+\fBPBESv1SHA1And3KeyTripleDESCBC\fP\&.
+Please consider the \fI\%notes on PKCS12 encryption\fP\&.
+.TP
 .B raw
 Return the encoded raw bytes instead of a string. Defaults to false.
 .UNINDENT
@ -354046,7 +354328,7 @@ curl \-sSi localhost:8000/minions \e
 POST /minions HTTP/1.1
 Host: localhost:8000
 Accept: application/x\-yaml
-Content\-Type: application/json
+Content\-Type: application/x\-www\-form\-urlencoded

 tgt=*&fun=status.diskusage
 .ft P
@ -406792,6 +407074,9 @@ specified either using \fBrepo:tag\fP notation, or just the repo name (in
 which case a tag of \fBlatest\fP is assumed).
 .INDENT 7.0
 .TP
+.B name
+The name of the docker image.
+.TP
 .B images
 Run this state on more than one image at a time. The following two
 examples accomplish the same thing:
@ -406831,7 +407116,6 @@ all the deletions in a single run, rather than executing the state
 separately on each image (as it would in the first example).
 .TP
 .B force
-False
 Salt will fail to remove any images currently in use by a container.
 Set this option to true to remove the image even if it is already
 present.
@ -406908,6 +407192,9 @@ myuser/myimage:
 .UNINDENT
 .INDENT 7.0
 .TP
+.B name
+The name of the docker image.
+.TP
 .B tag
 Tag name for the image. Required when using \fBbuild\fP, \fBload\fP, or
 \fBsls\fP to create the image, but optional if pulling from a repository.
@ -406967,10 +407254,13 @@ Changed in version 2018.3.0: The \fBtag\fP must be manually specified using the

 .TP
 .B force
-False
 Set this parameter to \fBTrue\fP to force Salt to pull/build/load the
 image even if it is already present.
 .TP
+.B insecure_registry
+If \fBTrue\fP, the Docker client will permit the use of insecure
+(non\-HTTPS) registries.
+.TP
 .B client_timeout
 Timeout in seconds for the Docker client. This is not a timeout for
 the state, but for receiving a response from the API.
@ -407049,6 +407339,10 @@ Values passed this way will override Pillar values set via
 .sp
 New in version 2018.3.0.

+.TP
+.B kwargs
+Additional keyword arguments to pass to
+\fI\%docker.build\fP
 .UNINDENT
 .UNINDENT
 .SS salt.states.docker_network
@ -455896,7 +456190,7 @@ Create CA private key:
    \- keysize: 4096
    \- backup: true
    \- require:
-      \- file: /etc/pki
+      \- file: /etc/pki/issued_certs

 Create self\-signed CA certificate:
  x509.certificate_managed:
@ -456375,7 +456669,7 @@ Available: \fBrsa\fP, \fBec\fP, \fBed25519\fP, \fBed448\fP\&. Defaults to \fBrsa
 .B keysize
 For \fBrsa\fP, specifies the bitlength of the private key (2048, 3072, 4096).
 For \fBec\fP, specifies the NIST curve to use (256, 384, 521).
-Irrelevant for Edwards\-curve schemes (\fIed25519\(ga\fP, \fBed448\fP).
+Irrelevant for Edwards\-curve schemes (\fBed25519\fP, \fBed448\fP).
 Defaults to 2048 for RSA and 256 for EC.
 .TP
 .B passphrase
@ -457626,7 +457920,7 @@ installed2
 .UNINDENT
 .INDENT 0.0
 .TP
-.B salt.states.zcbuildout.installed(name, config=\(aqbuildout.cfg\(aq, quiet=False, parts=None, user=None, env=(), buildout_ver=None, test_release=False, distribute=None, new_st=None, offline=False, newest=False, python=\(aq/opt/actions\-runner/_work/salt\-priv/salt\-priv/.tools\-venvs/py3.10/docs/bin/python\(aq, debug=False, verbose=False, unless=None, onlyif=None, use_vt=False, loglevel=\(aqdebug\(aq, **kwargs)
+.B salt.states.zcbuildout.installed(name, config=\(aqbuildout.cfg\(aq, quiet=False, parts=None, user=None, env=(), buildout_ver=None, test_release=False, distribute=None, new_st=None, offline=False, newest=False, python=\(aq/opt/actions\-runner/_work/salt/salt/.tools\-venvs/py3.10/docs/bin/python\(aq, debug=False, verbose=False, unless=None, onlyif=None, use_vt=False, loglevel=\(aqdebug\(aq, **kwargs)
 Install buildout in a specific directory
 .sp
 It is a thin wrapper to modules.buildout.buildout
@ -461812,7 +462106,7 @@ to execute those modules instead.
 Each module type has a corresponding loader function.
 .INDENT 0.0
 .TP
-.B salt.loader.minion_mods(opts, context=None, utils=None, whitelist=None, initial_load=False, loaded_base_name=None, notify=False, static_modules=None, proxy=None)
+.B salt.loader.minion_mods(opts, context=None, utils=None, whitelist=None, initial_load=False, loaded_base_name=None, notify=False, static_modules=None, proxy=None, file_client=None)
 Load execution modules
 .sp
 Returns a dictionary of execution modules appropriate for the current
@ -461905,7 +462199,7 @@ testmod[\(aqtest.ping\(aq]()
 .UNINDENT
 .INDENT 0.0
 .TP
-.B salt.loader.states(opts, functions, utils, serializers, whitelist=None, proxy=None, context=None, loaded_base_name=None)
+.B salt.loader.states(opts, functions, utils, serializers, whitelist=None, proxy=None, context=None, loaded_base_name=None, file_client=None)
 Returns the state modules
 .INDENT 7.0
 .TP
@ -467324,6 +467618,9 @@ If someone isn\(aqt an expert in this area, what will they need to know?
