[Bug] Authentication downgrade

[dwoz]

What happened?

CVE-2025-62349

Authentication downgrade attack.There's a vulnerability in 3006.12+ and 3007.4+ that allows minion impersonation via a downgrade attack. It is possible to circumvent the fixes for CVE-2024-38822 by using an earlier payload format for Req server messages.

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Attribution: Barney Sowood <barney@corsac.uk>

Type of salt install

Official deb

Major version

3006.x

What supported OS are you seeing the problem on? Can select multiple. (If bug appears on an unsupported OS, please open a GitHub Discussion instead)

debian-12

salt --versions-report output

n/a

[hailfinger]

Thank you for the fix. There is one documentation issue in #68468 : It is impossible to check the authentication version supported by a given minion version just by looking at the documentation for minimum_auth_version.
A table like "authentication version x is supported by release 3004.1 and later, version y is supported by 3006.12 and later" would be extremely helpful in determining if all minions in a mixed-version fleet support any given authentication version.