ansible/changelogs/fragments/dont-template-cli-passwords.yml

security_fixes:
- >
  **security issue** - Convert CLI provided passwords to text initially, to
  prevent unsafe context being lost when converting from bytes->text during
  post processing of PlayContext. This prevents CLI provided passwords from
  being incorrectly templated (CVE-2019-14856)
- >
  **security issue** - Update ``AnsibleUnsafeText`` and ``AnsibleUnsafeBytes``
  to maintain unsafe context by overriding ``.encode`` and ``.decode``. This
  prevents future issues with ``to_text``, ``to_bytes``, or ``to_native``
  removing the unsafe wrapper when converting between string types
  (CVE-2019-14856)
add changelog categories, update CVE fragments to use security_fix category (#69968) * use security_fix category in changelogs for CVEs * these fragments do not say CVE but are security fixes Co-authored-by: Alicia Cozine <acozine@users.noreply.github.com> 2020-06-11 19:24:01 +02:00			`security_fixes:`
Wrap CLI Passwords with AnsibleUnsafeText, ensure unsafe context is not lost during encode/decode (#63351) * Wrap .encode and .decode on AnsibleUnsafe objects * runme.sh needs to be executable * ci_complete * Update changelog with CVE 2019-10-11 16:17:10 +02:00			`- >`
			`security issue - Convert CLI provided passwords to text initially, to`
			`prevent unsafe context being lost when converting from bytes->text during`
			`post processing of PlayContext. This prevents CLI provided passwords from`
			`being incorrectly templated (CVE-2019-14856)`
			`- >`
			security issue - Update ``AnsibleUnsafeText`` and ``AnsibleUnsafeBytes``
			to maintain unsafe context by overriding ``.encode`` and ``.decode``. This
			prevents future issues with ``to_text``, ``to_bytes``, or ``to_native``
			`removing the unsafe wrapper when converting between string types`
			`(CVE-2019-14856)`