salt/doc/topics/releases/3005.2.rst

Salt 3005.2 Release Notes

Version 3005.2 is a CVE security fix release for 3005 <release-3005>.

Changed

• Additional required package upgrades
  • It's now pyzmq>=20.0.0 on all platforms, and <=22.0.3 just for windows.
  • Upgrade to pyopenssl==23.0.0 due to the cryptography upgrade. (#63757)

Security

• fix CVE-2023-20897 by catching exception instead of letting exception disrupt connection (cve-2023-20897)

• Fixed gitfs cachedir_basename to avoid hash collisions. Added MP Lock to gitfs. These changes should stop race conditions. (cve-2023-20898)

• Upgrade to requests==2.31.0

  Due to:

  • https://github.com/advisories/GHSA-j8r2-6x86-q33q (#64336)

• Upgrade to cryptography==41.0.3(and therefor pyopenssl==23.2.0 due to https://github.com/advisories/GHSA-jm77-qphf-c4w8)

  Also resolves the following cryptography advisories:

  Due to:

  • https://github.com/advisories/GHSA-5cpq-8wj7-hf2v
  • https://github.com/advisories/GHSA-x4qr-2fvf-3mr5
  • https://github.com/advisories/GHSA-w7pp-m8wf-vj6r

  There is no security upgrade available for Py3.5 (#64595)

• Bump to certifi==2023.07.22 due to https://github.com/advisories/GHSA-xqr8-7jwr-rhp7

  Python 3.5 cannot get the updated requirements since certifi no longer supports this python version (#64720)