[docs] add porting guide for DNF GPG validation (#71640)
* [docs] add porting guide for DNF GPG validation Change: - This was a breaking change (security fix), but I neglected to add a porting guide entry for it previously. Tickets: - Refs #71537 - Refs #71539 - Refs #71540 - Refs #71541 Signed-off-by: Rick Elrod <rick@elrod.me> * changes from sivel Signed-off-by: Rick Elrod <rick@elrod.me>
This commit is contained in:
parent
760334303b
commit
7a38c470ba
3 changed files with 6 additions and 0 deletions
|
@ -375,6 +375,8 @@ that may occur in execution.
|
||||||
* If you changed any tasks to specify less restrictive permissions while using 2.8.14, those changes will be unnecessary (but will do no harm) in 2.8.15.
|
* If you changed any tasks to specify less restrictive permissions while using 2.8.14, those changes will be unnecessary (but will do no harm) in 2.8.15.
|
||||||
* To avoid the issue raised in CVE-2020-1736, specify a ``mode`` parameter in all file-based tasks that accept it.
|
* To avoid the issue raised in CVE-2020-1736, specify a ``mode`` parameter in all file-based tasks that accept it.
|
||||||
|
|
||||||
|
* ``dnf`` and ``yum`` - As of version 2.8.15, the ``dnf`` module (and ``yum`` action when it uses ``dnf``) now correctly validates GPG signatures of packages (CVE-2020-14365). If you see an error such as ``Failed to validate GPG signature for [package name]``, please ensure that you have imported the correct GPG key for the DNF repository and/or package you are using. One way to do this is with the ``rpm_key`` module. Although we discourage it, in some cases it may be necessary to disable the GPG check. This can be done by explicitly adding ``disable_gpg_check: yes`` in your ``dnf`` or ``yum`` task.
|
||||||
|
|
||||||
|
|
||||||
Modules removed
|
Modules removed
|
||||||
---------------
|
---------------
|
||||||
|
|
|
@ -78,6 +78,8 @@ Modules
|
||||||
* If you changed any tasks to specify less restrictive permissions while using 2.9.12, those changes will be unnecessary (but will do no harm) in 2.9.13.
|
* If you changed any tasks to specify less restrictive permissions while using 2.9.12, those changes will be unnecessary (but will do no harm) in 2.9.13.
|
||||||
* To avoid the issue raised in CVE-2020-1736, specify a ``mode`` parameter in all file-based tasks that accept it.
|
* To avoid the issue raised in CVE-2020-1736, specify a ``mode`` parameter in all file-based tasks that accept it.
|
||||||
|
|
||||||
|
* ``dnf`` and ``yum`` - As of version 2.9.13, the ``dnf`` module (and ``yum`` action when it uses ``dnf``) now correctly validates GPG signatures of packages (CVE-2020-14365). If you see an error such as ``Failed to validate GPG signature for [package name]``, please ensure that you have imported the correct GPG key for the DNF repository and/or package you are using. One way to do this is with the ``rpm_key`` module. Although we discourage it, in some cases it may be necessary to disable the GPG check. This can be done by explicitly adding ``disable_gpg_check: yes`` in your ``dnf`` or ``yum`` task.
|
||||||
|
|
||||||
|
|
||||||
Renaming from ``_facts`` to ``_info``
|
Renaming from ``_facts`` to ``_info``
|
||||||
--------------------------------------
|
--------------------------------------
|
||||||
|
|
|
@ -55,6 +55,8 @@ Modules
|
||||||
* If you changed any tasks to specify less restrictive permissions while using 2.10.0, those changes will be unnecessary (but will do no harm) in 2.10.1.
|
* If you changed any tasks to specify less restrictive permissions while using 2.10.0, those changes will be unnecessary (but will do no harm) in 2.10.1.
|
||||||
* To avoid the issue raised in CVE-2020-1736, specify a ``mode`` parameter in all file-based tasks that accept it.
|
* To avoid the issue raised in CVE-2020-1736, specify a ``mode`` parameter in all file-based tasks that accept it.
|
||||||
|
|
||||||
|
* ``dnf`` and ``yum`` - As of version 2.10.1, the ``dnf`` module (and ``yum`` action when it uses ``dnf``) now correctly validates GPG signatures of packages (CVE-2020-14365). If you see an error such as ``Failed to validate GPG signature for [package name]``, please ensure that you have imported the correct GPG key for the DNF repository and/or package you are using. One way to do this is with the ``rpm_key`` module. Although we discourage it, in some cases it may be necessary to disable the GPG check. This can be done by explicitly adding ``disable_gpg_check: yes`` in your ``dnf`` or ``yum`` task.
|
||||||
|
|
||||||
|
|
||||||
Noteworthy module changes
|
Noteworthy module changes
|
||||||
-------------------------
|
-------------------------
|
||||||
|
|
Loading…
Reference in a new issue