b21b92947e
This addresses the following security issues:
* CVE-2019-14846 - Several Ansible plugins could disclose aws
credentials in log files. inventory/aws_ec2.py, inventory/aws_rds.py,
lookup/aws_account_attribute.py, and lookup/aws_secret.py,
lookup/aws_ssm.py use the boto3 library from the Ansible process. The
boto3 library logs credentials at log level DEBUG. If Ansible's
logging was enabled (by setting LOG_PATH to a value) Ansible would set
the global log level to DEBUG. This was inherited by boto and would
then log boto credentials to the file specified by LOG_PATH. This did
not affect aws ansible modules as those are executed in a separate
process. This has been fixed by switching to log level INFO
* Convert CLI provided passwords to text initially, to prevent unsafe
context being lost when converting from bytes->text during post
processing of PlayContext. This prevents CLI provided passwords from
being incorrectly templated (CVE-2019-14856)
* properly hide parameters marked with no_log in suboptions when
invalid parameters are passed to the module (CVE-2019-14858)
* resolves CVE-2019-10206, by avoiding templating passwords from
prompt as it is probable they have special characters.
* Handle improper variable substitution that was happening in
safe_eval, it was always meant to just do 'type enforcement' and have
Jinja2 deal with all variable interpolation. Also see CVE-2019-10156
Changelog: 9bdb89f740/changelogs/CHANGELOG-v2.6.rst
27 lines
831 B
Nix
27 lines
831 B
Nix
{ python3Packages, fetchurl }:
|
|
|
|
{
|
|
ansible = with python3Packages; toPythonApplication ansible;
|
|
|
|
ansible_2_8 = with python3Packages; toPythonApplication ansible;
|
|
|
|
ansible_2_7 = with python3Packages; toPythonApplication (ansible.overridePythonAttrs(old: rec {
|
|
pname = "ansible";
|
|
version = "2.7.15";
|
|
|
|
src = fetchurl {
|
|
url = "https://releases.ansible.com/ansible/${pname}-${version}.tar.gz";
|
|
sha256 = "1kjqr35c11njyi3f2rjab6821bhqcrdykv4285q76gwv0qynigwr";
|
|
};
|
|
}));
|
|
|
|
ansible_2_6 = with python3Packages; toPythonApplication (ansible.overridePythonAttrs(old: rec {
|
|
pname = "ansible";
|
|
version = "2.6.20";
|
|
|
|
src = fetchurl {
|
|
url = "https://releases.ansible.com/ansible/${pname}-${version}.tar.gz";
|
|
sha256 = "02ra9q2mifyawn0719y78wrbqzik73aymlzwi90fq71jgyfvkkqn";
|
|
};
|
|
}));
|
|
}
|