Merge pull request saltstack#291 from saltstack/3004.1-releasenotes

Update release notes

CHANGELOG.md

@@ -15,9 +15,9 @@ Security
 
 - Sign authentication replies to prevent MiTM (cve-2022-22935)
 - Prevent job and fileserver replays (cve-2022-22936)
-- Fix denial of service in junos ifconfig output parsing. (cve-2022-22937)
 - Sign pillar data to prevent MiTM attacks. (cve-2202-22934)
 - Fixed targeting bug, especially visible when using syndic and user auth. (CVE-2022-22941) (#60413)
+- Fix denial of service in junos ifconfig output parsing.
 
 
 Salt 3004 (2021-10-11)

doc/topics/releases/3004.1.rst

@@ -6,11 +6,28 @@ Salt 3004.1 Release Notes
 
 Version 3004.1 is a CVE security fix release for :ref:`3004 <release-3004>`.
 
+Important notice about upgrading
+--------------------------------
+
+Version 3004.1 is a security release. 3004.1 minions are not able to
+communicate with masters older than 3004.1. You must upgrade your masters
+before upgrading minions.
+
+Minion authentication security
+------------------------------
+
+Authentication between masters and minions rely on public/private key
+encryption and message signing. To secure minion authentication before you must
+pre-seed the master's public key on minions. To pre-seed the minions' master
+key, place a copy of the master's public key in the minion's pki directory as
+``minion_master.pub``.
+
+
 Security
 --------
 
 - Sign authentication replies to prevent MiTM (cve-2022-22935)
 - Prevent job and fileserver replays (cve-2022-22936)
-- Fix denial of service in junos ifconfig output parsing. (cve-2022-22937)
 - Sign pillar data to prevent MiTM attacks. (cve-2202-22934)
 - Fixed targeting bug, especially visible when using syndic and user auth. (CVE-2022-22941) (#60413)
+- Fix denial of service in junos ifconfig output parsing.