author Matt Davis <mrd@redhat.com> 2020-01-15 14:34:18 -0800
committer Matt Davis <mrd@redhat.com> 2020-01-15 14:34:18 -0800
commit 8fd406ee8e3a14be72b3cbbfe91d03fe35952f95
tree 11d94c28997de07d30af03ef0fcf3d7aecf3f7a7
parent 7c7d33400680f8e411984242adfc4f9915f09af1
New release v2.7.16 (tag: v2.7.16)
-rw-r--r-- changelogs/.changes.yaml 10
-rw-r--r-- changelogs/CHANGELOG-v2.7.rst 19
-rw-r--r-- changelogs/fragments/v2.7.16_summary.yaml 3
-rw-r--r-- lib/ansible/release.py 2
4 files changed, 33 insertions, 1 deletions
diff --git a/changelogs/.changes.yaml b/changelogs/.changes.yaml
index 608e9cb7f0..b6f68063e9 100644
--- a/changelogs/.changes.yaml
+++ b/changelogs/.changes.yaml
@@ -672,6 +672,16 @@ releases:
- 63522-remove-args-from-sumologic-and-splunk-callbacks.yml
- v2.7.15_summary.yaml
release_date: '2019-11-13'
+ 2.7.16:
+ codename: In the Light
+ fragments:
+ - ansible-test-coverage-constraint.yml
+ - ansible-test-ignore-pip-warnings.yml
+ - ansible-test-setuptools-constraint.yml
+ - nxos_file_copy_path_issue.yml
+ - solaris_zone_name_fix.yml
+ - v2.7.16_summary.yaml
+ release_date: '2020-01-15'
2.7.2:
codename: In the Light
fragments:
diff --git a/changelogs/CHANGELOG-v2.7.rst b/changelogs/CHANGELOG-v2.7.rst
index 143bd971e4..4b32348168 100644
--- a/changelogs/CHANGELOG-v2.7.rst
+++ b/changelogs/CHANGELOG-v2.7.rst
@@ -5,6 +5,25 @@ Ansible 2.7 "In the Light" Release Notes
.. contents:: Topics
+v2.7.16
+=======
+
+Release Summary
+---------------
+
+| Release Date: 2020-01-15
+| `Porting Guide <https://docs.ansible.com/ansible/devel/porting_guides.html>`__
+
+
+Bugfixes
+--------
+
+- **SECURITY** - CVE-2019-14904 - solaris_zone module accepts zone name and performs actions related to that. However, there is no user input validation done while performing actions. A malicious user could provide a crafted zone name which allows executing commands into the server manipulating the module behaviour. Adding user input validation as per Solaris Zone documentation fixes this issue.
+- CVE-2019-14905 - nxos_file_copy module accepts remote_file parameter which is used for destination name and performs actions related to that on the device using the value of remote_file which is of string type However, there is no user input validation done while performing actions. A malicious code could crafts the filename parameter to take advantage by performing an OS command injection. This fix validates the option value if it is legitimate file path or not.
+- ansible-test no longer tries to install ``coverage`` 5.0+ since those versions are unsupported
+- ansible-test no longer tries to install ``setuptools`` 45+ on Python 2.x since those versions are unsupported
+- ansible-test now ignores warnings when comparing pip versions before and after integration tests run
+
v2.7.15
=======
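Review bot: The CVE-2019-14905 bullet under Bugfixes is missing the **SECURITY** prefix that the CVE-2019-14904 bullet directly above it carries, so anyone filtering the changelog for SECURITY entries will miss the nxos_file_copy OS command injection fix. Suggest opening it with "- **SECURITY** - CVE-2019-14905 - ..." to match. The same bullet needs a wording pass: there is no period between "string type" and "However", "A malicious code could crafts the filename parameter" is ungrammatical, and it refers to a "filename parameter" where the earlier part of the sentence names the option remote_file. If this file is generated from the fragments listed in .changes.yaml, the correction belongs in nxos_file_copy_path_issue.yml rather than here.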
diff --git a/changelogs/fragments/v2.7.16_summary.yaml b/changelogs/fragments/v2.7.16_summary.yaml
new file mode 100644
index 0000000000..0aab7b4302
--- /dev/null
+++ b/changelogs/fragments/v2.7.16_summary.yaml
@@ -0,0 +1,3 @@
+release_summary: |
+ | Release Date: 2020-01-15
+ | `Porting Guide <https://docs.ansible.com/ansible/devel/porting_guides.html>`__
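Review bot: The Porting Guide link in release_summary points at the devel docs tree (https://docs.ansible.com/ansible/devel/porting_guides.html), which tracks the development branch and will drift away from what applies to 2.7.16. For a release note on a stable branch, consider linking a version-pinned page for 2.7 so the reference stays accurate for users of this release.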
diff --git a/lib/ansible/release.py b/lib/ansible/release.py
index eebc151137..1fc3ae404e 100644
--- a/lib/ansible/release.py
+++ b/lib/ansible/release.py
@@ -19,6 +19,6 @@
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
-__version__ = '2.7.15.post0'
+__version__ = '2.7.16'
__author__ = 'Ansible, Inc.'
__codename__ = 'In the Light'