Salt minions (clients), come with a descriptive id and a crypto key each. Attaching a minion to a master (server) boils down to "accepting its key" with a command on the master. Now it can happen that after one minion is fully accepted, a second one presents itself to the master with the same id but different key. In that case, Salt will figure out that the key is different and reject the second minion, assuming it is an impostor. Due to Salt's caching mechanisms, I found out that under certain circumstances Salt commands can reach, read data from and write data to, both minions ("original" and "impostor"). That includes pillar data, which is supposed to be secret to a certain minion. References: http://seclists.org/oss-sec/2016/q4/526
Fedora 25, package salt, is not vulnerable because it currently has salt-2016.3.3-3.fc25 in stable
Created salt tracking bugs for this issue: Affects: epel-all [bug 1399223]