From 8fd406ee8e3a14be72b3cbbfe91d03fe35952f95 Mon Sep 17 00:00:00 2001
From: Matt Davis
Date: Wed, 15 Jan 2020 14:34:18 -0800
Subject: New release v2.7.16
---
 changelogs/.changes.yaml | 10 ++++++++++
 changelogs/CHANGELOG-v2.7.rst | 19 +++++++++++++++++++
 changelogs/fragments/v2.7.16_summary.yaml | 3 +++
 lib/ansible/release.py | 2 +-
 4 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/fragments/v2.7.16_summary.yaml
diff --git a/changelogs/.changes.yaml b/changelogs/.changes.yaml
index 608e9cb7f0..b6f68063e9 100644
--- a/changelogs/.changes.yaml
+++ b/changelogs/.changes.yaml
@@ -672,6 +672,16 @@ releases:
 - 63522-remove-args-from-sumologic-and-splunk-callbacks.yml
 - v2.7.15_summary.yaml
 release_date: '2019-11-13'
+ 2.7.16:
+ codename: In the Light
+ fragments:
+ - ansible-test-coverage-constraint.yml
+ - ansible-test-ignore-pip-warnings.yml
+ - ansible-test-setuptools-constraint.yml
+ - nxos_file_copy_path_issue.yml
+ - solaris_zone_name_fix.yml
+ - v2.7.16_summary.yaml
+ release_date: '2020-01-15'
 2.7.2:
 codename: In the Light
 fragments:
diff --git a/changelogs/CHANGELOG-v2.7.rst b/changelogs/CHANGELOG-v2.7.rst
index 143bd971e4..4b32348168 100644
--- a/changelogs/CHANGELOG-v2.7.rst
+++ b/changelogs/CHANGELOG-v2.7.rst
@@ -5,6 +5,25 @@ Ansible 2.7 "In the Light" Release Notes
 .. contents:: Topics
+v2.7.16
+=======
+
+Release Summary
+---------------
+
+| Release Date: 2020-01-15
+| `Porting Guide `__
+
+
+Bugfixes
+--------
+
+- **SECURITY** - CVE-2019-14904 - solaris_zone module accepts zone name and performs actions related to that. However, there is no user input validation done while performing actions. A malicious user could provide a crafted zone name which allows executing commands into the server manipulating the module behaviour. Adding user input validation as per Solaris Zone documentation fixes this issue.
+- CVE-2019-14905 - nxos_file_copy module accepts remote_file parameter which is used for destination name and performs actions related to that on the device using the value of remote_file which is of string type However, there is no user input validation done while performing actions. A malicious code could crafts the filename parameter to take advantage by performing an OS command injection. This fix validates the option value if it is legitimate file path or not.
+- ansible-test no longer tries to install ``coverage`` 5.0+ since those versions are unsupported
+- ansible-test no longer tries to install ``setuptools`` 45+ on Python 2.x since those versions are unsupported
+- ansible-test now ignores warnings when comparing pip versions before and after integration tests run
+
 v2.7.15
 =======
diff --git a/changelogs/fragments/v2.7.16_summary.yaml b/changelogs/fragments/v2.7.16_summary.yaml
new file mode 100644
index 0000000000..0aab7b4302
--- /dev/null
+++ b/changelogs/fragments/v2.7.16_summary.yaml
@@ -0,0 +1,3 @@
+release_summary: |
+ | Release Date: 2020-01-15
+ | `Porting Guide `__
diff --git a/lib/ansible/release.py b/lib/ansible/release.py
index eebc151137..1fc3ae404e 100644
--- a/lib/ansible/release.py
+++ b/lib/ansible/release.py
@@ -19,6 +19,6 @@
 from __future__ import (absolute_import, division, print_function)
 __metaclass__ = type
-__version__ = '2.7.15.post0'
+__version__ = '2.7.16'
 __author__ = 'Ansible, Inc.'
 __codename__ = 'In the Light'
-- 
cgit v1.2.1