From 410c624f7a0654ab8f9cad581ddd77097a83f3fb Mon Sep 17 00:00:00 2001
From: Ch3LL
Date: Wed, 27 Sep 2017 12:25:30 -0400
Subject: [PATCH 1/5] [2017.7] Bump latest and previous versions

---
 doc/conf.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc/conf.py b/doc/conf.py
index de8db8ea90..4facdc0176 100644
--- a/doc/conf.py
+++ b/doc/conf.py
@@ -245,8 +245,8 @@ on_saltstack = 'SALT_ON_SALTSTACK' in os.environ
 project = 'Salt'
 version = salt.version.__version__
-latest_release = '2017.7.1' # latest release
-previous_release = '2016.11.7' # latest release from previous branch
+latest_release = '2017.7.2' # latest release
+previous_release = '2016.11.8' # latest release from previous branch
 previous_release_dir = '2016.11' # path on web server for previous branch
 next_release = '' # next release
 next_release_dir = '' # path on web server for next release branch

From 4a77560646b50d48270d59e7078d301e6eee5f84 Mon Sep 17 00:00:00 2001
From: Joseph Hall
Date: Thu, 5 Oct 2017 09:51:38 -0600
Subject: [PATCH 2/5] Don't try to modify dict while looping through it

---
 salt/cloud/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/cloud/__init__.py b/salt/cloud/__init__.py
index 73327724ef..c70d9aff2e 100644
--- a/salt/cloud/__init__.py
+++ b/salt/cloud/__init__.py
@@ -234,7 +234,7 @@ class CloudClient(object):
 if a.get('provider', '')]
 if providers:
 _providers = opts.get('providers', {})
- for provider in list(_providers):
+ for provider in list(_providers).copy():
 if provider not in providers:
 _providers.pop(provider)
 return opts

From 254dac7723d7a2d63d34f7f3b774626ec39a007c Mon Sep 17 00:00:00 2001
From: twangboy
Date: Thu, 5 Oct 2017 16:47:32 -0600
Subject: [PATCH 3/5] Fix `unit.utils.test_utils` for Windows

Use os agnostic path seps
Mock sys.platform to not return win

---
 tests/unit/utils/test_utils.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
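Review bot: `for provider in list(_providers).copy():` is a no-op relative to the line it replaces, because `list(_providers)` already materializes a snapshot of the keys before the loop starts; `.copy()` only duplicates that throwaway list, and the loop was never iterating the dict that `_providers.pop(provider)` mutates. If a "dictionary changed size during iteration" error was observed, it is not coming from this line and the real site is still unfixed. If the intent is to make the snapshot explicit, keep the original `for provider in list(_providers):` and add a why-comment such as `# iterate over a snapshot: the body pops entries from _providers`. The enclosing method starts before this hunk.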
diff --git a/tests/unit/utils/test_utils.py b/tests/unit/utils/test_utils.py
index 6e5958e112..245af7f45f 100644
--- a/tests/unit/utils/test_utils.py
+++ b/tests/unit/utils/test_utils.py
@@ -99,7 +99,7 @@ class UtilsTestCase(TestCase):
 def test_path_join(self):
 with patch('salt.utils.is_windows', return_value=False) as is_windows_mock:
 self.assertFalse(is_windows_mock.return_value)
- expected_path = '/a/b/c/d'
+ expected_path = os.path.join(os.sep + 'a', 'b', 'c', 'd')
 ret = utils.path_join('/a/b/c', 'd')
 self.assertEqual(ret, expected_path)
@@ -985,7 +985,8 @@ class UtilsTestCase(TestCase):
 ret = utils.daemonize_if({})
 self.assertEqual(None, ret)
- with patch('salt.utils.daemonize'):
+ with patch('salt.utils.daemonize'), \
+ patch('sys.platform', 'not windows'):
 utils.daemonize_if({})
 self.assertTrue(utils.daemonize.called)
 # pylint: enable=assignment-from-none

From 9a4f6a260f7bc5a47d17538bf76161a40cee605d Mon Sep 17 00:00:00 2001
From: Erik Johnson
Date: Fri, 6 Oct 2017 13:38:24 -0500
Subject: [PATCH 4/5] Fix fileclient's get_url when redirecting to a redirect

When a 30x leads to a 200 OK, we properly reset write_body[0] so that we save the body of the response. However, when both A) a 30x redirects to another 30x and B) we've already determined the encoding from the Content-Type (and thus set write_body[2]), then we don't properly set write_body[0], resulting in a zero-length file.

This commit fixes this by also resetting the write_body[2] when following redirects, so that we make sure we are getting the encoding for the request to the URL that resulted in the 200 instead of the one that resulted in the 30x.
---
 salt/fileclient.py | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/salt/fileclient.py b/salt/fileclient.py
index fc396fcc56..26d831fdd0 100644
--- a/salt/fileclient.py
+++ b/salt/fileclient.py
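Review bot: `patch('sys.platform', 'not windows')` in the second hunk installs a sentinel that is not a value `sys.platform` can ever hold, so if `daemonize_if` or anything it calls also branches on other platform prefixes the test drives a path no real host takes. A real value documents the intent and keeps the mock honest: `patch('sys.platform', 'linux'):` with a comment `# force the non-Windows branch so daemonize_if reaches salt.utils.daemonize`. The platform check this mock is meant to defeat is presumably a `startswith('win')` inside `daemonize_if`, which is not visible here, and the enclosing test method starts before the hunk.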
@@ -623,10 +623,11 @@ class Client(object):
 if write_body[1] is not False and write_body[2] is None:
 if not hdr.strip() and 'Content-Type' not in write_body[1]:
 # We've reached the end of the headers and not yet
- # found the Content-Type. Reset the values we're
- # tracking so that we properly follow the redirect.
- write_body[0] = None
- write_body[1] = False
+ # found the Content-Type. Reset write_body[0] so that
+ # we properly follow the redirect. Note that slicing is
+ # used below to ensure that we re-use the same list
+ # rather than creating a new one.
+ write_body[0:2] = (None, False)
 return
 # Try to find out what content type encoding is used if
 # this is a text file
@@ -648,9 +649,12 @@ class Client(object):
 # If write_body[0] is False, this means that this
 # header is a 30x redirect, so we need to reset
 # write_body[0] to None so that we parse the HTTP
- # status code from the redirect target.
+ # status code from the redirect target. Additionally,
+ # we need to reset write_body[2] so that we inspect the
+ # headers for the Content-Type of the URL we're
+ # following.
 if write_body[0] is write_body[1] is False:
- write_body[0] = None
+ write_body[0] = write_body[2] = None
 # Check the status line of the HTTP request
 if write_body[0] is None:

From 57fd6f7bcb4f20583caaf21a372339f35b50f681 Mon Sep 17 00:00:00 2001
From: Ch3LL
Date: Wed, 27 Sep 2017 14:56:04 -0400
Subject: [PATCH 5/5] Add Security Notes to 2017.7.2 Release Notes

---
 doc/topics/releases/2017.7.2.rst | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/doc/topics/releases/2017.7.2.rst b/doc/topics/releases/2017.7.2.rst
index 1f823d7417..c9123529cb 100644
--- a/doc/topics/releases/2017.7.2.rst
+++ b/doc/topics/releases/2017.7.2.rst
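Review bot: The new comment in the first hunk gives a wrong rationale for `write_body[0:2] = (None, False)`: it says slicing is needed to re-use the same list, but the two item assignments it replaces (`write_body[0] = None`, `write_body[1] = False`) also mutate the list in place, and only rebinding the name (`write_body = [...]`) would create a new object, which neither version does. A misleading justification will outlive the code, so replace the last two sentences with what the reset is for, e.g. `# End of headers with no Content-Type: clear the status (0) and header-tracking (1) slots so the redirect is followed.` With write_body[2] now cleared on every 30x in the second hunk, each hop re-derives its encoding from the next hop's Content-Type, which is the right behaviour; note that nothing in these hunks bounds the length of the redirect chain or checks that the final target keeps the original scheme and host, so it is worth confirming the request options elsewhere in get_url do, since the body is written to disk as a file the minion will act on. The on_header callback and the enclosing get_url both start and end outside these hunks.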
@@ -7,6 +7,13 @@ Version 2017.7.2 is a bugfix release for :ref:`2017.7.0 `.
 Changes for v2017.7.1..v2017.7.2
 --------------------------------
+Security Fix
+============
+
+CVE-2017-14695 Directory traversal vulnerability in minion id validation in SaltStack. Allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. Credit for discovering the security flaw goes to: Julian Brost (julian@0x4a42.net)
+
+CVE-2017-14696 Remote Denial of Service with a specially crafted authentication request. Credit for discovering the security flaw goes to: Julian Brost (julian@0x4a42.net)
+
 Extended changelog courtesy of Todd Stansell (https://github.com/tjstansell/salt-changelogs):
 *Generated at: 2017-09-26T21:06:19Z*