author Andreas Rammhold <andreas@rammhold.de> 2019-12-15 21:12:20 +0100
committer Andreas Rammhold <andreas@rammhold.de> 2019-12-15 21:24:59 +0100
commit 64e2791092add32ba0ed5ab0b990c0f54ac519fb
tree ea6ce99353f1da21c147d63c73fef8f191eb413b /pkgs/tools
parent eb2d272efd6320adae584bbefb54637ab746160a

ansible_2_7: 2.7.11 -> 2.7.15

This fixes the following security issues:
  * Ansible: Splunk and Sumologic callback plugins leak sensitive data
    in logs (CVE-2019-14864)
  * CVE-2019-14846 - Several Ansible plugins could disclose aws
    credentials in log files. inventory/aws_ec2.py, inventory/aws_rds.py,
    lookup/aws_account_attribute.py, and lookup/aws_secret.py,
    lookup/aws_ssm.py use the boto3 library from the Ansible process. The
    boto3 library logs credentials at log level DEBUG. If Ansible's
    logging was enabled (by setting LOG_PATH to a value) Ansible would set
    the global log level to DEBUG. This was inherited by boto and would
    then log boto credentials to the file specified by LOG_PATH. This did
    not affect aws ansible modules as those are executed in a separate
    process. This has been fixed by switching to log level INFO
  * Convert CLI provided passwords to text initially, to prevent unsafe
    context being lost when converting from bytes->text during post
    processing of PlayContext. This prevents CLI provided passwords from
    being incorrectly templated (CVE-2019-14856)
  * properly hide parameters marked with no_log in suboptions when invalid
    parameters are passed to the module (CVE-2019-14858)
  * resolves CVE-2019-10206, by avoiding templating passwords from
    prompt as it is probable they have special characters.
  * Handle improper variable substitution that was happening in
    safe_eval, it was always meant to just do 'type enforcement' and have
    Jinja2 deal with all variable interpolation. Also see CVE-2019-10156

Changelog: https://github.com/ansible/ansible/blob/0623dedf2d9c4afc09e5be30d3ef249f9d1ebece/changelogs/CHANGELOG-v2.7.rst#v2-7-15
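
The log-level inheritance behind CVE-2019-14846, as described in the commit message above, shown as an added example (not code from Ansible, boto3 or nixpkgs). The logger name `example_sdk.auth`, the log messages and the secret are constructed stand-ins, and an in-memory buffer stands in for the LOG_PATH file; the third case, pinning the library's own logger, goes beyond the fix the message describes.

```python
import io
import logging

# Constructed stand-in for a library that, like boto3 in the advisory, logs
# credentials at DEBUG. Not boto3's real logger name or message text.
SDK_LOGGER = "example_sdk.auth"
FAKE_SECRET = "EXAMPLE-SECRET-NOT-REAL"


def sdk_authenticate():
    """Library code running in the same process as the controller."""
    log = logging.getLogger(SDK_LOGGER)
    log.debug("signing request with secret_key=%s", FAKE_SECRET)
    log.info("request signed")


def run_with_root_level(level, pin_sdk_level=None):
    """Set the global (root) level, run the library, return what reached the sink."""
    sink = io.StringIO()  # stands in for the file named by LOG_PATH
    handler = logging.StreamHandler(sink)
    root, sdk = logging.getLogger(), logging.getLogger(SDK_LOGGER)
    old_root, old_sdk = root.level, sdk.level
    root.addHandler(handler)
    root.setLevel(level)  # a child logger left at NOTSET inherits this level
    if pin_sdk_level is not None:
        sdk.setLevel(pin_sdk_level)  # an explicit level overrides inheritance
    try:
        sdk_authenticate()
    finally:  # restore global logging state for the caller
        root.removeHandler(handler)
        root.setLevel(old_root)
        sdk.setLevel(old_sdk)
    return sink.getvalue()


def leaks(output):
    """True if the constructed secret was written to the log sink."""
    return FAKE_SECRET in output


if __name__ == "__main__":
    cases = [
        ("root=DEBUG (pre-fix behaviour)", logging.DEBUG, None),
        ("root=INFO (the fix described)", logging.INFO, None),
        ("root=DEBUG, library pinned to WARNING", logging.DEBUG, logging.WARNING),
    ]
    for name, level, pin in cases:
        print(f"{name}: leaked={leaks(run_with_root_level(level, pin))}")
```
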
Diffstat (limited to 'pkgs/tools')
-rw-r--r-- pkgs/tools/admin/ansible/default.nix 4
1 files changed, 2 insertions, 2 deletions
diff --git a/pkgs/tools/admin/ansible/default.nix b/pkgs/tools/admin/ansible/default.nix
index eaba5225150..a78345916f2 100644
--- a/pkgs/tools/admin/ansible/default.nix
+++ b/pkgs/tools/admin/ansible/default.nix
@@ -7,11 +7,11 @@
 
   ansible_2_7 = with python3Packages; toPythonApplication (ansible.overridePythonAttrs(old: rec {
     pname = "ansible";
-    version = "2.7.11";
+    version = "2.7.15";
 
     src = fetchurl {
       url = "https://releases.ansible.com/ansible/${pname}-${version}.tar.gz";
-      sha256 = "0zipzm9al6k74h88b6zkddpcbxqs4cms7lidid6wn1vx3d3dxrp7";
+      sha256 = "1kjqr35c11njyi3f2rjab6821bhqcrdykv4285q76gwv0qynigwr";
     };
   }));
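
Review bot: the replacement `sha256` on the `+` line inside `fetchurl` is the only integrity check on the tarball pulled from releases.ansible.com, and nothing visible here says how it was derived. Please note in the PR that it was produced by prefetching the 2.7.15 tarball (for example with nix-prefetch-url) and compared against a checksum obtained independently of that download, rather than copied from a hash-mismatch error after a first build. The version and hash are changed together, which is correct: leaving the old hash in place would have let a cached 2.7.11 source satisfy the fixed-output fetch.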