Diffstat (limited to 'changelogs/CHANGELOG-v2.7.rst')
-rw-r--r-- | changelogs/CHANGELOG-v2.7.rst | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/changelogs/CHANGELOG-v2.7.rst b/changelogs/CHANGELOG-v2.7.rst index 4b32348168..74288f9949 100644 --- a/changelogs/CHANGELOG-v2.7.rst +++ b/changelogs/CHANGELOG-v2.7.rst 
@@ -5,6 +5,42 @@ Ansible 2.7 "In the Light" Release Notes .. contents:: Topics +v2.7.17 +======= + +Release Summary +--------------- + +| Release Date: 2020-04-16 +| `Porting Guide <https://docs.ansible.com/ansible/devel/porting_guides.html>`__ + + +Minor Changes +------------- + +- ansible-test - Upgrade OpenSUSE containers to use Leap 15.1. +- ansible-test now supports testing against RHEL 7.8 when using the ``--remote`` option. + +Removed Features (previously deprecated) +---------------------------------------- + +- ldap_attr, ldap_entry - The ``params`` option has been removed in Ansible-2.10 as it circumvents Ansible's option handling. Setting ``bind_pw`` with the ``params`` option was disallowed in Ansible-2.7, 2.8, and 2.9 as it was insecure. For information about this policy, see the discussion at: https://meetbot.fedoraproject.org/ansible-meeting/2017-09-28/ansible_dev_meeting.2017-09-28-15.00.log.html This fixes CVE-2020-1746 + +Bugfixes +-------- + +- **security issue** - The ``subversion`` module provided the password via the svn command line option ``--password`` and can be retrieved from the host's /proc/<pid>/cmdline file. Update the module to use the secure ``--password-from-stdin`` option instead, and add a warning in the module and in the documentation if svn version is too old to support it. (CVE-2020-1739) + +- **security issue** win_unzip - normalize paths in archive to ensure extracted files do not escape from the target directory (CVE-2020-1737) + +- **security_issue** - create temporary vault file with strict permissions when editing and prevent race condition (CVE-2020-1740) +- Ensure DataLoader temp files are removed at appropriate times and that we observe the LOCAL_TMP setting. +- Ensure we don't allow ansible_facts subkey of ansible_facts to override top level, also fix 'deprefixing' to prevent key transforms. +- Ensure we get an error when creating a remote tmp if it already exists. 
CVE-2020-1733 +- In fetch action, avoid using slurp return to set up dest, also ensure no dir traversal CVE-2019-3828. +- ansible-test - Use ``virtualenv`` versions before 20 on provisioned macOS instances to remain compatible with an older pip install. +- ansible-test now limits Jinja2 installs to version 2.10 and earlier on Python 2.6 + v2.7.16 ======= |
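Review bot: the three security entries under Bugfixes carry three different labels (``**security issue** - The ``subversion`` module ...``, ``**security issue** win_unzip - ...``, ``**security_issue** - create temporary vault file ...``); settle on one form, e.g. ``**security issue** - <module> - ...``, so the rendered list and anyone grepping the changelog for the label get consistent results. In the same block the first two bullets are separated by blank lines while the remaining ones are not, and the CVE references are placed inconsistently: ``This fixes CVE-2020-1746`` has no terminal punctuation, and ``... if it already exists. CVE-2020-1733`` puts the identifier after the full stop, whereas the other entries parenthesize it at the end of the sentence. Lastly, the ldap_attr/ldap_entry entry in a v2.7.17 section says the ``params`` option "has been removed in Ansible-2.10"; a short sentence stating what 2.7.17 users actually see (the existing ``bind_pw``-via-``params`` rejection) would remove the ambiguity about whether anything changes in this release.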