A flaw in minion id validation was found which could allow certain minions to authenticate to a master despite not having the correct credentials. To exploit the vulnerability, an attacker must create a salt-minion with an ID containing characters that will cause a directory traversal.

External References:

https://docs.saltstack.com/en/2016.11/topics/releases/2016.11.7.html
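
The kind of check this flaw calls for, shown as an added example that is not Salt's code or the upstream patch: a minion id is accepted only if it names a file directly inside the key directory. `PKI_DIR`, the function names and the sample ids are hypothetical and constructed for illustration.

```python
import os

# Hypothetical directory standing in for a master's accepted-keys store.
PKI_DIR = "/srv/example-master/pki/minions"

# Characters that let an id escape or truncate a path component.
FORBIDDEN = ("/", "\\", "\0")


def is_safe_minion_id(minion_id, pki_dir=PKI_DIR):
    """Return True only if the id maps to a file directly inside pki_dir."""
    if not isinstance(minion_id, str) or not minion_id:
        return False
    if minion_id in (".", ".."):
        return False
    if any(ch in minion_id for ch in FORBIDDEN):
        return False
    # Defence in depth: resolve the final path and confirm containment.
    root = os.path.realpath(pki_dir)
    candidate = os.path.realpath(os.path.join(root, minion_id))
    return os.path.dirname(candidate) == root


def key_path_for(minion_id, pki_dir=PKI_DIR):
    """Build the key file path, refusing ids that fail validation."""
    if not is_safe_minion_id(minion_id, pki_dir):
        raise ValueError("rejected minion id: %r" % (minion_id,))
    return os.path.join(os.path.realpath(pki_dir), minion_id)


# Constructed sample ids: ordinary hostnames and traversal-shaped values.
SAMPLES = ["web01.example.com", "db-2", "../other/web01", "a/../../b",
           "..", "evil\\..\\x", "host\0.pub", ""]

if __name__ == "__main__":
    for s in SAMPLES:
        print("%-28r %s" % (s, "accept" if is_safe_minion_id(s) else "reject"))
```

Validation has to run before the id is used to build any filesystem path, so a rejected id never reaches the key lookup.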
Created salt tracking bugs for this issue:

Affects: epel-all [bug 1482007]
Affects: fedora-all [bug 1482008]
Upstream Fix:

https://github.com/saltstack/salt/pull/42944
https://github.com/saltstack/salt/pull/42944/commits/63823f8c3ed02e7809fc8e61972d289bf233a9ed