Add 2019.2.4 release notes

128technology · Apr 14, 2020 · d965abf · d965abf
1 parent 4631781
commit d965abf
Showing 1 changed file with 24 additions and 0 deletions.
diff --git a/doc/topics/releases/2019.2.4.rst b/doc/topics/releases/2019.2.4.rst
@@ -0,0 +1,24 @@
+===========================
+Salt 2019.2.4 Release Notes
+===========================
+
+Version 2019.2.4 is a CVE-fix release for :ref:`2019.2.0 <release-2019-2-0>`.
+
+Security Fix
+============
+
+**CVE-2020-11651** 
+
+An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2.
+The salt-master process ClearFuncs class does not properly validate
+method calls. This allows a remote user to access some methods without
+authentication. These methods can be used to retrieve user tokens from
+the salt master and/or run arbitrary commands on salt minions.
+
+
+**CVE-2020-11652** 
+
+An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2.
+The salt-master process ClearFuncs class allows access to some methods
+that improperly sanitize paths. These methods allow arbitrary
+directory access to authenticated users.