 .sp
 This will also help you out, because when you go to create the PR it
 will automatically insert the body of your commit messages.
+.sp
+See the \fI\%changelog\fP
+docs for more information.
 .SS Pull request time!
 .sp
 Once you\(aqve done all your dev work and tested locally, you should check
@ -469623,13 +469920,9 @@ The following dunder dictionaries are always defined, but may be empty
 .UNINDENT
 .SS __opts__
 .sp
-\&..versionchanged:: 3006.0
-.INDENT 0.0
-.INDENT 3.5
-The \fB__opts__\fP dictionary can now be accessed via
+Changed in version 3006.0: The \fB__opts__\fP dictionary can now be accessed via
 \fBcontext\(ga\fP\&.
-.UNINDENT
-.UNINDENT
+
 .sp
 Defined in: All modules
 .sp
@ -469723,13 +470016,6 @@ When running an execution module \fB__context__\fP persists across all module
 executions until the modules are refreshed; such as when
 \fI\%saltutil.sync_all\fP or
 \fI\%state.apply\fP are executed.
-.sp
-A great place to see how to use \fB__context__\fP is in the cp.py module in
-salt/modules/cp.py. The fileclient authenticates with the master when it is
-instantiated and then is used to copy files to the minion. Rather than create a
-new fileclient for each file that is to be copied down, one instance of the
-fileclient is instantiated in the \fB__context__\fP dictionary and is reused for
-each file. Here is an example from salt/modules/cp.py:
 .INDENT 0.0
 .INDENT 3.5
 .sp
@ -469784,6 +470070,14 @@ Defined in: State
 .SS __sdb__
 .sp
 Defined in: SDB
+.SS __file_client__
+.sp
+Changed in version 3006.5.
+
+.sp
+The \fB__file_client__\fP dunder was added to states and execution modules. This
+enables the use of a file client without haveing to instantiate one in
+the module.
 .SS Configuration Options
 .sp
 A number of configuration options can affect the load process. This is a quick
@ -477575,6 +477869,137 @@ Bump to \fBurllib3==1.26.17\fP or \fBurllib3==2.0.6\fP due to \fI\%https://githu
 .IP \(bu 2
 Bump to \fBgitpython==3.1.37\fP due to \fI\%https://github.com/advisories/GHSA\-cwvm\-v4w8\-q58c\fP \fI\%#65383\fP
 .UNINDENT
+(release\-3006.5)=
+.SS Salt 3006.5 release notes
+.SS Changelog
+.SS Removed
+.INDENT 0.0
+.IP \(bu 2
+Tech Debt \- support for pysss removed due to functionality addition in Python 3.3 \fI\%#65029\fP
+.UNINDENT
+.SS Fixed
+.INDENT 0.0
+.IP \(bu 2
+Improved error message when state arguments are accidentally passed as a string \fI\%#38098\fP
+.IP \(bu 2
+Allow \fBpip.install\fP to create a log file that is passed in if the parent directory is writeable \fI\%#44722\fP
+.IP \(bu 2
+Fixed merging of complex pillar overrides with salt\-ssh states \fI\%#59802\fP
+.IP \(bu 2
+Fixed gpg pillar rendering with salt\-ssh \fI\%#60002\fP
+.IP \(bu 2
+Made salt\-ssh states not re\-render pillars unnecessarily \fI\%#62230\fP
+.IP \(bu 2
+Made Salt maintain options in Debian package repo definitions \fI\%#64130\fP
+.IP \(bu 2
+Migrated all \fI\%invoke\fP tasks to \fI\%python\-tools\-scripts\fP\&.
