(release-3006.24)=

Salt 3006.24 release notes

Changelog

Fixed

  • Fixed inotify file descriptor leak in beacons. When beacons are refreshed (e.g. during module refresh or pillar refresh), the old beacon modules are now properly closed before creating new ones, preventing exhaustion of the inotify instance limit. Also fixed beacon delete not calling the beacon's close function, causing resource leaks and CPU spin after deleting beacons at runtime via beacons.delete. #66449

  • Fixed x509_v2.certificate_managed state failing if another state.apply is queued #66929

  • Fixed x509_v2 private_key_managed failing on Windows due to default mode argument #66942

  • Windows LGPO / audit policy: Advanced audit policy is now read and applied through the Windows security API (AuditQuerySystemPolicy / AuditSetSystemPolicy) instead of parsing auditpol.exe output, so behavior no longer depends on the system locale. #68354

  • Decouple the pub timeout from opts timeout. Programmatic usage of client now has a 30 second timeout. #68597

  • Fix salt-call and salt-pip to honor configured user for privilege dropping #68684

  • Fix mac_brew_pkg.list_pkgs crashing or producing incorrect results when Homebrew returns null values for cask metadata:

    • When the installed version of a cask is null (e.g. Homebrew cannot determine the installed version), it is now reported as "unknown" instead of raising an error.

    • When full_token is null, it is now filtered out so that None is never used as a package name key in the returned dictionary. #68763

    • Prevented generation of spurious ppbt toolchain in /root/.local on RPM upgrade

    • Stale pycache files now get cleaned up on RPM upgrade #68781

  • Ensure Salt file and directory ownership is correctly detected and preserved when upgrading RPM and Debian packages, particularly when running Salt as a non-root user. #68793

  • Upgrade relenv to 0.22.5 which pins openssl to an LTS version (3.5.x) #68803

  • Patch the vendored tornado version to account for CVE patches that have been applied. #68820

  • Made x509_v2 certificate_managed respect copypath and prepend_cn parameters #68828

  • Upgrade pyopenssl to >= 26.0.0

    • CVE-2026-27459

    • CVE-2026-27448 #68832

  • Patch tornado for BDSA-2025-60810 #68853

  • Patch tornado for BDSA-2026-3867 #68854

  • Fixed source package builds (DEB/RPM) failing with LookupError: hatchling is already being built by adding hatchling to the --only-binary allow-list so pip uses its universal wheel instead of attempting a circular source build. #68858

  • Upgrade relenv to 0.22.7

    • Upgrade Python versions to 3.12.13, 3.11.15, 3.10.20

      • CVE-2024-6923: Header injection in email module

      • CVE-2026-24515, CVE-2026-25210, CVE-2025-59375: XML memory amplification and libexpat vulnerabilities

    • SQLite 3.51.3.0

      • CVE-2025-70873: Heap memory disclosure in zipfile extension

      • CVE-2025-7709: Integer overflow in FTS5 extension

      • Fixes WAL-reset bug preventing database corruption

    • XZ Utils 5.8.3

      • CVE-2026-34743: Buffer overflow in lzma_index_append()

    • Expat 2.7.5

      • CVE-2026-32776: NULL pointer dereference in external parameter entities

      • CVE-2026-32777: Infinite loop in entityValueProcessor

      • CVE-2026-32778: NULL pointer dereference during OOM recovery #68884

  • Minion properly closes pub channel when authentication to the master fails, which prevents leaking file handles. #68901

  • Patch tornado for BDSA-2026-6522 #68920

  • Perl 5.42.2.1

    • CVE-2026-4176: Memory corruption in Compress::Raw::Zlib core module

    • CVE-2026-3381 / CVE-2026-27171: zlib vulnerabilities within compression capabilities

  • OpenSSL 3.5.6

    • CVE-2026-31790: Leakage from uninitialized memory in RSA KEM RSASVE

    • CVE-2026-2673: Loss of key agreement group tuple structure

    • CVE-2026-28387: Potential use-after-free in DANE client code

    • CVE-2026-28388: DoS via NULL pointer dereference in delta CRL processing

    • CVE-2026-31789: Heap buffer overflow in hexadecimal conversion

    • CVE-2026-28389 / CVE-2026-28390: NULL pointer dereferences in CMS processing

  • SQLite 3.53.0.0

    • CVE-2025-6965: High-severity memory corruption flaw in aggregate terms #68986