[docs] Fix up porting guides for CVE revert (#71581)

Change:
- Fix up wording and do proper backports for porting guide entries.

Signed-off-by: Rick Elrod <rick@elrod.me>
(cherry picked from commit ed48a2dd62)
Rick Elrod 2020-09-01 17:34:33 -05:00 committed by GitHub
parent d699d38dd5
commit 6aaef596d6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 11 additions and 1 deletions

@ -371,6 +371,11 @@ add ``$ErrorActionPreference = "Continue"`` to the top of the module. This chang
of the EAP that was accidentally removed in a previous release and ensure that modules are more resilient to errors of the EAP that was accidentally removed in a previous release and ensure that modules are more resilient to errors
that may occur in execution. that may occur in execution.
* Version 2.8.14 of Ansible changed the default mode of file-based tasks to ``0o600 & ~umask`` when the user did not specify a ``mode`` parameter on file-based tasks. This was in response to a CVE report which we have reconsidered. As a result, the ``mode`` change has been reverted in 2.8.15, and ``mode`` will now default to ``0o666 & ~umask`` as in previous versions of Ansible.
* If you changed any tasks to specify less restrictive permissions while using 2.8.14, those changes will be unnecessary (but will do no harm) in 2.8.15.
* To avoid the issue raised in CVE-2020-1736, specify a ``mode`` parameter in all file-based tasks that accept it.
Modules removed Modules removed
--------------- ---------------
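Review bot: The added first bullet gives the reverted default as ``0o666 & ~umask`` without saying what that means in practice, and it refers to "a CVE report" without naming it until the third sub-bullet. Suggest naming CVE-2020-1736 in the first sentence and adding that the resulting permissions depend on the umask in effect on the target (0644 under a umask of 022, for example), so readers can judge which of their tasks need an explicit ``mode``.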

@ -74,6 +74,11 @@ Modules
* The ``win_get_url`` and ``win_uri`` module now sends requests with a default ``User-Agent`` of ``ansible-httpget``. This can be changed by using the ``http_agent`` key. * The ``win_get_url`` and ``win_uri`` module now sends requests with a default ``User-Agent`` of ``ansible-httpget``. This can be changed by using the ``http_agent`` key.
* The ``apt`` module now honors ``update_cache=false`` while installing its own dependency and skips the cache update. Explicitly setting ``update_cache=true`` or omitting the param ``update_cache`` will result in a cache update while installing its own dependency. * The ``apt`` module now honors ``update_cache=false`` while installing its own dependency and skips the cache update. Explicitly setting ``update_cache=true`` or omitting the param ``update_cache`` will result in a cache update while installing its own dependency.
* Version 2.9.12 of Ansible changed the default mode of file-based tasks to ``0o600 & ~umask`` when the user did not specify a ``mode`` parameter on file-based tasks. This was in response to a CVE report which we have reconsidered. As a result, the mode change has been reverted in 2.9.13, and mode will now default to ``0o666 & ~umask`` as in previous versions of Ansible.
* If you changed any tasks to specify less restrictive permissions while using 2.9.12, those changes will be unnecessary (but will do no harm) in 2.9.13.
* To avoid the issue raised in CVE-2020-1736, specify a ``mode`` parameter in all file-based tasks that accept it.
Renaming from ``_facts`` to ``_info`` Renaming from ``_facts`` to ``_info``
-------------------------------------- --------------------------------------
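Review bot: In the added 2.9 entry the second sentence writes the parameter without literal markup ("the mode change has been reverted in 2.9.13, and mode will now default"), while the first sentence of the same bullet and the 2.8 entry use ``mode``. Suggest ``mode`` throughout so the parameter name renders the same way in every porting guide. The advice to "specify a ``mode`` parameter in all file-based tasks that accept it" would also be easier to act on with a one-task example or a pointer to which modules accept it.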

@ -51,7 +51,7 @@ Modules
Links on this page may not point to the most recent versions of modules. We will update them when we can. Links on this page may not point to the most recent versions of modules. We will update them when we can.
* Version 2.10.0 of ansible-base changed the default mode of file-based tasks to ``0o600`` when the user did not specify a ``mode`` parameter on file-based tasks. This was in response to a CVE report which we have reconsidered and no longer consider a flaw in ansible-base. As a result, the ``mode`` change has been reverted in 2.10.1, and ``mode`` will now default to ``0o666`` as in previous versions of Ansible and previous RCs of ansible-base. * Version 2.10.0 of ansible-base changed the default mode of file-based tasks to ``0o600 & ~umask`` when the user did not specify a ``mode`` parameter on file-based tasks. This was in response to a CVE report which we have reconsidered. As a result, the mode change has been reverted in 2.10.1, and mode will now default to ``0o666 & ~umask`` as in previous versions of Ansible.
* If you changed any tasks to specify less restrictive permissions while using 2.10.0, those changes will be unnecessary (but will do no harm) in 2.10.1. * If you changed any tasks to specify less restrictive permissions while using 2.10.0, those changes will be unnecessary (but will do no harm) in 2.10.1.
* To avoid the issue raised in CVE-2020-1736, specify a ``mode`` parameter in all file-based tasks that accept it. * To avoid the issue raised in CVE-2020-1736, specify a ``mode`` parameter in all file-based tasks that accept it.
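Review bot: The rewritten first bullet drops "and no longer consider a flaw in ansible-base", so "a CVE report which we have reconsidered" no longer tells the reader what the reconsideration concluded. Suggest keeping a short statement of that conclusion, since the third sub-bullet still tells users to avoid the issue by setting ``mode`` explicitly and the two statements read as contradictory without it. The replacement line also loses the literal markup on ``mode`` that the removed line had in "the ``mode`` change has been reverted".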