diff options
author | Rick Elrod <rick@elrod.me> | 2020-08-31 15:42:11 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-08-31 15:42:11 -0500 |
commit | 69827e089415a9d3f9e6b538f8ad64fbb2e079ce (patch) | |
tree | f96a582060fe6073b6280af01b6b26f5a850233c | |
parent | a0ddefde38b4597e3b80eed23e3c76831d3f10ed (diff) | |
download | ansible-69827e089415a9d3f9e6b538f8ad64fbb2e079ce.tar.gz |
Re-add changelogs and add docs for CVE-2020-1736 reverts [2.8] (#71516)
Signed-off-by: Rick Elrod <rick@elrod.me>
Co-authored-by: Alicia Cozine <879121+acozine@users.noreply.github.com>
Co-authored-by: Sam Doran <sdoran@redhat.com>
4 files changed, 16 insertions, 0 deletions
diff --git a/changelogs/fragments/67794-atomic_move-default-perms.yml b/changelogs/fragments/67794-atomic_move-default-perms.yml new file mode 100644 index 0000000000..cef82ee203 --- /dev/null +++ b/changelogs/fragments/67794-atomic_move-default-perms.yml @@ -0,0 +1,4 @@ +security_fixes: + - > + **security issue** atomic_move - change default permissions when creating + temporary files so they are not world readable (https://github.com/ansible/ansible/issues/67794) (CVE-2020-1736) diff --git a/changelogs/fragments/67794-default-permissions-warning-fix.yml b/changelogs/fragments/67794-default-permissions-warning-fix.yml new file mode 100644 index 0000000000..b6824b877d --- /dev/null +++ b/changelogs/fragments/67794-default-permissions-warning-fix.yml @@ -0,0 +1,4 @@ +security_fixes: + - > + Fix warning for default permission change when no mode is specified. Follow up + to https://github.com/ansible/ansible/issues/67794. (CVE-2020-1736) diff --git a/changelogs/fragments/cve-2020-1736-revert.yml b/changelogs/fragments/cve-2020-1736-revert.yml new file mode 100644 index 0000000000..f31574067c --- /dev/null +++ b/changelogs/fragments/cve-2020-1736-revert.yml @@ -0,0 +1,2 @@ +security_fixes: + - The fix for CVE-2020-1736 has been reverted. Users are encouraged to specify a ``mode`` parameter in their file-based tasks when the files being manipulated contain sensitive data. diff --git a/docs/docsite/rst/porting_guides/porting_guide_2.8.rst b/docs/docsite/rst/porting_guides/porting_guide_2.8.rst index f64650268d..a6b9b4aff4 100644 --- a/docs/docsite/rst/porting_guides/porting_guide_2.8.rst +++ b/docs/docsite/rst/porting_guides/porting_guide_2.8.rst @@ -373,6 +373,12 @@ add ``$ErrorActionPreference = "Continue"`` to the top of the module. This chang of the EAP that was accidentally removed in a previous release and ensure that modules are more resilient to errors that may occur in execution. +* Version 2.8.14 of Ansible changed the default mode of file-based tasks to ``0o600 & ~umask`` when the user did not specify a ``mode`` parameter on file-based tasks. This was in response to a CVE report which we have reconsidered. As a result, the ``mode`` change has been reverted in 2.8.15, and ``mode`` will now default to ``0o666 & ~umask`` as in previous versions of Ansible. +* If you changed any tasks to specify less restrictive permissions while using 2.8.14, those changes will be unnecessary (but will do no harm) in 2.8.15. +* To avoid the issue raised in CVE-2020-1736, specify a ``mode`` parameter in all file-based tasks that accept it. + + + Modules removed --------------- |