Confusing disclosure timeline: While the vulnerabilities were disclosed today, it is worth noting that fixes for all three vulnerabilities were committed and disclosed to GitHub much earlier.<p>For example, the fix for CVE-2020-16846 was pushed to GitHub as early as August 18th, and the Salt client test cases for the shell injection flaw also mention multiple Zero-Day Initiative (ZDI) IDs, such as ZDI-CAN-11143. The date of the original report on this identifier, however, is June 2020 as shown in BleepingComputer's post.