+.INDENT 2.0
+.IP \(bu 2
+\fBtasks/docs.py\fP \-> \fBtools/precommit/docs.py\fP
+.IP \(bu 2
+\fBtasks/docstrings.py\fP \-> \fBtools/precommit/docstrings.py\fP
+.IP \(bu 2
+\fBtasks/loader.py\fP \-> \fBtools/precommit/loader.py\fP
+.IP \(bu 2
+\fBtasks/filemap.py\fP \-> \fBtools/precommit/filemap.py\fP \fI\%#64374\fP
+.UNINDENT
+.IP \(bu 2
+Fix salt user login shell path in Debian packages \fI\%#64377\fP
+.IP \(bu 2
+Fill out lsb_distrib_xxxx (best estimate) grains if problems with retrieving lsb_release data \fI\%#64473\fP
+.IP \(bu 2
+Fixed an issue in the \fBfile.directory\fP state where the \fBchildren_only\fP keyword
+argument was not being respected. \fI\%#64497\fP
+.IP \(bu 2
+Move salt.ufw to correct location /etc/ufw/applications.d/ \fI\%#64572\fP
+.IP \(bu 2
+Fixed salt\-ssh stacktrace when retcode is not an integer \fI\%#64575\fP
+.IP \(bu 2
+Fixed SSH shell seldomly fails to report any exit code \fI\%#64588\fP
+.IP \(bu 2
+Fixed some issues in x509_v2 execution module private key functions \fI\%#64597\fP
+.IP \(bu 2
+Fixed grp.getgrall() in utils/user.py causing performance issues \fI\%#64888\fP
+.IP \(bu 2
+Fix user.list_groups omits remote groups via sssd, etc. \fI\%#64953\fP
+.IP \(bu 2
+Ensure sync from _grains occurs before attempting pillar compilation in case custom grain used in pillar file \fI\%#65027\fP
+.IP \(bu 2
+Moved gitfs locks to salt working dir to avoid lock wipes \fI\%#65086\fP
+.IP \(bu 2
+Only attempt to create a keys directory when \fB\-\-gen\-keys\fP is passed to the \fBsalt\-key\fP CLI \fI\%#65093\fP
+.IP \(bu 2
+Fix nonce verification, request server replies do not stomp on eachother. \fI\%#65114\fP
+.IP \(bu 2
+speed up yumpkg list_pkgs by not requiring digest or signature verification on lookup. \fI\%#65152\fP
+.IP \(bu 2
+Fix pkg.latest failing on windows for winrepo packages where the package is already up to date \fI\%#65165\fP
+.IP \(bu 2
+Ensure \fBkwarg\fP is preserved when checking for kwargs.  This change affects proxy minions when used with Deltaproxy, which had kwargs popped when targeting multiple minions id. \fI\%#65179\fP
+.IP \(bu 2
+Fixes traceback when state id is an int in a reactor SLS file. \fI\%#65210\fP
+.IP \(bu 2
+Install logrotate config as /etc/logrotate.d/salt\-common for Debian packages
+Remove broken /etc/logrotate.d/salt directory from 3006.3 if it exists. \fI\%#65231\fP
+.IP \(bu 2
+Use \fBsha256\fP as the default \fBhash_type\fP\&. It has been the default since Salt v2016.9 \fI\%#65287\fP
+.IP \(bu 2
+Preserve ownership on log rotation \fI\%#65288\fP
+.IP \(bu 2
+Ensure that the correct value of jid_inclue is passed if the argument is included in the passed keyword arguments. \fI\%#65302\fP
+.IP \(bu 2
+Uprade relenv to 0.14.2
+.INDENT 2.0
+.IP \(bu 2
+Update openssl to address CVE\-2023\-5363.
+.IP \(bu 2
+Fix bug in openssl setup when openssl binary can\(aqt be found.
+.IP \(bu 2
+Add M1 mac support. \fI\%#65316\fP
+.UNINDENT
+.IP \(bu 2
+Fix regex for filespec adding/deleting fcontext policy in selinux \fI\%#65340\fP
+.IP \(bu 2
+Ensure CLI options take priority over Saltfile options \fI\%#65358\fP
+.IP \(bu 2
+Test mode for state function \fBsaltmod.wheel\fP no longer set\(aqs \fBresult\fP to \fB(None,)\fP \fI\%#65372\fP
+.IP \(bu 2
+Client only process events which tag conforms to an event return. \fI\%#65400\fP
+.IP \(bu 2
+Fixes an issue setting user or machine policy on Windows when the Group Policy
+directory is missing \fI\%#65411\fP
+.IP \(bu 2
+Fix regression in file module which was not re\-using a file client. \fI\%#65450\fP
+.IP \(bu 2
+pip.installed state will now properly fail when a specified user does not exists \fI\%#65458\fP
+.IP \(bu 2
+Publish channel connect callback method properly closes it\(aqs request channel. \fI\%#65464\fP
+.IP \(bu 2
+Ensured the pillar in SSH wrapper modules is the same as the one used in template rendering when overrides are passed \fI\%#65483\fP
+.IP \(bu 2
+Fix file.comment ignore_missing not working with multiline char \fI\%#65501\fP
+.IP \(bu 2
+Warn when an un\-closed transport client is being garbage collected. \fI\%#65554\fP
+.IP \(bu 2
+Only generate the HMAC\(aqs for \fBlibssl.so.1.1\fP and \fBlibcrypto.so.1.1\fP if those files exist. \fI\%#65581\fP
+.IP \(bu 2
+Fixed an issue where Salt Cloud would fail if it could not delete lingering
+PAexec binaries \fI\%#65584\fP
+.UNINDENT
+.SS Added
+.INDENT 0.0
+.IP \(bu 2
+Added Salt support for Debian 12 \fI\%#64223\fP
+.IP \(bu 2
+Added Salt support for Amazon Linux 2023 \fI\%#64455\fP
+.UNINDENT
+.SS Security
+.INDENT 0.0
+.IP \(bu 2
+Bump to \fBcryptography==41.0.4\fP due to \fI\%https://github.com/advisories/GHSA\-v8gr\-m533\-ghj9\fP \fI\%#65268\fP
+.IP \(bu 2
+Bump to \fBcryptography==41.0.7\fP due to \fI\%https://github.com/advisories/GHSA\-jfhm\-5ghh\-2f97\fP \fI\%#65643\fP
+.UNINDENT
 .sp
 See \fI\%Install a release candidate\fP
 for more information about installing an RC when one is available.
@ -478536,6 +478961,34 @@ Bump to \fIcertifi==2023.07.22\fP due to \fI\%https://github.com/advisories/GHSA
 .sp
 Python 3.5 cannot get the updated requirements since certifi no longer supports this python version (#64720)
 .UNINDENT
+.SS Salt 3005.3 Release Notes
+.sp
+Version 3005.3 is a Bug fix release for \fI\%3005\fP\&.
