diff options
author | Andreas Rammhold <andreas@rammhold.de> | 2019-12-15 21:22:30 +0100 |
---|---|---|
committer | Andreas Rammhold <andreas@rammhold.de> | 2019-12-15 21:25:07 +0100 |
commit | b21b92947e931bd40a5144c686510320fba6c88d (patch) | |
tree | a3b412d03ee80b4cb28d8c1c59139781e3040122 /pkgs/tools/admin | |
parent | 71cde971c7da86123b897d0e96a2e7bd88010df0 (diff) | |
download | nixpkgs-b21b92947e931bd40a5144c686510320fba6c88d.tar nixpkgs-b21b92947e931bd40a5144c686510320fba6c88d.tar.gz nixpkgs-b21b92947e931bd40a5144c686510320fba6c88d.tar.bz2 nixpkgs-b21b92947e931bd40a5144c686510320fba6c88d.tar.lz nixpkgs-b21b92947e931bd40a5144c686510320fba6c88d.tar.xz nixpkgs-b21b92947e931bd40a5144c686510320fba6c88d.tar.zst nixpkgs-b21b92947e931bd40a5144c686510320fba6c88d.zip |
ansible_2_6: 2.6.17 -> 2.6.20
This addresses the following security issues: * CVE-2019-14846 - Several Ansible plugins could disclose aws credentials in log files. inventory/aws_ec2.py, inventory/aws_rds.py, lookup/aws_account_attribute.py, and lookup/aws_secret.py, lookup/aws_ssm.py use the boto3 library from the Ansible process. The boto3 library logs credentials at log level DEBUG. If Ansible's logging was enabled (by setting LOG_PATH to a value) Ansible would set the global log level to DEBUG. This was inherited by boto and would then log boto credentials to the file specified by LOG_PATH. This did not affect aws ansible modules as those are executed in a separate process. This has been fixed by switching to log level INFO * Convert CLI provided passwords to text initially, to prevent unsafe context being lost when converting from bytes->text during post processing of PlayContext. This prevents CLI provided passwords from being incorrectly templated (CVE-2019-14856) * properly hide parameters marked with no_log in suboptions when invalid parameters are passed to the module (CVE-2019-14858) * resolves CVE-2019-10206, by avoiding templating passwords from prompt as it is probable they have special characters. * Handle improper variable substitution that was happening in safe_eval, it was always meant to just do 'type enforcement' and have Jinja2 deal with all variable interpolation. Also see CVE-2019-10156 Changelog: https://github.com/ansible/ansible/blob/9bdb89f740a87bcf760424577ce18a8f68d7a741/changelogs/CHANGELOG-v2.6.rst
Diffstat (limited to 'pkgs/tools/admin')
-rw-r--r-- | pkgs/tools/admin/ansible/default.nix | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/pkgs/tools/admin/ansible/default.nix b/pkgs/tools/admin/ansible/default.nix index a78345916f2..5b724fb0bf9 100644 --- a/pkgs/tools/admin/ansible/default.nix +++ b/pkgs/tools/admin/ansible/default.nix @@ -17,11 +17,11 @@ ansible_2_6 = with python3Packages; toPythonApplication (ansible.overridePythonAttrs(old: rec { pname = "ansible"; - version = "2.6.17"; + version = "2.6.20"; src = fetchurl { url = "https://releases.ansible.com/ansible/${pname}-${version}.tar.gz"; - sha256 = "0ixr3g1nb02xblqyk87bzag8sj8phy37m24xflabfl1k2zfh0313"; + sha256 = "02ra9q2mifyawn0719y78wrbqzik73aymlzwi90fq71jgyfvkkqn"; }; })); } |