The second fix was reportedly necessary after SaltStack did not participate in coordinated disclosure.
Article Link: https://www.zdnet.com/article/saltstack-revises-partial-patch-for-command-injection-privilege-escalation-vulnerability/#ftag=RSSbaffb68