+.SS Changed
+.INDENT 0.0
+.IP \(bu 2
+Fix __env__ and improve cache cleaning see more info at pull #65017. (#65002)
+.UNINDENT
+.SS Security
+.INDENT 0.0
+.IP \(bu 2
+Update to \fIgitpython>=3.1.35\fP due to \fI\%https://github.com/advisories/GHSA\-wfm5\-v35h\-vwf4\fP and \fI\%https://github.com/advisories/GHSA\-cwvm\-v4w8\-q58c\fP (#65167)
+.UNINDENT
+.SS Salt 3005.4 Release Notes
+.sp
+Version 3005.4 is a CVE security fix release for \fI\%3005\fP\&.
+.SS Security
+.INDENT 0.0
+.IP \(bu 2
+Fix CVE\-2023\-34049 by ensuring we do not use a predictable name for the script and correctly check returncode of scp command.
+This only impacts salt\-ssh users using the pre\-flight option. (cve\-2023\-34049)
+.IP \(bu 2
+Bump to \fIcryptography==41.0.4\fP due to \fI\%https://github.com/advisories/GHSA\-v8gr\-m533\-ghj9\fP (#65267)
+.IP \(bu 2
+Bump to \fIurllib3==1.26.17\fP or \fIurllib3==2.0.6\fP due to \fI\%https://github.com/advisories/GHSA\-v845\-jxx5\-vc9f\fP (#65334)
+.IP \(bu 2
+Bump to \fIgitpython==3.1.37\fP due to \fI\%https://github.com/advisories/GHSA\-cwvm\-v4w8\-q58c\fP (#65383)
+.UNINDENT
 .SS Salt 3004 Release Notes \- Codename Silicon
 .SS New Features
 .SS Transactional System Support (MicroOS)
--- a/doc/man/spm.1
+++ b/doc/man/spm.1
@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SPM" "1" "Generated on October 16, 2023 at 05:24:47 PM UTC." "3006.4" "Salt"
+.TH "SPM" "1" "Generated on December 12, 2023 at 05:54:17 PM UTC." "3006.5" "Salt"
 .SH NAME
 spm \- Salt Package Manager Command
 .sp
--- a/doc/topics/releases/3006.5.md
+++ b/doc/topics/releases/3006.5.md
@ -0,0 +1,93 @@
+(release-3006.5)=
+# Salt 3006.5 release notes
+
+<!---
+Do not edit this file. This is auto generated.
+Edit the templates in doc/topics/releases/templates/
+for a given release.
+-->
+
+
+<!--
+Add release specific details below
+-->
+
+<!--
+Do not edit the changelog below.
+This is auto generated.
+-->
+## Changelog
+
+### Removed
+
+- Tech Debt - support for pysss removed due to functionality addition in Python 3.3 [#65029](https://github.com/saltstack/salt/issues/65029)
+
+
+### Fixed
+
+- Improved error message when state arguments are accidentally passed as a string [#38098](https://github.com/saltstack/salt/issues/38098)
+- Allow `pip.install` to create a log file that is passed in if the parent directory is writeable [#44722](https://github.com/saltstack/salt/issues/44722)
+- Fixed merging of complex pillar overrides with salt-ssh states [#59802](https://github.com/saltstack/salt/issues/59802)
+- Fixed gpg pillar rendering with salt-ssh [#60002](https://github.com/saltstack/salt/issues/60002)
+- Made salt-ssh states not re-render pillars unnecessarily [#62230](https://github.com/saltstack/salt/issues/62230)
+- Made Salt maintain options in Debian package repo definitions [#64130](https://github.com/saltstack/salt/issues/64130)
+- Migrated all [`invoke`](https://www.pyinvoke.org/) tasks to [`python-tools-scripts`](https://github.com/s0undt3ch/python-tools-scripts).
+
+  * `tasks/docs.py` -> `tools/precommit/docs.py`
+  * `tasks/docstrings.py` -> `tools/precommit/docstrings.py`
+  * `tasks/loader.py` -> `tools/precommit/loader.py`
+  * `tasks/filemap.py` -> `tools/precommit/filemap.py` [#64374](https://github.com/saltstack/salt/issues/64374)
+- Fix salt user login shell path in Debian packages [#64377](https://github.com/saltstack/salt/issues/64377)
+- Fill out lsb_distrib_xxxx (best estimate) grains if problems with retrieving lsb_release data [#64473](https://github.com/saltstack/salt/issues/64473)
+- Fixed an issue in the ``file.directory`` state where the ``children_only`` keyword
+  argument was not being respected. [#64497](https://github.com/saltstack/salt/issues/64497)
+- Move salt.ufw to correct location /etc/ufw/applications.d/ [#64572](https://github.com/saltstack/salt/issues/64572)
+- Fixed salt-ssh stacktrace when retcode is not an integer [#64575](https://github.com/saltstack/salt/issues/64575)
+- Fixed SSH shell seldomly fails to report any exit code [#64588](https://github.com/saltstack/salt/issues/64588)
+- Fixed some issues in x509_v2 execution module private key functions [#64597](https://github.com/saltstack/salt/issues/64597)
+- Fixed grp.getgrall() in utils/user.py causing performance issues [#64888](https://github.com/saltstack/salt/issues/64888)
+- Fix user.list_groups omits remote groups via sssd, etc. [#64953](https://github.com/saltstack/salt/issues/64953)
+- Ensure sync from _grains occurs before attempting pillar compilation in case custom grain used in pillar file [#65027](https://github.com/saltstack/salt/issues/65027)
