Salt 3002.8 (2022-02-25)

Version 3002.8 is a CVE security fix release for 3002.

Important notice about upgrading

Version 3002.8 is a security release. 3002.8 minions are not able to communicate with masters older than 3002.8. You must upgrade your masters before upgrading minions.

Minion authentication security

Authentication between masters and minions relies on public/private key encryption and message signing. To secure minion authentication, you must pre-seed the master's public key on minions. To pre-seed the master's key on a minion, place a copy of the master's public key in the minion's pki directory as minion_master.pub.
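The pre-seeding step above, as an added shell example (not part of the Salt release notes or the Salt project's code). The function name `preseed_master_key`, its return codes and the SHA-256 check against a digest obtained out of band are assumptions of this example; `sha256sum` is assumed to be available.

```shell
# Added example: copy the master's public key into a minion's pki directory
# as minion_master.pub, but only if it matches a digest obtained out of band.
# Usage (paths are illustrative; /etc/salt/pki/minion is the usual Linux default):
#   preseed_master_key ./master.pub /etc/salt/pki/minion "$EXPECTED_SHA256"
# Returns: 0 installed or already present, 1 I/O error,
#          2 digest mismatch, 3 a different key is already pinned.
preseed_master_key() {
    src=$1
    pki_dir=$2
    expected=$3
    dest="$pki_dir/minion_master.pub"

    [ -f "$src" ] || { echo "missing key file: $src" >&2; return 1; }

    # Verify the copy we were handed before trusting it.
    actual=$(sha256sum "$src" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $src: got $actual" >&2
        return 2
    fi

    # Never silently replace an already pinned master key.
    if [ -f "$dest" ]; then
        if cmp -s "$src" "$dest"; then
            return 0
        fi
        echo "refusing to replace a different existing key at $dest" >&2
        return 3
    fi

    mkdir -p "$pki_dir" || return 1
    # Write to a temp file in the same directory, then rename atomically.
    tmp=$(mktemp "$pki_dir/.minion_master.pub.XXXXXX") || return 1
    cat "$src" > "$tmp" && chmod 644 "$tmp" && mv "$tmp" "$dest" || {
        rm -f "$tmp"
        return 1
    }
}
```

A return code of 3 means the minion already has a different master key pinned, which should be investigated rather than overwritten.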

Security

  • Sign authentication replies to prevent MiTM (CVE-2020-22935)

  • Sign pillar data to prevent MiTM attacks. (CVE-2022-22934)

  • Prevent job and fileserver replays (cve-2022-22936)

  • Fixed targeting bug, especially visible when using syndic and user auth. (CVE-2022-22941) (#60413)