From 3d5217b6d53842e669102cb454e9ba296b3dcfdb Mon Sep 17 00:00:00 2001 From: Alicia Cozine Date: Tue, 9 Jun 2020 12:03:14 -0500 Subject: [PATCH] use security_fix category in changelogs --- changelogs/config.yaml | 2 ++ changelogs/fragments/dont-template-cli-passwords.yml | 2 +- changelogs/fragments/fetch_no_slurp.yml | 2 +- changelogs/fragments/galaxy-install-tar-path-traversal.yaml | 2 +- changelogs/fragments/no-log-sub-options-invalid-parameter.yaml | 2 +- changelogs/fragments/remote_mkdir_fix.yml | 2 +- changelogs/fragments/subversion_password.yaml | 2 +- changelogs/fragments/vault_tmp_race_fix.yml | 2 +- changelogs/fragments/win-unzip-check-extraction-path.yml | 2 +- 9 files changed, 10 insertions(+), 8 deletions(-) diff --git a/changelogs/config.yaml b/changelogs/config.yaml index c1169f7b3cf..2a7802afcac 100644 --- a/changelogs/config.yaml +++ b/changelogs/config.yaml @@ -7,7 +7,9 @@ new_plugins_after_name: removed_features sections: - ['major_changes', 'Major Changes'] - ['minor_changes', 'Minor Changes'] +- ['breaking_changes', 'Breaking Changes / Porting Guide'] - ['deprecated_features', 'Deprecated Features'] - ['removed_features', 'Removed Features (previously deprecated)'] +- ['security_fixes', 'Security Fixes'] - ['bugfixes', 'Bugfixes'] - ['known_issues', 'Known Issues'] diff --git a/changelogs/fragments/dont-template-cli-passwords.yml b/changelogs/fragments/dont-template-cli-passwords.yml index 5c8dbea7e19..86809bf50f1 100644 --- a/changelogs/fragments/dont-template-cli-passwords.yml +++ b/changelogs/fragments/dont-template-cli-passwords.yml @@ -1,4 +1,4 @@ -bugfixes: +security_fixes: - > **security issue** - Convert CLI provided passwords to text initially, to prevent unsafe context being lost when converting from bytes->text during diff --git a/changelogs/fragments/fetch_no_slurp.yml b/changelogs/fragments/fetch_no_slurp.yml index 216e51e4937..4ca41f66e05 100644 --- a/changelogs/fragments/fetch_no_slurp.yml +++ b/changelogs/fragments/fetch_no_slurp.yml @@ -1,2 +1,2 @@ -bugfixes: +security_fixes: - In fetch action, avoid using slurp return to set up dest, also ensure no dir traversal CVE-2020-1735. diff --git a/changelogs/fragments/galaxy-install-tar-path-traversal.yaml b/changelogs/fragments/galaxy-install-tar-path-traversal.yaml index c2382bf4bf7..3c1e7e26b39 100644 --- a/changelogs/fragments/galaxy-install-tar-path-traversal.yaml +++ b/changelogs/fragments/galaxy-install-tar-path-traversal.yaml @@ -1,2 +1,2 @@ -bugfixes: +security_fixes: - ansible-galaxy - Error when install finds a tar with a file that will be extracted outside the collection install directory - CVE-2020-10691 diff --git a/changelogs/fragments/no-log-sub-options-invalid-parameter.yaml b/changelogs/fragments/no-log-sub-options-invalid-parameter.yaml index 79019d64cfe..c65fa1a706c 100644 --- a/changelogs/fragments/no-log-sub-options-invalid-parameter.yaml +++ b/changelogs/fragments/no-log-sub-options-invalid-parameter.yaml @@ -1,2 +1,2 @@ -bugfixes: +security_fixes: - '**security issue** - properly hide parameters marked with ``no_log`` in suboptions when invalid parameters are passed to the module (CVE-2019-14858)' diff --git a/changelogs/fragments/remote_mkdir_fix.yml b/changelogs/fragments/remote_mkdir_fix.yml index 0efdbb6660c..eb158b33e8a 100644 --- a/changelogs/fragments/remote_mkdir_fix.yml +++ b/changelogs/fragments/remote_mkdir_fix.yml @@ -1,2 +1,2 @@ -bugfixes: +security_fixes: - Ensure we get an error when creating a remote tmp if it already exists. CVE-2020-1733 diff --git a/changelogs/fragments/subversion_password.yaml b/changelogs/fragments/subversion_password.yaml index 42e09fb1a07..e9d59c2774c 100644 --- a/changelogs/fragments/subversion_password.yaml +++ b/changelogs/fragments/subversion_password.yaml @@ -1,4 +1,4 @@ -bugfixes: +security_fixes: - > **security issue** - The ``subversion`` module provided the password via the svn command line option ``--password`` and can be retrieved diff --git a/changelogs/fragments/vault_tmp_race_fix.yml b/changelogs/fragments/vault_tmp_race_fix.yml index 5807e17ac3b..aa0ee48dcbd 100644 --- a/changelogs/fragments/vault_tmp_race_fix.yml +++ b/changelogs/fragments/vault_tmp_race_fix.yml @@ -1,2 +1,2 @@ -bugfixes: +security_fixes: - "**security_issue** - create temporary vault file with strict permissions when editing and prevent race condition (CVE-2020-1740)" diff --git a/changelogs/fragments/win-unzip-check-extraction-path.yml b/changelogs/fragments/win-unzip-check-extraction-path.yml index 1a6b6133d66..0a6f7f1fda2 100644 --- a/changelogs/fragments/win-unzip-check-extraction-path.yml +++ b/changelogs/fragments/win-unzip-check-extraction-path.yml @@ -1,4 +1,4 @@ -bugfixes: +security_fixes: - > **security issue** win_unzip - normalize paths in archive to ensure extracted files do not escape from the target directory (CVE-2020-1737)