+- Moved gitfs locks to salt working dir to avoid lock wipes [#65086](https://github.com/saltstack/salt/issues/65086)
+- Only attempt to create a keys directory when `--gen-keys` is passed to the `salt-key` CLI [#65093](https://github.com/saltstack/salt/issues/65093)
+- Fix nonce verification, request server replies do not stomp on eachother. [#65114](https://github.com/saltstack/salt/issues/65114)
+- speed up yumpkg list_pkgs by not requiring digest or signature verification on lookup. [#65152](https://github.com/saltstack/salt/issues/65152)
+- Fix pkg.latest failing on windows for winrepo packages where the package is already up to date [#65165](https://github.com/saltstack/salt/issues/65165)
+- Ensure __kwarg__ is preserved when checking for kwargs.  This change affects proxy minions when used with Deltaproxy, which had kwargs popped when targeting multiple minions id. [#65179](https://github.com/saltstack/salt/issues/65179)
+- Fixes traceback when state id is an int in a reactor SLS file. [#65210](https://github.com/saltstack/salt/issues/65210)
+- Install logrotate config as /etc/logrotate.d/salt-common for Debian packages
+  Remove broken /etc/logrotate.d/salt directory from 3006.3 if it exists. [#65231](https://github.com/saltstack/salt/issues/65231)
+- Use ``sha256`` as the default ``hash_type``. It has been the default since Salt v2016.9 [#65287](https://github.com/saltstack/salt/issues/65287)
+- Preserve ownership on log rotation [#65288](https://github.com/saltstack/salt/issues/65288)
+- Ensure that the correct value of jid_inclue is passed if the argument is included in the passed keyword arguments. [#65302](https://github.com/saltstack/salt/issues/65302)
+- Uprade relenv to 0.14.2
+   - Update openssl to address CVE-2023-5363.
+   - Fix bug in openssl setup when openssl binary can't be found.
+   - Add M1 mac support. [#65316](https://github.com/saltstack/salt/issues/65316)
+- Fix regex for filespec adding/deleting fcontext policy in selinux [#65340](https://github.com/saltstack/salt/issues/65340)
+- Ensure CLI options take priority over Saltfile options [#65358](https://github.com/saltstack/salt/issues/65358)
+- Test mode for state function `saltmod.wheel` no longer set's `result` to `(None,)` [#65372](https://github.com/saltstack/salt/issues/65372)
+- Client only process events which tag conforms to an event return. [#65400](https://github.com/saltstack/salt/issues/65400)
+- Fixes an issue setting user or machine policy on Windows when the Group Policy
+  directory is missing [#65411](https://github.com/saltstack/salt/issues/65411)
+- Fix regression in file module which was not re-using a file client. [#65450](https://github.com/saltstack/salt/issues/65450)
+- pip.installed state will now properly fail when a specified user does not exists [#65458](https://github.com/saltstack/salt/issues/65458)
+- Publish channel connect callback method properly closes it's request channel. [#65464](https://github.com/saltstack/salt/issues/65464)
+- Ensured the pillar in SSH wrapper modules is the same as the one used in template rendering when overrides are passed [#65483](https://github.com/saltstack/salt/issues/65483)
+- Fix file.comment ignore_missing not working with multiline char [#65501](https://github.com/saltstack/salt/issues/65501)
+- Warn when an un-closed transport client is being garbage collected. [#65554](https://github.com/saltstack/salt/issues/65554)
+- Only generate the HMAC's for ``libssl.so.1.1`` and ``libcrypto.so.1.1`` if those files exist. [#65581](https://github.com/saltstack/salt/issues/65581)
+- Fixed an issue where Salt Cloud would fail if it could not delete lingering
+  PAexec binaries [#65584](https://github.com/saltstack/salt/issues/65584)
+
+
+### Added
+
+- Added Salt support for Debian 12 [#64223](https://github.com/saltstack/salt/issues/64223)
+- Added Salt support for Amazon Linux 2023 [#64455](https://github.com/saltstack/salt/issues/64455)
+
+
+### Security
+
+- Bump to `cryptography==41.0.4` due to https://github.com/advisories/GHSA-v8gr-m533-ghj9 [#65268](https://github.com/saltstack/salt/issues/65268)
+- Bump to `cryptography==41.0.7` due to https://github.com/advisories/GHSA-jfhm-5ghh-2f97 [#65643](https://github.com/saltstack/salt/issues/65643)
--- a/doc/topics/releases/templates/3006.5.md.template
+++ b/doc/topics/releases/templates/3006.5.md.template
@ -0,0 +1,14 @@
+(release-3006.5)=
+# Salt 3006.5 release notes{{ unreleased }}
+{{ warning }}
+
+<!--
+Add release specific details below
+-->
+
+<!--
+Do not edit the changelog below.
+This is auto generated.
