ansible/changelogs/fragments/dont-template-cli-passwords.yml

13 lines
615 B
YAML
Raw Normal View History

security_fixes:
- >
**security issue** - Convert CLI provided passwords to text initially, to
prevent unsafe context being lost when converting from bytes->text during
post processing of PlayContext. This prevents CLI provided passwords from
being incorrectly templated (CVE-2019-14856)
- >
**security issue** - Update ``AnsibleUnsafeText`` and ``AnsibleUnsafeBytes``
to maintain unsafe context by overriding ``.encode`` and ``.decode``. This
prevents future issues with ``to_text``, ``to_bytes``, or ``to_native``
removing the unsafe wrapper when converting between string types
(CVE-2019-14856)