New release v2.6.20

2019-10-17 09:28:29 -07:00 · 2019-10-17 09:28:29 -07:00 · 9bdb89f740
commit 9bdb89f740
parent 87f8d77d70
4 changed files with 30 additions and 1 deletions
--- a/changelogs/.changes.yaml
+++ b/changelogs/.changes.yaml
@ -501,6 +501,14 @@ releases:
    - win_unzip_share-discard-cmdlet-output.yaml
    - win_user-validate-fixes.yaml
    release_date: '2018-07-27'
+  2.6.20:
+    codename: Heartbreaker
+    fragments:
+    - boto-logging-credentials.yml
+    - dont-template-cli-passwords.yml
+    - no-log-sub-options-invalid-parameter.yaml
+    - v2.6.20_summary.yaml
+    release_date: '2019-10-17'
  2.6.3:
    codename: Heartbreaker
    fragments:
--- a/changelogs/CHANGELOG-v2.6.rst
+++ b/changelogs/CHANGELOG-v2.6.rst
@ -2,6 +2,24 @@
 Ansible 2.6 "Heartbreaker" Release Notes
 ========================================

+v2.6.20
+=======
+
+Release Summary
+---------------
+
+| Release Date: 2019-10-17
+| `Porting Guide <https://docs.ansible.com/ansible/devel/porting_guides.html>`__
+
+
+Bugfixes
+--------
+
+- **SECURITY** - CVE-2019-14846 - Several Ansible plugins could disclose aws credentials in log files.  inventory/aws_ec2.py, inventory/aws_rds.py, lookup/aws_account_attribute.py, and lookup/aws_secret.py, lookup/aws_ssm.py use the boto3 library from the Ansible process. The boto3 library logs credentials at log level DEBUG.  If Ansible's logging was enabled (by setting LOG_PATH to a value) Ansible would set the global log level to DEBUG.  This was inherited by boto and would then log boto credentials to the file specified by LOG_PATH.  This did not affect aws ansible modules as those are executed in a separate process.  This has been fixed by switching to log level INFO
+- **security issue** - Convert CLI provided passwords to text initially, to prevent unsafe context being lost when converting from bytes->text during post processing of PlayContext. This prevents CLI provided passwords from being incorrectly templated (CVE-2019-14856)
+
+- **security issue** - properly hide parameters marked with ``no_log`` in suboptions when invalid parameters are passed to the module (CVE-2019-14858)
+
 v2.6.19
 =======

--- a/changelogs/fragments/v2.6.20_summary.yaml
+++ b/changelogs/fragments/v2.6.20_summary.yaml
@ -0,0 +1,3 @@
+release_summary: |
+   | Release Date: 2019-10-17
+   | `Porting Guide <https://docs.ansible.com/ansible/devel/porting_guides.html>`__
--- a/lib/ansible/release.py
+++ b/lib/ansible/release.py
@ -19,6 +19,6 @@
 from __future__ import (absolute_import, division, print_function)
 __metaclass__ = type

-__version__ = '2.6.19.post0'
+__version__ = '2.6.20'
 __author__ = 'Ansible, Inc.'
 __codename__ = 'Heartbreaker'