diff options
-rw-r--r-- | changelogs/.changes.yaml | 21 | ||||
-rw-r--r-- | changelogs/CHANGELOG-v2.9.rst | 123 | ||||
-rw-r--r-- | changelogs/fragments/v2.9.20rc1_summary.yaml | 3 | ||||
-rw-r--r-- | lib/ansible/release.py | 2 |
4 files changed, 148 insertions, 1 deletions
diff --git a/changelogs/.changes.yaml b/changelogs/.changes.yaml index 286eab2b0d..2a9da494a5 100644 --- a/changelogs/.changes.yaml +++ b/changelogs/.changes.yaml @@ -1822,6 +1822,27 @@ releases: - win_iis_webapppool-check-mode.yaml - windows-coverage-encoding.yaml release_date: '2019-12-04' + 2.9.20rc1: + codename: Immigrant Song + fragments: + - 471-no_log.yml + - 57399-finalize-task-in-strategy.yml + - 73840_apt-policy-rc-d.yml + - 73876-ansible_test-units.yml + - 74113-module_defaults-rds_snapshot.yml + - 74125-backport_nmcli_module-slave_bridge_error.yml + - ansible-test-fix-coverage-export.yml + - community.aws-475-no_log-missing.yml + - community.docker-103-docker_swarm-no_log.yml + - community.general-2018-missing-no_log-again.yml + - community.network-223-no_log-missing.yml + - fix_find_default.yml + - more-no_log-fixes.yml + - optional_module_utils.yml + - rds-aws-mod-defaults.yml + - v2.9.20rc1_summary.yaml + - wafv2-mod-defaults.yml + release_date: '2021-04-05' 2.9.3: codename: Immigrant Song fragments: diff --git a/changelogs/CHANGELOG-v2.9.rst b/changelogs/CHANGELOG-v2.9.rst index b105e3024f..487425d046 100644 --- a/changelogs/CHANGELOG-v2.9.rst +++ b/changelogs/CHANGELOG-v2.9.rst @@ -5,6 +5,129 @@ Ansible 2.9 "Immigrant Song" Release Notes .. contents:: Topics +v2.9.20rc1 +========== + +Release Summary +--------------- + +| Release Date: 2021-04-05 +| `Porting Guide <https://docs.ansible.com/ansible/devel/porting_guides.html>`__ + + +Minor Changes +------------- + +- aws module_defaults - add rds_option_group, rds_option_group_info +- aws module_defaults - add wafv2_ip_set, wafv2_ip_set_info, wafv2_resources, wafv2_resources_info, wafv2_rule_group, wafv2_rule_group_info, wafv2_web_acl, wafv2_web_acl_info +- azure_rm_roledefinition - module specification is now valid. +- module payload builder - module_utils imports in any nested block (eg, ``try``, ``if``) are treated as optional during module payload builds; this allows modules to implement runtime fallback behavior for module_utils that do not exist in older versions of Ansible. +- module_defaults - add module rds_snapshot to aws module_defaults group (https://github.com/ansible/ansible/pull/74113). +- nmcli - fix the slaving of bridge interfaces (https://github.com/ansible/ansible/pull/74125). + +Breaking Changes / Porting Guide +-------------------------------- + +- docker_swarm - if ``join_token`` is specified, a returned join token with the same value will be replaced by ``VALUE_SPECIFIED_IN_NO_LOG_PARAMETER``. Make sure that you do not blindly use the join tokens from the return value of this module when the module is invoked with ``join_token`` specified! This breaking change appears in a minor release since it is necessary to fix a security issue (https://github.com/ansible-collections/community.docker/pull/103). (CVE-2021-3447) + +Security Fixes +-------------- + +- avi_cloudconnectoruser - mark the ``azure_userpass``, ``gcp_credentials``, ``oci_credentials``, and ``tencent_credentials`` parameters as ``no_log`` to prevent leaking of secret values (https://github.com/ansible-collections/community.network/pull/223). (CVE-2021-3447) +- avi_sslkeyandcertificate - mark the ``enckey_base64`` parameter as ``no_log`` to prevent potential leaking of secret values (https://github.com/ansible-collections/community.network/pull/223). (CVE-2021-3447) +- avi_webhook - mark the ``verification_token`` parameter as ``no_log`` to prevent potential leaking of secret values (https://github.com/ansible-collections/community.network/pull/223). (CVE-2021-3447) +- aws_direct_connect_virtual_interface - mark the ``authentication_key`` parameter as ``no_log`` to avoid accidental leaking of secrets in logs (https://github.com/ansible-collections/community.aws/pull/475). (CVE-2021-3447) +- aws_secret - flag the ``secret`` parameter as containing sensitive data which shouldn't be logged (https://github.com/ansible-collections/community.aws/pull/471) (CVE-2021-3447). +- azure_rm_devtestlabartifactsource - ``security_token`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- bigip_device_license - ``license_key`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- bigip_dns_nameserver - ``tsig_key`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- bigip_dns_zone - ``tsig_server_key`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- bigip_profile_client_ssl - ``key`` and ``passphrase`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- docker_swarm - the ``join_token`` option is now marked as ``no_log`` so it is no longer written into