Merge branch '2016.11' into '2017.7'

Conflicts: - salt/utils/versions.py - tests/unit/modules/test_boto_elb.py - tests/unit/modules/test_boto_secgroup.py - tests/unit/states/test_boto_vpc.py
2025-04-17 10:10:20 +00:00 · 2017-08-17 09:10:31 -04:00 · 2017-08-17 09:10:31 -04:00 · 8a0f948e4a
commit 8a0f948e4a
parent 82be9dceb6 1ee9499d28
11 changed files with 85 additions and 47 deletions
--- a/doc/topics/cloud/action.rst
+++ b/doc/topics/cloud/action.rst
@ -21,7 +21,7 @@ Or you may specify a map which includes all VMs to perform the action on:

    $ salt-cloud -a reboot -m /path/to/mapfile

-The following is a list of actions currently supported by salt-cloud:
+The following is an example list of actions currently supported by ``salt-cloud``:

 .. code-block:: yaml

@ -36,5 +36,5 @@ The following is a list of actions currently supported by salt-cloud:
        - start
        - stop

-Another useful reference for viewing more salt-cloud actions is the
-:ref:Salt Cloud Feature Matrix <salt-cloud-feature-matrix>
+Another useful reference for viewing more ``salt-cloud`` actions is the
+:ref:`Salt Cloud Feature Matrix <salt-cloud-feature-matrix>`.
--- a/doc/topics/cloud/function.rst
+++ b/doc/topics/cloud/function.rst
@ -26,5 +26,5 @@ gathering information about instances on a provider basis:
    $ salt-cloud -f list_nodes_full linode
    $ salt-cloud -f list_nodes_select linode

-Another useful reference for viewing salt-cloud functions is the
+Another useful reference for viewing ``salt-cloud`` functions is the
 :ref:`Salt Cloud Feature Matrix <salt-cloud-feature-matrix>`.
--- a/doc/topics/cloud/joyent.rst
+++ b/doc/topics/cloud/joyent.rst
@ -49,7 +49,7 @@ Set up an initial profile at ``/etc/salt/cloud.profiles`` or in the

 .. code-block:: yaml

-    joyent_512
+    joyent_512:
      provider: my-joyent-config
      size: g4-highcpu-512M
      image: ubuntu-16.04
--- a/doc/topics/releases/2016.11.7.rst
+++ b/doc/topics/releases/2016.11.7.rst
@ -3,3 +3,13 @@ Salt 2016.11.7 Release Notes
 ============================

 Version 2016.11.7 is a bugfix release for :ref:`2016.11.0 <release-2016-11-0>`.
+
+Changes for v2016.11.6..v2016.11.7
+----------------------------------
+
+Security Fix
+============
+
+CVE-2017-12791 Maliciously crafted minion IDs can cause unwanted directory traversals on the Salt-master
+
+Correct a flaw in minion id validation which could allow certain minions to authenticate to a master despite not having the correct credentials. To exploit the vulnerability, an attacker must create a salt-minion with an ID containing characters that will cause a directory traversal. Credit for discovering the security flaw goes to: Vernhk@qq.com
--- a/salt/cloud/clouds/nova.py
+++ b/salt/cloud/clouds/nova.py
@ -728,12 +728,18 @@ def request_instance(vm_=None, call=None):

        else:
            pool = floating_ip_conf.get('pool', 'public')
-            for fl_ip, opts in six.iteritems(conn.floating_ip_list()):
-                if opts['fixed_ip'] is None and opts['pool'] == pool:
-                    floating_ip = fl_ip
-                    break
-            if floating_ip is None:
+            try:
                floating_ip = conn.floating_ip_create(pool)['ip']
+            except Exception:
+                log.info('A new IP address was unable to be allocated. '
+                         'An IP address will be pulled from the already allocated list, '
+                         'This will cause a race condition when building in parallel.')
+                for fl_ip, opts in six.iteritems(conn.floating_ip_list()):
+                    if opts['fixed_ip'] is None and opts['pool'] == pool:
+                        floating_ip = fl_ip
+                        break
+                if floating_ip is None:
+                    log.error('No IP addresses available to allocate for this server: {0}'.format(vm_['name']))

        def __query_node_data(vm_):
            try:
--- a/salt/modules/win_pkg.py
+++ b/salt/modules/win_pkg.py
@ -1281,21 +1281,22 @@ def install(name=None, refresh=False, pkgs=None, **kwargs):
        #Compute msiexec string
        use_msiexec, msiexec = _get_msiexec(pkginfo[version_num].get('msiexec', False))

+        # Build cmd and arguments
+        # cmd and arguments must be seperated for use with the task scheduler
+        if use_msiexec:
+            cmd = msiexec
+            arguments = ['/i', cached_pkg]
+            if pkginfo['version_num'].get('allusers', True):
+                arguments.append('ALLUSERS="1"')
+            arguments.extend(salt.utils.shlex_split(install_flags))
+        else:
+            cmd = cached_pkg
+            arguments = salt.utils.shlex_split(install_flags)
+
        # Install the software
        # Check Use Scheduler Option
        if pkginfo[version_num].get('use_scheduler', False):

