From 64e2791092add32ba0ed5ab0b990c0f54ac519fb Mon Sep 17 00:00:00 2001 From: Andreas Rammhold Date: Sun, 15 Dec 2019 21:12:20 +0100 Subject: ansible_2_7: 2.7.11 -> 2.7.15 This fixes the following security issues: * Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs (CVE-2019-14864) * CVE-2019-14846 - Several Ansible plugins could disclose aws credentials in log files. inventory/aws_ec2.py, inventory/aws_rds.py, lookup/aws_account_attribute.py, and lookup/aws_secret.py, lookup/aws_ssm.py use the boto3 library from the Ansible process. The boto3 library logs credentials at log level DEBUG. If Ansible's logging was enabled (by setting LOG_PATH to a value) Ansible would set the global log level to DEBUG. This was inherited by boto and would then log boto credentials to the file specified by LOG_PATH. This did not affect aws ansible modules as those are executed in a separate process. This has been fixed by switching to log level INFO * Convert CLI provided passwords to text initially, to prevent unsafe context being lost when converting from bytes->text during post processing of PlayContext. This prevents CLI provided passwords from being incorrectly templated (CVE-2019-14856) * properly hide parameters marked with no_log in suboptions when invalid parameters are passed to the module (CVE-2019-14858) * resolves CVE-2019-10206, by avoiding templating passwords from prompt as it is probable they have special characters. * Handle improper variable substitution that was happening in safe_eval, it was always meant to just do 'type enforcement' and have Jinja2 deal with all variable interpolation. Also see CVE-2019-10156 Changelog: https://github.com/ansible/ansible/blob/0623dedf2d9c4afc09e5be30d3ef249f9d1ebece/changelogs/CHANGELOG-v2.7.rst#v2-7-15 --- pkgs/tools/admin/ansible/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'pkgs/tools') diff --git a/pkgs/tools/admin/ansible/default.nix b/pkgs/tools/admin/ansible/default.nix index eaba5225150..a78345916f2 100644 --- a/pkgs/tools/admin/ansible/default.nix +++ b/pkgs/tools/admin/ansible/default.nix @@ -7,11 +7,11 @@ ansible_2_7 = with python3Packages; toPythonApplication (ansible.overridePythonAttrs(old: rec { pname = "ansible"; - version = "2.7.11"; + version = "2.7.15"; src = fetchurl { url = "https://releases.ansible.com/ansible/${pname}-${version}.tar.gz"; - sha256 = "0zipzm9al6k74h88b6zkddpcbxqs4cms7lidid6wn1vx3d3dxrp7"; + sha256 = "1kjqr35c11njyi3f2rjab6821bhqcrdykv4285q76gwv0qynigwr"; }; })); -- cgit 1.4.1