===========================
Salt 2019.2.4 Release Notes
===========================

Version 2019.2.4 is a CVE-fix release for :ref:`2019.2.0 <release-2019-2-0>`.

Security Fix
============

**CVE-2020-11651**

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2.
The salt-master process ClearFuncs class does not properly validate
method calls. This allows a remote user to access some methods without
authentication. These methods can be used to retrieve user tokens from
the salt master and/or run arbitrary commands on salt minions.


**CVE-2020-11652**

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2.
The salt-master process ClearFuncs class allows access to some methods
that improperly sanitize paths. These methods allow arbitrary
directory access to authenticated users.


Known Issue
===========

Part of the fix for CVE-2020-11651 added better validation of the methods allowed to be called by remote clients.
Both AESFuncs and ClearFuncs now have an explicit list of methods that can be called.
The name of one of these whitelisted methods on AESFuncs had a typo.
The _minion_runner method should be minion_runner (without the underscore prefix).
This typo breaks the publish module’s runner method.
Calling runners, for example:

.. code-block:: bash

    salt minion publish.runner manage.down

will not work, and you will receive an empty reply from the salt master.

This will be addressed in the 3001 release of Salt set for mid-June 2020.

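The explicit allow-list dispatch described above, together with a pre-deployment check that would have caught the typo, as an added illustration. This is constructed Python, not Salt's own code: the class, the ``expose_methods`` attribute and the method bodies are stand-ins modelled on the names in the note.

```python
import inspect


class AESFuncs:
    """Stand-in for a salt-master request handler (constructed example, not Salt's code)."""

    # Explicit allow list of methods remote clients may invoke, the pattern the
    # CVE-2020-11651 fix introduced. "_minion_runner" reproduces the typo from the
    # Known Issue above; the real method is "minion_runner".
    expose_methods = frozenset(["minion_pub", "_minion_runner", "_return"])

    def minion_pub(self, load):
        return {"published": load.get("fun")}

    def minion_runner(self, load):
        return {"runner": load.get("fun")}

    def _return(self, load):
        return {"stored": True}

    def run_func(self, func, load):
        """Dispatch ``func`` only if it is allow-listed and resolves to a real method.

        Any rejection yields {} (an empty reply), mirroring the empty reply the
        release note describes for publish.runner.
        """
        if func not in self.expose_methods:
            return {}
        method = getattr(self, func, None)
        if not callable(method):
            return {}
        return method(load)


def allowlist_inconsistencies(cls):
    """Pre-deployment check: allow-list entries that are not methods on ``cls``.

    A non-empty result means a legitimate call path will be silently rejected;
    here it surfaces the "_minion_runner" typo.
    """
    return sorted(
        name for name in cls.expose_methods
        if not inspect.isfunction(getattr(cls, name, None))
    )


if __name__ == "__main__":
    print(AESFuncs().run_func("minion_runner", {"fun": "manage.down"}))  # {}
    print(allowlist_inconsistencies(AESFuncs))  # ['_minion_runner']
```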