-            # Build Scheduled Task Parameters
-            if use_msiexec:
-                cmd = msiexec
-                arguments = ['/i', cached_pkg]
-                if pkginfo['version_num'].get('allusers', True):
-                    arguments.append('ALLUSERS="1"')
-                arguments.extend(salt.utils.shlex_split(install_flags))
-            else:
-                cmd = cached_pkg
-                arguments = salt.utils.shlex_split(install_flags)
-
            # Create Scheduled Task
            __salt__['task.create_task'](name='update-salt-software',
                                         user_name='System',
@ -1309,21 +1310,43 @@ def install(name=None, refresh=False, pkgs=None, **kwargs):
                                         start_time='01:00',
                                         ac_only=False,
                                         stop_if_on_batteries=False)
+
            # Run Scheduled Task
-            if not __salt__['task.run_wait'](name='update-salt-software'):
-                log.error('Failed to install {0}'.format(pkg_name))
-                log.error('Scheduled Task failed to run')
-                ret[pkg_name] = {'install status': 'failed'}
-        else:
-            # Build the install command
-            cmd = []
-            if use_msiexec:
-                cmd.extend([msiexec, '/i', cached_pkg])
-                if pkginfo[version_num].get('allusers', True):
-                    cmd.append('ALLUSERS="1"')
+            # Special handling for installing salt
+            if pkg_name in ['salt-minion', 'salt-minion-py3']:
+                ret[pkg_name] = {'install status': 'task started'}
+                if not __salt__['task.run'](name='update-salt-software'):
+                    log.error('Failed to install {0}'.format(pkg_name))
+                    log.error('Scheduled Task failed to run')
+                    ret[pkg_name] = {'install status': 'failed'}
+                else:
+
+                    # Make sure the task is running, try for 5 secs
+                    from time import time
+                    t_end = time() + 5
+                    while time() < t_end:
+                        task_running = __salt__['task.status'](
+                                'update-salt-software') == 'Running'
+                        if task_running:
+                            break
+
+                    if not task_running:
+                        log.error(
+                            'Failed to install {0}'.format(pkg_name))
+                        log.error('Scheduled Task failed to run')
+                        ret[pkg_name] = {'install status': 'failed'}
+
+            # All other packages run with task scheduler
            else:
-                cmd.append(cached_pkg)
-            cmd.extend(salt.utils.shlex_split(install_flags))
+                if not __salt__['task.run_wait'](name='update-salt-software'):
+                    log.error('Failed to install {0}'.format(pkg_name))
+                    log.error('Scheduled Task failed to run')
+                    ret[pkg_name] = {'install status': 'failed'}
+        else:
+
+            # Combine cmd and arguments
+            cmd = [cmd].extend(arguments)
+
            # Launch the command
            result = __salt__['cmd.run_all'](cmd,
                                             cache_path,
--- a/salt/modules/win_task.py
+++ b/salt/modules/win_task.py
@ -1259,7 +1259,7 @@ def status(name, location='\\'):
    task_service = win32com.client.Dispatch("Schedule.Service")
    task_service.Connect()

-    # get the folder to delete the folder from
+    # get the folder where the task is defined
    task_folder = task_service.GetFolder(location)
    task = task_folder.GetTask(name)

--- a/salt/utils/reactor.py
+++ b/salt/utils/reactor.py
@ -283,6 +283,9 @@ class ReactWrap(object):
                # Update called function's low data with event user to
                # segregate events fired by reactor and avoid reaction loops
                kwargs['__user__'] = self.event_user
+                # Replace ``state`` kwarg which comes from high data compiler.
+                # It breaks some runner functions and seems unnecessary.
+                kwargs['__state__'] = kwargs.pop('state')

            l_fun(*f_call.get('args', ()), **kwargs)
        except Exception:
--- a/salt/utils/schedule.py
+++ b/salt/utils/schedule.py
@ -846,6 +846,12 @@ class Schedule(object):

            ret['return'] = self.functions[func](*args, **kwargs)

+            # runners do not provide retcode
+            if 'retcode' in self.functions.pack['__context__']:
+                ret['retcode'] = self.functions.pack['__context__']['retcode']
+
+            ret['success'] = True
+
            data_returner = data.get('returner', None)
            if data_returner or self.schedule_returner:
                if 'return_config' in data:
@ -862,7 +868,6 @@ class Schedule(object):
                for returner in OrderedDict.fromkeys(rets):
                    ret_str = '{0}.returner'.format(returner)
                    if ret_str in self.returners:
-                        ret['success'] = True
                        self.returners[ret_str](ret)
                    else:
                        log.info(
@ -871,11 +876,6 @@ class Schedule(object):
                            )
                        )

-            # runners do not provide retcode
-            if 'retcode' in self.functions.pack['__context__']:
-                ret['retcode'] = self.functions.pack['__context__']['retcode']
-
-            ret['success'] = True
        except Exception:
            log.exception("Unhandled exception running {0}".format(ret['fun']))
            # Although catch-all exception handlers are bad, the exception here
--- a/salt/utils/versions.py
+++ b/salt/utils/versions.py
@ -11,7 +11,7 @@
    because on python 3 you can no longer compare strings against integers.
 '''

-# Import pytohn libs
+# Import python libs
 from __future__ import absolute_import
 # pylint: disable=blacklisted-module
 from distutils.version import StrictVersion as _StrictVersion
@ -19,7 +19,7 @@ from distutils.version import LooseVersion as _LooseVersion
 # pylint: enable=blacklisted-module

 # Import 3rd-party libs
-import salt.ext.six as six
+from salt.ext import six


 class StrictVersion(_StrictVersion):
--- a/tests/unit/states/test_boto_vpc.py
+++ b/tests/unit/states/test_boto_vpc.py
@ -11,15 +11,11 @@ from tests.support.unit import skipIf, TestCase
 from tests.support.mock import NO_MOCK, NO_MOCK_REASON, patch

 # Import Salt libs
-import salt.config
-import salt.loader
 import salt.utils.boto
 from salt.ext import six
 from salt.utils.versions import LooseVersion
 import salt.states.boto_vpc as boto_vpc

-# Import test suite libs
-
 # pylint: disable=import-error,unused-import
 from tests.unit.modules.test_boto_vpc import BotoVpcTestCaseMixin