+-->
+## Changelog
+{{ changelog }}
--- a/pkg/debian/changelog
+++ b/pkg/debian/changelog
@ -1,3 +1,80 @@
+salt (3006.5) stable; urgency=medium
+
+
+  # Removed
+
+  * Tech Debt - support for pysss removed due to functionality addition in Python 3.3 [#65029](https://github.com/saltstack/salt/issues/65029)
+
+  # Fixed
+
+  * Improved error message when state arguments are accidentally passed as a string [#38098](https://github.com/saltstack/salt/issues/38098)
+  * Allow `pip.install` to create a log file that is passed in if the parent directory is writeable [#44722](https://github.com/saltstack/salt/issues/44722)
+  * Fixed merging of complex pillar overrides with salt-ssh states [#59802](https://github.com/saltstack/salt/issues/59802)
+  * Fixed gpg pillar rendering with salt-ssh [#60002](https://github.com/saltstack/salt/issues/60002)
+  * Made salt-ssh states not re-render pillars unnecessarily [#62230](https://github.com/saltstack/salt/issues/62230)
+  * Made Salt maintain options in Debian package repo definitions [#64130](https://github.com/saltstack/salt/issues/64130)
+  * Migrated all [`invoke`](https://www.pyinvoke.org/) tasks to [`python-tools-scripts`](https://github.com/s0undt3ch/python-tools-scripts).
+
+    * `tasks/docs.py` *> `tools/precommit/docs.py`
+    * `tasks/docstrings.py` *> `tools/precommit/docstrings.py`
+    * `tasks/loader.py` *> `tools/precommit/loader.py`
+    * `tasks/filemap.py` *> `tools/precommit/filemap.py` [#64374](https://github.com/saltstack/salt/issues/64374)
+  * Fix salt user login shell path in Debian packages [#64377](https://github.com/saltstack/salt/issues/64377)
+  * Fill out lsb_distrib_xxxx (best estimate) grains if problems with retrieving lsb_release data [#64473](https://github.com/saltstack/salt/issues/64473)
+  * Fixed an issue in the ``file.directory`` state where the ``children_only`` keyword
+    argument was not being respected. [#64497](https://github.com/saltstack/salt/issues/64497)
+  * Move salt.ufw to correct location /etc/ufw/applications.d/ [#64572](https://github.com/saltstack/salt/issues/64572)
+  * Fixed salt-ssh stacktrace when retcode is not an integer [#64575](https://github.com/saltstack/salt/issues/64575)
+  * Fixed SSH shell seldomly fails to report any exit code [#64588](https://github.com/saltstack/salt/issues/64588)
+  * Fixed some issues in x509_v2 execution module private key functions [#64597](https://github.com/saltstack/salt/issues/64597)
+  * Fixed grp.getgrall() in utils/user.py causing performance issues [#64888](https://github.com/saltstack/salt/issues/64888)
+  * Fix user.list_groups omits remote groups via sssd, etc. [#64953](https://github.com/saltstack/salt/issues/64953)
+  * Ensure sync from _grains occurs before attempting pillar compilation in case custom grain used in pillar file [#65027](https://github.com/saltstack/salt/issues/65027)
+  * Moved gitfs locks to salt working dir to avoid lock wipes [#65086](https://github.com/saltstack/salt/issues/65086)
+  * Only attempt to create a keys directory when `--gen-keys` is passed to the `salt-key` CLI [#65093](https://github.com/saltstack/salt/issues/65093)
+  * Fix nonce verification, request server replies do not stomp on eachother. [#65114](https://github.com/saltstack/salt/issues/65114)
+  * speed up yumpkg list_pkgs by not requiring digest or signature verification on lookup. [#65152](https://github.com/saltstack/salt/issues/65152)
+  * Fix pkg.latest failing on windows for winrepo packages where the package is already up to date [#65165](https://github.com/saltstack/salt/issues/65165)
+  * Ensure __kwarg__ is preserved when checking for kwargs.  This change affects proxy minions when used with Deltaproxy, which had kwargs popped when targeting multiple minions id. [#65179](https://github.com/saltstack/salt/issues/65179)
+  * Fixes traceback when state id is an int in a reactor SLS file. [#65210](https://github.com/saltstack/salt/issues/65210)
+  * Install logrotate config as /etc/logrotate.d/salt-common for Debian packages
+    Remove broken /etc/logrotate.d/salt directory from 3006.3 if it exists. [#65231](https://github.com/saltstack/salt/issues/65231)
+  * Use ``sha256`` as the default ``hash_type``. It has been the default since Salt v2016.9 [#65287](https://github.com/saltstack/salt/issues/65287)
+  * Preserve ownership on log rotation [#65288](https://github.com/saltstack/salt/issues/65288)
+  * Ensure that the correct value of jid_inclue is passed if the argument is included in the passed keyword arguments. [#65302](https://github.com/saltstack/salt/issues/65302)
+  * Uprade relenv to 0.14.2
+     * Update openssl to address CVE-2023-5363.
+     * Fix bug in openssl setup when openssl binary can't be found.
