(release-3006.17)=

Salt 3006.17 release notes

Changelog

Fixed

  • Render post/pre up/down and hwaddr options for debian-ip. See #58210 and #57820. #58210

  • Fix event flood by ensuring we do not retry sending the event indefinitely to the Master of Masters. #61845

  • Prevent _pygit2.GitError: error loading known_hosts with certain pygit2/libgit2 versions. #64121

    • salt-ssh now supports state.sls_exists #66893

  • Allows file.symlink to pass a string to cmd_check #66939

  • Simplified and sped up the utils.json.find_json function #68258

  • Improved runtime performance of chocolatey.installed #68308

  • Add check for vault in opts var #68312

  • Fixed user.present lacking the ability to persist the home directory by adding a persist_home flag. #68322

  • Fixed pkg.installed state showing a warning if the python rpm package is not installed. Fixed pkg.installed state showing a warning and using a slow process fork for version comparison when rpmdevtools is installed. #68341

  • Update pre-commit version used in github workflows to 4.3.0 #68349

  • Fixed issue with network grains in interfaces that don't support ip4 or ip6 #68355

  • Patch tornado for BDSA-2024-3438 #68377

  • Patch tornado for BDSA-2024-3439 #68379

  • Patch tornado for BDSA-2025-4215 #68381

  • Patch tornado for BDSA-2024-9026 #68383

    • Update LZMA to 5.8.2

    • Update ncurses to 6.5

    • Update openssl to 3.5.4

    • Fix shebang creation to work with pip >=25.2

    • Fix python source hash checking

    • Update to recent python versions: 3.12.12, 3.11.14, 3.10.19 and 3.9.24. #68385

  • Fixed the lgpo_reg error when reading REG_BINARY type data in the registry.pol file. #68387

  • Fix leak in SaltMessageServer where the unpacker was re-used on a stream disconnect. #68394

    • Upgrade relenv to 0.21.2:

      • We refresh the ensurepip bundle during every build so new runtimes ship with pip 25.2 and setuptools 80.9.0.

      • Windows builds now pull newer SQLite (3.50.4.0) and XZ (5.6.2) sources, copy in a missing XZ config file, and tweak SBOM metadata; the libexpat update is prepared but only runs on older maintenance releases.

      • Our downloader helpers log more clearly, know about more archive formats, and retry cleanly on transient errors.

      • pip’s changing install API is handled by runtime wrappers that adapt to all of the current signatures.

      • Linux verification tests install pip 25.2/25.3 before building setuptools to make sure that flow keeps working. #68431

  • salt/utils/odict.py has been deprecated and will be removed in 3009. Use the standard library implementation instead. #68440

  • Fixed an issue in the cmd execution module that always returned "Invalid user" for domain users. #68450

  • Fixed authentication protocol version downgrade vulnerability (CVE-2025-62349) by adding minimum_auth_version configuration option (default: 3) to prevent minions from bypassing security features through protocol downgrade attacks.

    BREAKING CHANGE: The default value enforces authentication protocol version 3 or higher. If upgrading a deployment with older minions that do not support protocol v3, you must temporarily set minimum_auth_version: 0 in the master configuration before upgrading the master, then upgrade all minions before removing this override. #68467

  • Fixed unsafe YAML loader usage in junos execution module (CVE-2025-62348) #68469
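
The minimum_auth_version entry above describes a temporary `minimum_auth_version: 0` override that has to be removed once all minions are upgraded. The following is an added example, not part of the Salt release notes or the Salt code base: a small audit that scans master configuration text for a leftover override below the default of 3. The file names and contents in `SAMPLE` are constructed, and the scan assumes the option is written as a top-level scalar.

```python
import re

# Default stated in the release note: protocol version 3 or higher is enforced.
DEFAULT_MIN_AUTH_VERSION = 3

# Top-level YAML scalar only: the key starts in column 0 and is not commented out.
_KEY_RE = re.compile(
    r"^minimum_auth_version[ \t]*:[ \t]*(?P<value>[^#\s]+)", re.MULTILINE
)


def find_overrides(configs):
    """Return (file, line_no, raw_value) for every minimum_auth_version setting.

    `configs` maps a file name to its text content.
    """
    hits = []
    for name, text in configs.items():
        for m in _KEY_RE.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            hits.append((name, line_no, m.group("value").strip("'\"")))
    return hits


def audit(configs, required=DEFAULT_MIN_AUTH_VERSION):
    """Return findings for settings that lower the floor or cannot be parsed."""
    findings = []
    for name, line_no, raw in find_overrides(configs):
        try:
            value = int(raw)
        except ValueError:
            findings.append((name, line_no, raw, "not an integer"))
            continue
        if value < required:
            findings.append((name, line_no, raw, f"below required version {required}"))
    return findings


# Constructed sample input (illustrative file names and contents).
SAMPLE = {
    "/etc/salt/master": "interface: 0.0.0.0\n# minimum_auth_version: 0\nworker_threads: 5\n",
    "/etc/salt/master.d/upgrade.conf": "# temporary, remove after minion upgrade\nminimum_auth_version: 0\n",
    "/etc/salt/master.d/auth.conf": "minimum_auth_version: 3\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("%s:%d minimum_auth_version=%s (%s)" % finding)
```

To run it against a real master, build the `configs` mapping by reading the master configuration file and any included files, then pass it to `audit`.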