forked from mirrors/nixpkgs
b21b92947e
This addresses the following security issues:
* CVE-2019-14846 - Several Ansible plugins could disclose aws
credentials in log files. inventory/aws_ec2.py, inventory/aws_rds.py,
lookup/aws_account_attribute.py, and lookup/aws_secret.py,
lookup/aws_ssm.py use the boto3 library from the Ansible process. The
boto3 library logs credentials at log level DEBUG. If Ansible's
logging was enabled (by setting LOG_PATH to a value) Ansible would set
the global log level to DEBUG. This was inherited by boto and would
then log boto credentials to the file specified by LOG_PATH. This did
not affect aws ansible modules as those are executed in a separate
process. This has been fixed by switching to log level INFO
* Convert CLI provided passwords to text initially, to prevent unsafe
context being lost when converting from bytes->text during post
processing of PlayContext. This prevents CLI provided passwords from
being incorrectly templated (CVE-2019-14856)
* properly hide parameters marked with no_log in suboptions when
invalid parameters are passed to the module (CVE-2019-14858)
* resolves CVE-2019-10206, by avoiding templating passwords from
prompt as it is probable they have special characters.
* Handle improper variable substitution that was happening in
safe_eval, it was always meant to just do 'type enforcement' and have
Jinja2 deal with all variable interpolation. Also see CVE-2019-10156
Changelog:
|
||
---|---|---|
.. | ||
acme.sh | ||
adtool | ||
amazon-ecr-credential-helper | ||
analog | ||
ansible | ||
aws-env | ||
aws-google-auth | ||
aws-rotate-key | ||
aws-vault | ||
aws_shell | ||
awscli | ||
awslogs | ||
awsweeper | ||
azure-cli | ||
berglas | ||
bluemix-cli | ||
boulder | ||
bubblewrap | ||
certbot | ||
certigo | ||
chkcrontab | ||
clair | ||
cli53 | ||
daemontools | ||
dehydrated | ||
docker-credential-gcr | ||
eksctl | ||
elasticsearch-curator | ||
fastlane | ||
fbvnc | ||
gixy | ||
google-cloud-sdk | ||
gtk-vnc | ||
iamy | ||
intecture | ||
lego | ||
lxd | ||
mycli | ||
nomachine-client | ||
oxidized | ||
pebble | ||
procs | ||
pulumi | ||
salt | ||
scaleway-cli | ||
sec | ||
sewer | ||
simp_le | ||
ssl-cert-check | ||
swiftclient | ||
tigervnc | ||
tightvnc | ||
virtscreen | ||
vncdo |