+     * Add M1 mac support. [#65316](https://github.com/saltstack/salt/issues/65316)
+  * Fix regex for filespec adding/deleting fcontext policy in selinux [#65340](https://github.com/saltstack/salt/issues/65340)
+  * Ensure CLI options take priority over Saltfile options [#65358](https://github.com/saltstack/salt/issues/65358)
+  * Test mode for state function `saltmod.wheel` no longer set's `result` to `(None,)` [#65372](https://github.com/saltstack/salt/issues/65372)
+  * Client only process events which tag conforms to an event return. [#65400](https://github.com/saltstack/salt/issues/65400)
+  * Fixes an issue setting user or machine policy on Windows when the Group Policy
+    directory is missing [#65411](https://github.com/saltstack/salt/issues/65411)
+  * Fix regression in file module which was not re-using a file client. [#65450](https://github.com/saltstack/salt/issues/65450)
+  * pip.installed state will now properly fail when a specified user does not exists [#65458](https://github.com/saltstack/salt/issues/65458)
+  * Publish channel connect callback method properly closes it's request channel. [#65464](https://github.com/saltstack/salt/issues/65464)
+  * Ensured the pillar in SSH wrapper modules is the same as the one used in template rendering when overrides are passed [#65483](https://github.com/saltstack/salt/issues/65483)
+  * Fix file.comment ignore_missing not working with multiline char [#65501](https://github.com/saltstack/salt/issues/65501)
+  * Warn when an un-closed transport client is being garbage collected. [#65554](https://github.com/saltstack/salt/issues/65554)
+  * Only generate the HMAC's for ``libssl.so.1.1`` and ``libcrypto.so.1.1`` if those files exist. [#65581](https://github.com/saltstack/salt/issues/65581)
+  * Fixed an issue where Salt Cloud would fail if it could not delete lingering
+    PAexec binaries [#65584](https://github.com/saltstack/salt/issues/65584)
+
+  # Added
+
+  * Added Salt support for Debian 12 [#64223](https://github.com/saltstack/salt/issues/64223)
+  * Added Salt support for Amazon Linux 2023 [#64455](https://github.com/saltstack/salt/issues/64455)
+
+  # Security
+
+  * Bump to `cryptography==41.0.4` due to https://github.com/advisories/GHSA-v8gr-m533-ghj9 [#65268](https://github.com/saltstack/salt/issues/65268)
+  * Bump to `cryptography==41.0.7` due to https://github.com/advisories/GHSA-jfhm-5ghh-2f97 [#65643](https://github.com/saltstack/salt/issues/65643)
+
+
+ -- Salt Project Packaging <saltproject-packaging@vmware.com>  Tue, 12 Dec 2023 17:52:33 +0000
+
 salt (3006.4) stable; urgency=medium


--- a/pkg/rpm/salt.spec
+++ b/pkg/rpm/salt.spec
@ -31,7 +31,7 @@
 %define fish_dir %{_datadir}/fish/vendor_functions.d

 Name:    salt
-Version: 3006.4
+Version: 3006.5
 Release: 0
 Summary: A parallel remote execution system
 Group:   System Environment/Daemons
@ -583,6 +583,80 @@ fi


 %changelog
+* Tue Dec 12 2023 Salt Project Packaging <saltproject-packaging@vmware.com> - 3006.5
+
+# Removed
+
+- Tech Debt - support for pysss removed due to functionality addition in Python 3.3 [#65029](https://github.com/saltstack/salt/issues/65029)
+
+# Fixed
+
+- Improved error message when state arguments are accidentally passed as a string [#38098](https://github.com/saltstack/salt/issues/38098)
+- Allow `pip.install` to create a log file that is passed in if the parent directory is writeable [#44722](https://github.com/saltstack/salt/issues/44722)
+- Fixed merging of complex pillar overrides with salt-ssh states [#59802](https://github.com/saltstack/salt/issues/59802)
+- Fixed gpg pillar rendering with salt-ssh [#60002](https://github.com/saltstack/salt/issues/60002)
+- Made salt-ssh states not re-render pillars unnecessarily [#62230](https://github.com/saltstack/salt/issues/62230)
+- Made Salt maintain options in Debian package repo definitions [#64130](https://github.com/saltstack/salt/issues/64130)
+- Migrated all [`invoke`](https://www.pyinvoke.org/) tasks to [`python-tools-scripts`](https://github.com/s0undt3ch/python-tools-scripts).
+
+  * `tasks/docs.py` -> `tools/precommit/docs.py`
+  * `tasks/docstrings.py` -> `tools/precommit/docstrings.py`
+  * `tasks/loader.py` -> `tools/precommit/loader.py`
+  * `tasks/filemap.py` -> `tools/precommit/filemap.py` [#64374](https://github.com/saltstack/salt/issues/64374)
+- Fix salt user login shell path in Debian packages [#64377](https://github.com/saltstack/salt/issues/64377)
+- Fill out lsb_distrib_xxxx (best estimate) grains if problems with retrieving lsb_release data [#64473](https://github.com/saltstack/salt/issues/64473)
+- Fixed an issue in the ``file.directory`` state where the ``children_only`` keyword
+  argument was not being respected. [#64497](https://github.com/saltstack/salt/issues/64497)
+- Move salt.ufw to correct location /etc/ufw/applications.d/ [#64572](https://github.com/saltstack/salt/issues/64572)
+- Fixed salt-ssh stacktrace when retcode is not an integer [#64575](https://github.com/saltstack/salt/issues/64575)
+- Fixed SSH shell seldomly fails to report any exit code [#64588](https://github.com/saltstack/salt/issues/64588)
+- Fixed some issues in x509_v2 execution module private key functions [#64597](https://github.com/saltstack/salt/issues/64597)
+- Fixed grp.getgrall() in utils/user.py causing performance issues [#64888](https://github.com/saltstack/salt/issues/64888)
+- Fix user.list_groups omits remote groups via sssd, etc. [#64953](https://github.com/saltstack/salt/issues/64953)
