[Bug] Authentication downgrade

[dwoz]

What happened?

CVE-2025-62349

Authentication downgrade attack.There's a vulnerability in 3006.12+ and 3007.4+ that allows minion impersonation via a downgrade attack. It is possible to circumvent the fixes for CVE-2024-38822 by using an earlier payload format for Req server messages.

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Attribution: Barney Sowood <barney@corsac.uk>

Type of salt install

Official deb

Major version

3006.x

What supported OS are you seeing the problem on? Can select multiple. (If bug appears on an unsupported OS, please open a GitHub Discussion instead)

debian-12

salt --versions-report output

n/a

[hailfinger]

Thank you for the fix. There is one documentation issue in #68468 : It is impossible to check the authentication version supported by a given minion version just by looking at the documentation for minimum_auth_version.
A table like "authentication version x is supported by release 3004.1 and later, version y is supported by 3006.12 and later" would be extremely helpful in determining if all minions in a mixed-version fleet support any given authentication version.

[whytewolf]

Thank you for the fix. There is one documentation issue in #68468 : It is impossible to check the authentication version supported by a given minion version just by looking at the documentation for minimum_auth_version. A table like "authentication version x is supported by release 3004.1 and later, version y is supported by 3006.12 and later" would be extremely helpful in determining if all minions in a mixed-version fleet support any given authentication version.

that is a good thing that needs documentation. for the record after looking at the commits that introduced the version changes

here is what i found, in case someone wants to add the documentation for it.

---

version 3 introduced into 3007: v3007.4
version 3 introduced into 3006: v3006.12
version 2 introduced: v3005
everything before v3005 will count as version 0 since versioning wasn't a thing
before that and the payload didn't have versions.