From 23812ab87d72e0170b3035fd33244987219c86a4 Mon Sep 17 00:00:00 2001 From: James Cammarata Date: Mon, 31 Oct 2016 21:41:58 -0500 Subject: [PATCH] Updating CHANGELOG for CVEs fixed in 2.2.0 --- CHANGELOG.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 911007a828..05b343d91a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,10 +1,12 @@ Ansible Changes By Release ========================== -## 2.2 "The Battle of Evermore" - ACTIVE DEVELOPMENT +## 2.2 "The Battle of Evermore" - 11-01-2016 ###Major Changes: +* Security fix for CVE-2016-8628 - Command injection by compromised server via fact variables. In some situations, facts returned by modules could overwrite connection-based facts or some other special variables, leading to injected commands running on the Ansible controller as the user running Ansible (or via escalated permissions). +* Security fix for CVE-2016-8614 - apt_key module not properly validating keys in some situations. * Added the `listen` feature for modules. This feature allows tasks to more easily notify multiple handlers, as well as making it easier for handlers from decoupled roles to be notified. * Major performance improvements. * Added support for binary modules @@ -289,9 +291,6 @@ Ansible Changes By Release * Fix for yum module incorrectly thinking it succeeded in installing packages * Make the default ansible_managed template string into a static string since all of the replacable values lead to non-idempotent behaviour. -* apt_key fixes for when the user specifies a longer key id. These allow more - specific targetting of keys to download while still working around - limitations in the apt-key tool that require shorter key id strings. ###For custom front ends using the API: * ansible.parsing.vault:
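Review bot: In the first hunk (CHANGELOG.md, `@@ -1,10 +1,12 @@`), the two `Security fix for CVE-...` bullets are added at the top of the `###Major Changes:` list, directly above feature items such as the `listen` feature and the performance improvements, so a reader scanning for security-relevant changes has nothing but bullet order to separate them from features. Consider giving them their own subheading in the 2.2 section, in the same `###` style the file already uses. The new release date `11-01-2016` in the heading is also ambiguous between month-first and day-first readings; the commit date of 31 Oct 2016 implies 1 November, and writing it as `2016-11-01` would remove the doubt.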
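Review bot: In the second hunk (`@@ -289,9 +291,6 @@`), the deleted `apt_key fixes for when the user specifies a longer key id` bullet was the only text that said what changed in apt_key handling, and the CVE-2016-8614 bullet added in the first hunk only says "not properly validating keys in some situations". If the CVE entry is meant to replace the deleted bullet, which neither the commit message nor the diff states, carry the specifics over (longer key ids, and the apt-key tool limitation that requires shorter key id strings) so users can tell whether their playbooks were affected. If the two are unrelated, the deletion drops a changelog entry without a replacement and should be explained in the commit message.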