author Matt Davis <mrd@redhat.com> 2019-10-17 09:28:29 -0700
committer Matt Davis <mrd@redhat.com> 2019-10-17 09:28:29 -0700
commit 9bdb89f740a87bcf760424577ce18a8f68d7a741
tree 58ff7f1b6d4326a8a05ccaa744655a9fcad5a4e6
parent 87f8d77d70476454f7fe2381bd363a329ce4266c
New release v2.6.20

-rw-r--r-- changelogs/.changes.yaml 8
-rw-r--r-- changelogs/CHANGELOG-v2.6.rst 18
-rw-r--r-- changelogs/fragments/v2.6.20_summary.yaml 3
-rw-r--r-- lib/ansible/release.py 2
4 files changed, 30 insertions, 1 deletions
diff --git a/changelogs/.changes.yaml b/changelogs/.changes.yaml
index 7cba7302b2..2afc2f98d3 100644
--- a/changelogs/.changes.yaml
+++ b/changelogs/.changes.yaml
@@ -501,6 +501,14 @@ releases:
- win_unzip_share-discard-cmdlet-output.yaml
- win_user-validate-fixes.yaml
release_date: '2018-07-27'
+ 2.6.20:
+ codename: Heartbreaker
+ fragments:
+ - boto-logging-credentials.yml
+ - dont-template-cli-passwords.yml
+ - no-log-sub-options-invalid-parameter.yaml
+ - v2.6.20_summary.yaml
+ release_date: '2019-10-17'
2.6.3:
codename: Heartbreaker
fragments:
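Review bot: the four added `fragments:` entries under `2.6.20` mix file extensions, two `.yml` (`boto-logging-credentials.yml`, `dont-template-cli-passwords.yml`) and two `.yaml`. Settle on one extension for changelog fragments so that any glob or tooling matching only one of them cannot silently drop a security entry from the release notes. Separately, the new key lands between the `'2018-07-27'` entry and `2.6.3`, so the file is in string order rather than release order; that is fine if the file is generated, but worth noting for anyone reading it by hand.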
diff --git a/changelogs/CHANGELOG-v2.6.rst b/changelogs/CHANGELOG-v2.6.rst
index 6a4e1d5c05..76d26612cc 100644
--- a/changelogs/CHANGELOG-v2.6.rst
+++ b/changelogs/CHANGELOG-v2.6.rst
@@ -2,6 +2,24 @@
Ansible 2.6 "Heartbreaker" Release Notes
========================================
+v2.6.20
+=======
+
+Release Summary
+---------------
+
+| Release Date: 2019-10-17
+| `Porting Guide <https://docs.ansible.com/ansible/devel/porting_guides.html>`__
+
+
+Bugfixes
+--------
+
+- **SECURITY** - CVE-2019-14846 - Several Ansible plugins could disclose aws credentials in log files. inventory/aws_ec2.py, inventory/aws_rds.py, lookup/aws_account_attribute.py, and lookup/aws_secret.py, lookup/aws_ssm.py use the boto3 library from the Ansible process. The boto3 library logs credentials at log level DEBUG. If Ansible's logging was enabled (by setting LOG_PATH to a value) Ansible would set the global log level to DEBUG. This was inherited by boto and would then log boto credentials to the file specified by LOG_PATH. This did not affect aws ansible modules as those are executed in a separate process. This has been fixed by switching to log level INFO
+- **security issue** - Convert CLI provided passwords to text initially, to prevent unsafe context being lost when converting from bytes->text during post processing of PlayContext. This prevents CLI provided passwords from being incorrectly templated (CVE-2019-14856)
+
+- **security issue** - properly hide parameters marked with ``no_log`` in suboptions when invalid parameters are passed to the module (CVE-2019-14858)
+
v2.6.19
=======
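Review bot: the CVE-2019-14846 entry under the new `Bugfixes` heading says credentials were written "to the file specified by LOG_PATH" but does not tell operators that log files written before the upgrade may still contain them; add a sentence advising that existing logs be reviewed and any exposed AWS credentials rotated, since the switch to INFO only stops new leakage. The three security entries are also labelled inconsistently (`**SECURITY** - CVE-... -` leading on the first, `**security issue** - ... (CVE-...)` trailing on the other two), which makes them harder to grep for; use one label and one CVE position. Smaller points in the first entry: the file list has a misplaced "and" before `lookup/aws_secret.py`, "aws" should be "AWS", and the final sentence lacks a period. The blank line between the second and third bullets but not between the first and second is also inconsistent.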
diff --git a/changelogs/fragments/v2.6.20_summary.yaml b/changelogs/fragments/v2.6.20_summary.yaml
new file mode 100644
index 0000000000..b136c13811
--- /dev/null
+++ b/changelogs/fragments/v2.6.20_summary.yaml
@@ -0,0 +1,3 @@
+release_summary: |
+ | Release Date: 2019-10-17
+ | `Porting Guide <https://docs.ansible.com/ansible/devel/porting_guides.html>`__
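Review bot: the `Porting Guide` link in the added `release_summary` points at the `devel` docs tree, which will drift away from what applies to a 2.6 maintenance release; link to documentation pinned to this branch instead. Since all three fragments in this release are CVE fixes, the summary would also be the natural place to say that this is a security release, so readers who only see the summary know to upgrade.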
diff --git a/lib/ansible/release.py b/lib/ansible/release.py
index 7736c38edc..dca886d00d 100644
--- a/lib/ansible/release.py
+++ b/lib/ansible/release.py
@@ -19,6 +19,6 @@
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
-__version__ = '2.6.19.post0'
+__version__ = '2.6.20'
__author__ = 'Ansible, Inc.'
__codename__ = 'Heartbreaker'