CVE-2017-12791 Maliciously crafted minion IDs can cause unwanted directory traversals on the Salt-master
Correct a flaw in minion id validation which could allow certain minions to authenticate to a master despite not having the correct credentials. To exploit the vulnerability, an attacker must create a salt-minion with an ID containing characters that will cause a directory traversal. Credit for discovering the security flaw goes to: Vernhk@qq.com
Extended changelog courtesy of Todd Stansell (https://github.com/tjstansell/salt-changelogs):
*Generated at: 2017-07-26T01:09:40Z*
Statistics:
- Total Merges: **11**
- Total Issue references: **9**
- Total PR references: **22**
Changes:
-**PR**`#42548`_: (*gtmanfred*) pass in empty kwarg for reactor
@ *2017-07-26T00:41:20Z*
-**ISSUE**`#460`_: (*whiteinge*) Add a topic and a ref for modules/states/returners/renderers/runners
| refs: `#42548`_
* 711b742c54 Merge pull request `#42548`_ from gtmanfred/2017.7.1
* 0257c1dc32 pass in empty kwarg for reactor
* b948e980d2 update chunk, not kwarg in chunk
-**PR**`#42522`_: (*gtmanfred*) pacman wildcard is only for repository installs
@ *2017-07-24T20:51:05Z*
-**ISSUE**`#42519`_: (*xuhcc*) Error when installing package from file under Arch Linux
| refs: `#42522`_
* 50c1635dcc Merge pull request `#42522`_ from gtmanfred/2017.7.1
* 7787fb9e1b pacman wildcard is only for repository installs
-**PR**`#42508`_: (*rallytime*) Back-port `#42474`_ to 2017.7.1
@ *2017-07-24T20:49:51Z*
-**PR**`#42474`_: (*whiteinge*) Cmd arg kwarg parsing test
| refs: `#42508`_
-**PR**`#39646`_: (*terminalmage*) Handle deprecation of passing string args to load_args_and_kwargs
| refs: `#42474`_
* 05c07ac049 Merge pull request `#42508`_ from rallytime/`bp-42474`_
* 76fb074433 Add a test.arg variant that cleans the pub kwargs by default
* 624f63648e Lint fixes
* d246a5fc61 Add back support for string kwargs
* 854e098aa0 Add LocalClient.cmd test for arg/kwarg parsing
-**PR**`#42472`_: (*rallytime*) Back-port `#42435`_ to 2017.7.1
@ *2017-07-24T15:11:13Z*
-**ISSUE**`#42427`_: (*grichmond-salt*) Issue Passing Variables created from load_json as Inline Pillar Between States
| refs: `#42435`_
-**PR**`#42435`_: (*terminalmage*) Modify our custom YAML loader to treat unicode literals as unicode strings
| refs: `#42472`_
* 95fe2558e4 Merge pull request `#42472`_ from rallytime/`bp-42435`_
* 5c47af5b98 Modify our custom YAML loader to treat unicode literals as unicode strings
-**PR**`#42473`_: (*rallytime*) Back-port `#42436`_ to 2017.7.1
@ *2017-07-24T15:10:29Z*
-**ISSUE**`#42374`_: (*tyhunt99*) [2017.7.0] salt-run mange.versions throws exception if minion is offline or unresponsive
| refs: `#42436`_
-**PR**`#42436`_: (*garethgreenaway*) Fixes to versions function in manage runner
| refs: `#42473`_
* 5b99d45f54 Merge pull request `#42473`_ from rallytime/`bp-42436`_
* 82ed919803 Updating the versions function inside the manage runner to account for when a minion is offline and we are unable to determine it's version.
-**PR**`#42471`_: (*rallytime*) Back-port `#42399`_ to 2017.7.1
@ *2017-07-24T15:09:50Z*
-**ISSUE**`#42381`_: (*zebooka*) Git.detached broken in 2017.7.0
