3
0
Fork 0
forked from mirrors/nixpkgs
nixpkgs/pkgs/development/python-modules/ansible/default.nix
Andreas Rammhold 71cde971c7 ansible_2_8: 2.8.4 -> 2.8.7
This addresses the following security issues:

  * Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs (CVE-2019-14864)
  * CVE-2019-14846 - Several Ansible plugins could disclose aws
    credentials in log files. inventory/aws_ec2.py, inventory/aws_rds.py,
    lookup/aws_account_attribute.py, and lookup/aws_secret.py,
    lookup/aws_ssm.py use the boto3 library from the Ansible process. The
    boto3 library logs credentials at log level DEBUG. If Ansible's
    logging was enabled (by setting LOG_PATH to a value) Ansible would set
    the global log level to DEBUG. This was inherited by boto and would
    then log boto credentials to the file specified by LOG_PATH. This did
    not affect aws ansible modules as those are executed in a separate
    process. This has been fixed by switching to log level INFO
  * Convert CLI provided passwords to text initially, to prevent unsafe
    context being lost when converting from bytes->text during post
    processing of PlayContext. This prevents CLI provided passwords from
    being incorrectly templated (CVE-2019-14856)
  * properly hide parameters marked with no_log in suboptions when
    invalid parameters are passed to the module (CVE-2019-14858)

Changelog: 24220a618a/changelogs/CHANGELOG-v2.8.rst
2019-12-15 21:25:02 +01:00

58 lines
1.2 KiB
Nix

{ lib
, fetchFromGitHub
, buildPythonPackage
, pycrypto
, paramiko
, jinja2
, pyyaml
, httplib2
, six
, netaddr
, dnspython
, jmespath
, dopy
, ncclient
, windowsSupport ? false
, pywinrm
}:
buildPythonPackage rec {
pname = "ansible";
version = "2.8.7";
src = fetchFromGitHub {
owner = "ansible";
repo = "ansible";
rev = "v${version}";
sha256 = "08vqjk85j0g1x0iad03d7ysws433dikii8j2lr3a1mlx6d186vv8";
};
prePatch = ''
# ansible-connection is wrapped, so make sure it's not passed
# through the python interpreter.
sed -i "s/\[python, /[/" lib/ansible/executor/task_executor.py
'';
postInstall = ''
for m in docs/man/man1/*; do
install -vD $m -t $out/share/man/man1
done
'';
propagatedBuildInputs = [
pycrypto paramiko jinja2 pyyaml httplib2
six netaddr dnspython jmespath dopy ncclient
] ++ lib.optional windowsSupport pywinrm;
# dificult to test
doCheck = false;
meta = with lib; {
homepage = http://www.ansible.com;
description = "Radically simple IT automation";
license = [ licenses.gpl3 ] ;
maintainers = with maintainers; [ joamaki costrouc ];
platforms = platforms.linux ++ platforms.darwin;
};
}