f509a22f9d
* use security_fix category in changelogs for CVEs * these fragments do not say CVE but are security fixes Co-authored-by: Alicia Cozine <acozine@users.noreply.github.com>
12 lines
615 B
YAML
12 lines
615 B
YAML
security_fixes:
|
|
- >
|
|
**security issue** - Convert CLI provided passwords to text initially, to
|
|
prevent unsafe context being lost when converting from bytes->text during
|
|
post processing of PlayContext. This prevents CLI provided passwords from
|
|
being incorrectly templated (CVE-2019-14856)
|
|
- >
|
|
**security issue** - Update ``AnsibleUnsafeText`` and ``AnsibleUnsafeBytes``
|
|
to maintain unsafe context by overriding ``.encode`` and ``.decode``. This
|
|
prevents future issues with ``to_text``, ``to_bytes``, or ``to_native``
|
|
removing the unsafe wrapper when converting between string types
|
|
(CVE-2019-14856)
|