From d965abf6edd19b291884eb4fb92ba66a41415ffd Mon Sep 17 00:00:00 2001 From: "Daniel A. Wozniak" Date: Mon, 13 Apr 2020 07:01:39 +0000 Subject: [PATCH] Add 2019.2.4 release notes --- doc/topics/releases/2019.2.4.rst | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 doc/topics/releases/2019.2.4.rst diff --git a/doc/topics/releases/2019.2.4.rst b/doc/topics/releases/2019.2.4.rst new file mode 100644 index 000000000000..fad459ba5cc2 --- /dev/null +++ b/doc/topics/releases/2019.2.4.rst @@ -0,0 +1,24 @@ +=========================== +Salt 2019.2.4 Release Notes +=========================== + +Version 2019.2.4 is a CVE-fix release for :ref:`2019.2.0 `. + +Security Fix +============ + +**CVE-2020-11651** + +An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. +The salt-master process ClearFuncs class does not properly validate +method calls. This allows a remote user to access some methods without +authentication. These methods can be used to retrieve user tokens from +the salt master and/or run arbitrary commands on salt minions. + + +**CVE-2020-11652** + +An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. +The salt-master process ClearFuncs class allows access to some methods +that improperly sanitize paths. These methods allow arbitrary +directory access to authenticated users.
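Review bot: the cross-reference in the intro line, `:ref:`2019.2.0 ``, has no target label after the link text (the role needs the `text <label>` form), so as written Sphinx will emit an unresolved-reference warning and render no link; if the label was lost in extraction, please confirm it is present in the committed file, otherwise supply the 2019.2.0 release-notes label used elsewhere in doc/topics/releases. Two smaller points on the same hunk: the heading reads "Security Fix" but the section lists two CVEs (CVE-2020-11651 and CVE-2020-11652), so "Security Fixes" would match the content; and the notes describe the affected versions ("before 2019.2.4 and 3000 before 3000.2") but never state the remediation outright, so a closing sentence telling users to upgrade to 2019.2.4 or 3000.2, and until then to limit network exposure of the salt-master, would make these notes actionable for operators reading them in isolation.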