+- Ensure sync from _grains occurs before attempting pillar compilation in case custom grain used in pillar file [#65027](https://github.com/saltstack/salt/issues/65027)
+- Moved gitfs locks to salt working dir to avoid lock wipes [#65086](https://github.com/saltstack/salt/issues/65086)
+- Only attempt to create a keys directory when `--gen-keys` is passed to the `salt-key` CLI [#65093](https://github.com/saltstack/salt/issues/65093)
+- Fix nonce verification, request server replies do not stomp on eachother. [#65114](https://github.com/saltstack/salt/issues/65114)
+- speed up yumpkg list_pkgs by not requiring digest or signature verification on lookup. [#65152](https://github.com/saltstack/salt/issues/65152)
+- Fix pkg.latest failing on windows for winrepo packages where the package is already up to date [#65165](https://github.com/saltstack/salt/issues/65165)
+- Ensure __kwarg__ is preserved when checking for kwargs.  This change affects proxy minions when used with Deltaproxy, which had kwargs popped when targeting multiple minions id. [#65179](https://github.com/saltstack/salt/issues/65179)
+- Fixes traceback when state id is an int in a reactor SLS file. [#65210](https://github.com/saltstack/salt/issues/65210)
+- Install logrotate config as /etc/logrotate.d/salt-common for Debian packages
+  Remove broken /etc/logrotate.d/salt directory from 3006.3 if it exists. [#65231](https://github.com/saltstack/salt/issues/65231)
+- Use ``sha256`` as the default ``hash_type``. It has been the default since Salt v2016.9 [#65287](https://github.com/saltstack/salt/issues/65287)
+- Preserve ownership on log rotation [#65288](https://github.com/saltstack/salt/issues/65288)
+- Ensure that the correct value of jid_inclue is passed if the argument is included in the passed keyword arguments. [#65302](https://github.com/saltstack/salt/issues/65302)
+- Uprade relenv to 0.14.2
+   - Update openssl to address CVE-2023-5363.
+   - Fix bug in openssl setup when openssl binary can't be found.
+   - Add M1 mac support. [#65316](https://github.com/saltstack/salt/issues/65316)
+- Fix regex for filespec adding/deleting fcontext policy in selinux [#65340](https://github.com/saltstack/salt/issues/65340)
+- Ensure CLI options take priority over Saltfile options [#65358](https://github.com/saltstack/salt/issues/65358)
+- Test mode for state function `saltmod.wheel` no longer set's `result` to `(None,)` [#65372](https://github.com/saltstack/salt/issues/65372)
+- Client only process events which tag conforms to an event return. [#65400](https://github.com/saltstack/salt/issues/65400)
+- Fixes an issue setting user or machine policy on Windows when the Group Policy
+  directory is missing [#65411](https://github.com/saltstack/salt/issues/65411)
+- Fix regression in file module which was not re-using a file client. [#65450](https://github.com/saltstack/salt/issues/65450)
+- pip.installed state will now properly fail when a specified user does not exists [#65458](https://github.com/saltstack/salt/issues/65458)
+- Publish channel connect callback method properly closes it's request channel. [#65464](https://github.com/saltstack/salt/issues/65464)
+- Ensured the pillar in SSH wrapper modules is the same as the one used in template rendering when overrides are passed [#65483](https://github.com/saltstack/salt/issues/65483)
+- Fix file.comment ignore_missing not working with multiline char [#65501](https://github.com/saltstack/salt/issues/65501)
+- Warn when an un-closed transport client is being garbage collected. [#65554](https://github.com/saltstack/salt/issues/65554)
+- Only generate the HMAC's for ``libssl.so.1.1`` and ``libcrypto.so.1.1`` if those files exist. [#65581](https://github.com/saltstack/salt/issues/65581)
+- Fixed an issue where Salt Cloud would fail if it could not delete lingering
+  PAexec binaries [#65584](https://github.com/saltstack/salt/issues/65584)
+
+# Added
+
+- Added Salt support for Debian 12 [#64223](https://github.com/saltstack/salt/issues/64223)
+- Added Salt support for Amazon Linux 2023 [#64455](https://github.com/saltstack/salt/issues/64455)
+
+# Security
+
+- Bump to `cryptography==41.0.4` due to https://github.com/advisories/GHSA-v8gr-m533-ghj9 [#65268](https://github.com/saltstack/salt/issues/65268)
+- Bump to `cryptography==41.0.7` due to https://github.com/advisories/GHSA-jfhm-5ghh-2f97 [#65643](https://github.com/saltstack/salt/issues/65643)
+
+
 * Mon Oct 16 2023 Salt Project Packaging <saltproject-packaging@vmware.com> - 3006.4

 # Security
				`@ -1 +0,0 @@`
				`Improved error message when state arguments are accidentally passed as a string`
				`@ -1 +0,0 @@`
				Allow `pip.install` to create a log file that is passed in if the parent directory is writeable
				`@ -1 +0,0 @@`
				`Fixed merging of complex pillar overrides with salt-ssh states`
				`@ -1 +0,0 @@`
				`Made salt-ssh states not re-render pillars unnecessarily`
				`@ -1 +0,0 @@`
				`Made Salt maintain options in Debian package repo definitions`
				`@ -1 +0,0 @@`
				`Fix salt user login shell path in Debian packages`
				`@ -1 +0,0 @@`
				`Fill out lsb_distrib_xxxx (best estimate) grains if problems with retrieving lsb_release data`
				`@ -1 +0,0 @@`
				`Move salt.ufw to correct location /etc/ufw/applications.d/`
				`@ -1 +0,0 @@`
				`Fixed salt-ssh stacktrace when retcode is not an integer`
				`@ -1 +0,0 @@`
				`Fixed SSH shell seldomly fails to report any exit code`