Re-add changelogs and add docs for CVE-2020-1736 reverts [2.9] (#71515)

Signed-off-by: Rick Elrod <rick@elrod.me>
pull/71551/head
Rick Elrod 4 years ago committed by GitHub
parent dfaadf6f33
commit 7eec8e4d26
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -0,0 +1,4 @@
security_fixes:
- >
**security issue** atomic_move - change default permissions when creating
temporary files so they are not world readable (https://github.com/ansible/ansible/issues/67794) (CVE-2020-1736)

@ -0,0 +1,4 @@
security_fixes:
- >
Fix warning for default permission change when no mode is specified. Follow up
to https://github.com/ansible/ansible/issues/67794. (CVE-2020-1736)

@ -0,0 +1,2 @@
security_fixes:
- The fix for CVE-2020-1736 has been reverted. Users are encouraged to specify a ``mode`` parameter in their file-based tasks when the files being manipulated contain sensitive data.

@ -113,6 +113,10 @@ Writing modules
.. seealso:: `The Python Relative Import Docs <https://www.python.org/dev/peps/pep-0328/#guido-s-decision>`_ go into more detail of how to write relative imports. .. seealso:: `The Python Relative Import Docs <https://www.python.org/dev/peps/pep-0328/#guido-s-decision>`_ go into more detail of how to write relative imports.
* Version 2.9.12 of Ansible changed the default mode of file-based tasks to ``0o600`` when the user did not specify a ``mode`` parameter on file-based tasks. This was in response to a CVE report which we have reconsidered and no longer consider a flaw in Ansible. As a result, the ``mode`` change has been reverted in 2.9.13, and ``mode`` will now default to ``0o666`` as in previous versions of Ansible.
* If you changed any tasks to specify less restrictive permissions while using 2.9.12, those changes will be unnecessary (but will do no harm) in 2.9.13.
* To avoid the issue raised in CVE-2020-1736, specify a ``mode`` parameter in all file-based tasks that accept it.
Modules removed Modules removed
--------------- ---------------

Loading…
Cancel
Save