logs (https://github.com/ansible-collections/community.docker/pull/103). (CVE-2021-3447) +- fortios_dlp_fp_doc_source - ``password`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_endpoint_control_forticlient_ems - ``admin_password`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_endpoint_control_profile - ``preshared_key`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_endpoint_control_settings - ``forticlient_reg_key`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_extender_controller_extender - ``aaa_shared_secret``, ``ha_shared_secret``, ``modem_passwd``, and ``ppp_password`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_firewall_ssh_local_ca - ``password`` and ``private_key`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_firewall_ssh_local_key - ``password`` and ``private_key`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_log_disk_setting - ``uploadpass`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_router_bgp - ``password`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_router_isis - ``auth_password_l1`` and ``auth_password_l2`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_router_key_chain - ``key_string`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_router_ospf - ``authentication_key`` and `md5_key`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_router_rip - ``auth_string`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_switch_controller_switch_profile - ``login_passwd`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_system_admin - ``fortitoken`` and ``password`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_system_api_user - ``api_key`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_system_automation_action - ``aws_api_key`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_system_autoupdate_tunneling - ``password`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_system_csf - ``password`` and ``group_password`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_system_ddns - ``ddns_password`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_system_email_server - ``password`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_system_fsso_polling - ``auth_password`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_system_ha - ``password`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_system_interface - ``password`` and ``pptp_password`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_system_link_monitor - ``password`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_system_mobile_tunnel - ``n_mhae_key`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_system_ntp - ``key`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_system_pppoe_interface - ``password`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_system_probe_response - ``password`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_system_sdn_connector - ``access_key``, ``client_secret``, ``key_passwd``, ``password``, ``private_key``, and ``secret_key`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_system_virtual_wan_link - ``password`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_system_wccp - ``password`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_user_fortitoken - ``activation_code``, ``license``, ``seed``, and ``serial_number`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_user_fsso - ``password``, ``password1``, ``password2``, ``password3``, ``password4``, and ``password5`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_user_fsso_polling - ``password`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_user_group - ``password`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_user_krb_keytab - ``keytab`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_user_ldap - ``password`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_user_local - ``fortitoken``, ``passwd``, and ``ppk_secret`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_user_peer - ``ldap_password`` and ``passwd`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_user_radius - ``secret``, ``rsso_secret``, ``secondary_secret``, and ``tertiary_secret`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_user_tacacsplus - ``key``, ``secondary_key``, and ``tertiary_key`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_vpn_certificate_crl - ``ldap_password`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_vpn_certificate_local - ``password``, ``private_key``, and ``scep_password`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_vpn_ipsec_manualkey - ``authkey`` and ``enckey`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_vpn_ipsec_manualkey_interface - ``auth_key`` and ``enc_key`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_vpn_ipsec_phase1 - ``authpasswd``, ``group_authentication_secret``, ``ppk_secret``, ``psksecret``, and ``psksecret_remote`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_vpn_ipsec_phase1_interface - ``authpasswd``, ``group_authentication_secret``, ``ppk_secret``, ``psksecret``, and ``psksecret_remote`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_vpn_ssl_web_portal - ``logon_password`` and ``sso_password`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_vpn_ssl_web_user_bookmark - ``logon_password`` and ``sso_password`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_vpn_ssl_web_user_group_bookmark - ``logon_password`` and ``sso_password`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_wireless_controller_inter_controller - ``inter_controller_key`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_wireless_controller_vap - ``captive_portal_macauth_radius_secret``, ``captive_portal_radius_secret``, ``key``, and ``passphrase`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_wireless_controller_wtp - ``login_passwd`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- fortios_wireless_controller_wtp_profile - ``fortipresence_secret`` and ``login_passwd`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- gcp_compute_instance - ``raw_key`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- gcp_container_cluster - ``password`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- gcp_sql_instance - ``password`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- icx_system - ``auth_key`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- ios_ntp - ``auth_key`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- logentries_msg - ``token`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- na_cdot_user - mark the ``set_password`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/2018). (CVE-2021-3447) +- na_elementsw_cluster_snmp - ``password`` and ``passphrase`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- netscaler_lb_monitor - ``password`` and ``secondarypassword`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- nxos_aaa_server_host - ``key`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- ovirt_auth - ``token`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- pingdom - ``key`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- rollbar_deployment - ``token` no longer appears in logs (``no_log``) (CVE-2021-3447) +- stackdriver - ``key`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- sts_assume_role - mark the ``mfa_token`` parameter as ``no_log`` to avoid accidental leaking of secrets in logs (https://github.com/ansible-collections/community.aws/pull/475). (CVE-2021-3447) +- sts_session_token - mark the ``mfa_token`` parameter as ``no_log`` to avoid accidental leaking of secrets in logs (https://github.com/ansible-collections/community.aws/pull/475). (CVE-2021-3447) +- tower_credential - ``security_token`` and ``secret`` no longer appears in logs (``no_log``) (CVE-2021-3447) +- zabbix_action - ``password`` no longer appears in logs (``no_log``) (CVE-2021-3447) + +Bugfixes +-------- + +- Strategy - When building the task in the Strategy from the Worker, ensure it is properly marked as finalized and squashed. Addresses an issue with ``ansible_failed_task``. (https://github.com/ansible/ansible/issues/57399) +- ansible-test - The ``--export`` option for ``ansible-test coverage`` is now limited to the ``combine`` command. It was previously available for reporting commands on which it had no effect. +- ansible-test - The ``ansible-test coverage combine`` option ``--export`` now exports relative paths. This avoids loss of coverage data when aggregating across systems with different absolute paths. Paths will be converted back to absolute when generating reports. +- ansible-test - ensure unit test paths for connection and inventory plugins are correctly identified for collections (https://github.com/ansible/ansible/issues/73876). +- apt - fix policy_rc_d parameter throwing an exception when restoring original file (https://github.com/ansible/ansible/issues/66211) +- find - fix default pattern when use_regex is true (https://github.com/ansible/ansible/issues/50067). + v2.9.19 ======= diff --git a/changelogs/fragments/v2.9.20rc1_summary.yaml b/changelogs/fragments/v2.9.20rc1_summary.yaml new file mode 100644 index 0000000000..2a0d37c5a9 --- /dev/null +++ b/changelogs/fragments/v2.9.20rc1_summary.yaml @@ -0,0 +1,3 @@ +release_summary: | + | Release Date: 2021-04-05 + | `Porting Guide <https://docs.ansible.com/ansible/devel/porting_guides.html>`__ diff --git a/lib/ansible/release.py b/lib/ansible/release.py index 250ac30199..17421aaa37 100644 --- a/lib/ansible/release.py +++ b/lib/ansible/release.py @@ -19,6 +19,6 @@ from __future__ import (absolute_import, division, print_function) __metaclass__ = type -__version__ = '2.9.19.post0' +__version__ = '2.9.20rc1' __author__ = 'Ansible, Inc.' __codename__ = 'Immigrant Song' |