(release-3006.24)=
# Salt 3006.24 release notes

## Changelog

### Fixed

- Fixed inotify file descriptor leak in beacons. When beacons are refreshed (e.g. during module refresh or pillar refresh), the old beacon modules are now properly closed before creating new ones, preventing exhaustion of the inotify instance limit. Also fixed beacon delete not calling the beacon's close function, causing resource leaks and CPU spin after deleting beacons at runtime via `beacons.delete`. #66449
- Fixed x509_v2.certificate_managed state failing if another state.apply is queued #66929
- Fixed x509_v2 private_key_managed failing on Windows due to default `mode` argument #66942
- Windows LGPO / audit policy: Advanced audit policy is now read and applied through the Windows security API (AuditQuerySystemPolicy / AuditSetSystemPolicy) instead of parsing auditpol.exe output, so behavior no longer depends on the system locale. #68354
- Decouple the pub timeout from opts timeout. Programmatic usage of client now has a 30 second timeout. #68597
- Fix salt-call and salt-pip to honor configured user for privilege dropping #68684
- Fix `mac_brew_pkg.list_pkgs` crashing or producing incorrect results when Homebrew returns `null` values for cask metadata:
  - When the installed version of a cask is `null` (e.g. Homebrew cannot determine the installed version), it is now reported as `"unknown"` instead of raising an error.
  - When `full_token` is `null`, it is now filtered out so that `None` is never used as a package name key in the returned dictionary. #68763
- Prevented generation of spurious ppbt toolchain in /root/.local on RPM upgrade.
  Stale pycache files now get cleaned up on RPM upgrade. #68781
- Ensure Salt file and directory ownership is correctly detected and preserved when upgrading RPM and Debian packages, particularly when running Salt as a non-root user. #68793
- Upgrade relenv to 0.22.5, which pins openssl to an LTS version (3.5.x) #68803
- Patch the vendored tornado version to account for CVE patches that have been applied. #68820
- Made x509_v2 certificate_managed respect `copypath` and `prepend_cn` parameters #68828
- Upgrade pyopenssl to >= 26.0.0
  - CVE-2026-27459
  - CVE-2026-27448 #68832
- Patch tornado for BDSA-2025-60810 #68853
- Patch tornado for BDSA-2026-3867 #68854
- Fixed source package builds (DEB/RPM) failing with `LookupError: hatchling is already being built` by adding `hatchling` to the `--only-binary` allow-list so pip uses its universal wheel instead of attempting a circular source build. #68858
- Upgrade relenv to 0.22.7
  - Upgrade Python versions 3.12.13, 3.11.15, 3.10.20
    - CVE-2024-6923: Header injection in email module
    - CVE-2026-24515, CVE-2026-25210, CVE-2025-59375: XML memory amplification and libexpat vulnerabilities
  - SQLite 3.51.3.0
    - CVE-2025-70873: Heap memory disclosure in zipfile extension
    - CVE-2025-7709: Integer overflow in FTS5 extension
    - Fixes WAL-reset bug preventing database corruption
  - XZ Utils 5.8.3
    - CVE-2026-34743: Buffer overflow in lzma_index_append()
  - Expat 2.7.5
    - CVE-2026-32776: NULL pointer dereference in external parameter entities
    - CVE-2026-32777: Infinite loop in entityValueProcessor
    - CVE-2026-32778: NULL pointer dereference during OOM recovery #68884
- Minion properly closes pub channel when authentication to the master fails, preventing leaked file handles. #68901
- Patch tornado for BDSA-2026-6522 #68920
- Perl 5.42.2.1
  - CVE-2026-4176: Memory corruption in Compress::Raw::Zlib core module
  - CVE-2026-3381 / CVE-2026-27171: zlib vulnerabilities within compression capabilities

  OpenSSL 3.5.6
  - CVE-2026-31790: Leakage from uninitialized memory in RSA KEM RSASVE
  - CVE-2026-2673: Loss of key agreement group tuple structure
  - CVE-2026-28387: Potential use-after-free in DANE client code
  - CVE-2026-28388: DoS via NULL pointer dereference in delta CRL processing
  - CVE-2026-31789: Heap buffer overflow in hexadecimal conversion
  - CVE-2026-28389 / CVE-2026-28390: NULL pointer dereferences in CMS processing

  SQLite 3.53.0.0
  - CVE-2025-6965: High-severity memory corruption flaw in aggregate terms #68986