author: Matt Clay <matt@mystile.com> 2020-04-16 16:36:14 -0700
committer: Matt Clay <matt@mystile.com> 2020-04-16 16:36:14 -0700
commit: f78a5b184c6f8b1bc774ed795a2bd36d38f6506b (patch)
tree: d6654582d96a42cffe6065f941a69fa02626ff2b
parent: 0b224d657ddd25b997720038adc52aefe9e714f1 (diff)
New release v2.7.17 (tag: v2.7.17)
-rw-r--r--  changelogs/.changes.yaml                   17
-rw-r--r--  changelogs/CHANGELOG-v2.7.rst              36
-rw-r--r--  changelogs/fragments/v2.7.17_summary.yaml   3
-rw-r--r--  lib/ansible/release.py                      2
4 files changed, 57 insertions, 1 deletions
diff --git a/changelogs/.changes.yaml b/changelogs/.changes.yaml
index b6f68063e9..5f45fb18de 100644
--- a/changelogs/.changes.yaml
+++ b/changelogs/.changes.yaml
@@ -682,6 +682,23 @@ releases:
- solaris_zone_name_fix.yml
- v2.7.16_summary.yaml
release_date: '2020-01-15'
+ 2.7.17:
+ codename: In the Light
+ fragments:
+ - af_clean.yml
+ - ansible-test-constraints-virtualenv.yml
+ - ansible-test-jinja2-python-2.6.yml
+ - ansible-test-opensuse-15.1.yml
+ - ansible-test-rhel-7.8.yml
+ - fetch_no_slurp.yml
+ - ldap-params-removal.yml
+ - remote_mkdir_fix.yml
+ - subversion_password.yaml
+ - v2.7.17_summary.yaml
+ - vault_tmp_file.yml
+ - vault_tmp_race_fix.yml
+ - win-unzip-check-extraction-path.yml
+ release_date: '2020-04-16'
2.7.2:
codename: In the Light
fragments:
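Review bot: In the new 2.7.17 fragments list, "subversion_password.yaml" uses the .yaml extension while every other non-summary fragment added here uses .yml. Suggest renaming it to .yml so the fragment names in this release follow one convention.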
diff --git a/changelogs/CHANGELOG-v2.7.rst b/changelogs/CHANGELOG-v2.7.rst
index 4b32348168..74288f9949 100644
--- a/changelogs/CHANGELOG-v2.7.rst
+++ b/changelogs/CHANGELOG-v2.7.rst
@@ -5,6 +5,42 @@ Ansible 2.7 "In the Light" Release Notes
.. contents:: Topics
+v2.7.17
+=======
+
+Release Summary
+---------------
+
+| Release Date: 2020-04-16
+| `Porting Guide <https://docs.ansible.com/ansible/devel/porting_guides.html>`__
+
+
+Minor Changes
+-------------
+
+- ansible-test - Upgrade OpenSUSE containers to use Leap 15.1.
+- ansible-test now supports testing against RHEL 7.8 when using the ``--remote`` option.
+
+Removed Features (previously deprecated)
+----------------------------------------
+
+- ldap_attr, ldap_entry - The ``params`` option has been removed in Ansible-2.10 as it circumvents Ansible's option handling. Setting ``bind_pw`` with the ``params`` option was disallowed in Ansible-2.7, 2.8, and 2.9 as it was insecure. For information about this policy, see the discussion at: https://meetbot.fedoraproject.org/ansible-meeting/2017-09-28/ansible_dev_meeting.2017-09-28-15.00.log.html This fixes CVE-2020-1746
+
+Bugfixes
+--------
+
+- **security issue** - The ``subversion`` module provided the password via the svn command line option ``--password`` and can be retrieved from the host's /proc/<pid>/cmdline file. Update the module to use the secure ``--password-from-stdin`` option instead, and add a warning in the module and in the documentation if svn version is too old to support it. (CVE-2020-1739)
+
+- **security issue** win_unzip - normalize paths in archive to ensure extracted files do not escape from the target directory (CVE-2020-1737)
+
+- **security_issue** - create temporary vault file with strict permissions when editing and prevent race condition (CVE-2020-1740)
+- Ensure DataLoader temp files are removed at appropriate times and that we observe the LOCAL_TMP setting.
+- Ensure we don't allow ansible_facts subkey of ansible_facts to override top level, also fix 'deprefixing' to prevent key transforms.
+- Ensure we get an error when creating a remote tmp if it already exists. CVE-2020-1733
+- In fetch action, avoid using slurp return to set up dest, also ensure no dir traversal CVE-2019-3828.
+- ansible-test - Use ``virtualenv`` versions before 20 on provisioned macOS instances to remain compatible with an older pip install.
+- ansible-test now limits Jinja2 installs to version 2.10 and earlier on Python 2.6
+
v2.7.16
=======
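Review bot: The security entries under Bugfixes are labelled three different ways ("**security issue** -", "**security issue** win_unzip -", "**security_issue** -"), and the CVE-2020-1733 and CVE-2019-3828 entries carry no security label at all, with the CVE id as trailing text rather than in parentheses. Anyone searching the changelog for security fixes will miss some of them; suggest one prefix and one "(CVE-...)" form for all five. Separately, the ldap_attr, ldap_entry entry sits under "Removed Features" in the v2.7.17 section but says the option "has been removed in Ansible-2.10", so it does not state what changes for 2.7.17 users, and the URL runs straight into "This fixes CVE-2020-1746" without punctuation.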
diff --git a/changelogs/fragments/v2.7.17_summary.yaml b/changelogs/fragments/v2.7.17_summary.yaml
new file mode 100644
index 0000000000..e239de64d0
--- /dev/null
+++ b/changelogs/fragments/v2.7.17_summary.yaml
@@ -0,0 +1,3 @@
+release_summary: |
+ | Release Date: 2020-04-16
+ | `Porting Guide <https://docs.ansible.com/ansible/devel/porting_guides.html>`__
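Review bot: The Porting Guide link in release_summary points at the "devel" documentation tree, which moves with the development branch and will drift away from what applies to 2.7. Suggest linking to a version-pinned porting guide for the 2.7 series so the release notes keep pointing at matching content.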
diff --git a/lib/ansible/release.py b/lib/ansible/release.py
index dcfcc1c659..1bf4f61f66 100644
--- a/lib/ansible/release.py
+++ b/lib/ansible/release.py
@@ -19,6 +19,6 @@
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
-__version__ = '2.7.16.post0'
+__version__ = '2.7.17'
__author__ = 'Ansible, Inc.'
__codename__ = 'In the Light'
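Review bot: "__version__ = '2.7.17'" replaces '2.7.16.post0', so once the release is tagged the branch needs a follow-up bump back to a post-release version; otherwise later builds from this branch will report themselves as the 2.7.17 release. Worth confirming that the follow-up is queued and that this value matches the 2.7.17 entries added to the changelog files in this commit.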