Skip to content

Commit

Permalink
New release v2.8.11
Browse files Browse the repository at this point in the history
  • Loading branch information
mattclay committed Apr 16, 2020
1 parent 6f75aa2 commit b9ebc0c
Show file tree
Hide file tree
Showing 4 changed files with 57 additions and 1 deletion.
17 changes: 17 additions & 0 deletions changelogs/.changes.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -1633,6 +1633,23 @@ releases:
- openstack-regression.yml
- v2.8.10_summary.yaml
release_date: '2020-03-05'
2.8.11:
codename: How Many More Times
fragments:
- 63280-fix_acl_spaces_in_path.yml
- 64906-always-delegate-fact-prefixes.yml
- af_clean.yml
- ansible-test-opensuse-15.1.yml
- ansible-test-rhel-7.8.yml
- fetch_no_slurp.yml
- ldap-params-removal.yml
- remote_mkdir_fix.yml
- subversion_password.yaml
- v2.8.11_summary.yaml
- vault_tmp_file.yml
- vault_tmp_race_fix.yml
- win-unzip-check-extraction-path.yml
release_date: '2020-04-16'
2.8.2:
codename: How Many More Times
fragments:
Expand Down
36 changes: 36 additions & 0 deletions changelogs/CHANGELOG-v2.8.rst
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,42 @@ Ansible 2.8 "How Many More Times" Release Notes
.. contents:: Topics


v2.8.11
=======

Release Summary
---------------

| Release Date: 2020-04-16
| `Porting Guide <https://docs.ansible.com/ansible/devel/porting_guides.html>`__

Minor Changes
-------------

- ansible-test - Upgrade OpenSUSE containers to use Leap 15.1.
- ansible-test now supports testing against RHEL 7.8 when using the ``--remote`` option.

Removed Features (previously deprecated)
----------------------------------------

- ldap_attr, ldap_entry - The ``params`` option has been removed in Ansible-2.10 as it circumvents Ansible's option handling. Setting ``bind_pw`` with the ``params`` option was disallowed in Ansible-2.7, 2.8, and 2.9 as it was insecure. For information about this policy, see the discussion at: https://meetbot.fedoraproject.org/ansible-meeting/2017-09-28/ansible_dev_meeting.2017-09-28-15.00.log.html This fixes CVE-2020-1746

Bugfixes
--------

- **security issue** - The ``subversion`` module provided the password via the svn command line option ``--password`` and can be retrieved from the host's /proc/<pid>/cmdline file. Update the module to use the secure ``--password-from-stdin`` option instead, and add a warning in the module and in the documentation if svn version is too old to support it. (CVE-2020-1739)

- **security issue** win_unzip - normalize paths in archive to ensure extracted files do not escape from the target directory (CVE-2020-1737)

- **security_issue** - create temporary vault file with strict permissions when editing and prevent race condition (CVE-2020-1740)
- Ensure DataLoader temp files are removed at appropriate times and that we observe the LOCAL_TMP setting.
- Ensure we don't allow ansible_facts subkey of ansible_facts to override top level, also fix 'deprefixing' to prevent key transforms.
- Ensure we get an error when creating a remote tmp if it already exists. CVE-2020-1733
- Fact Delegation - Add ability to indicate which facts must always be delegated. Primarily for ``discovered_interpreter_python`` right now, but extensible later. (https://github.com/ansible/ansible/issues/61002)
- In fetch action, avoid using slurp return to set up dest, also ensure no dir traversal CVE-2019-3828.
- acl - fixed module failure if there are spaces in a path

v2.8.10
=======

Expand Down
3 changes: 3 additions & 0 deletions changelogs/fragments/v2.8.11_summary.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
release_summary: |
| Release Date: 2020-04-16
| `Porting Guide <https://docs.ansible.com/ansible/devel/porting_guides.html>`__
2 changes: 1 addition & 1 deletion lib/ansible/release.py
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,6 @@
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type

__version__ = '2.8.10.post0'
__version__ = '2.8.11'
__author__ = 'Ansible, Inc.'
__codename__ = 'How Many More Times'

0 comments on commit b9ebc0c

Please sign in to comment.