===========================
Salt 2019.2.4 Release Notes
===========================

Version 2019.2.4 is a CVE-fix release for :ref:`2019.2.0 <release-2019-2-0>`.

Security Fix
============

**CVE-2020-11651** 

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2.
The salt-master process ClearFuncs class does not properly validate
method calls. This allows a remote user to access some methods without
authentication. These methods can be used to retrieve user tokens from
the salt master and/or run arbitrary commands on salt minions.


**CVE-2020-11652** 

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2.
The salt-master process ClearFuncs class allows access to some methods
that improperly sanitize paths. These methods allow arbitrary
directory access to authenticated users.
