From f509a22f9d1ec4ef9ca265f35bbf05fac981e680 Mon Sep 17 00:00:00 2001
From: Alicia Cozine <879121+acozine@users.noreply.github.com>
Date: Thu, 11 Jun 2020 12:24:01 -0500
Subject: [PATCH] add changelog categories, update CVE fragments to use security_fix category (#69968)
* use security_fix category in changelogs for CVEs
* these fragments do not say CVE but are security fixes
Co-authored-by: Alicia Cozine
---
 changelogs/config.yaml | 2 ++
 changelogs/fragments/62237-keep-unsafe-context.yml | 2 +-
 changelogs/fragments/ansible-test-cloud-secrets.yml | 2 +-
 changelogs/fragments/dont-template-cli-passwords.yml | 2 +-
 changelogs/fragments/fetch_no_slurp.yml | 2 +-
 changelogs/fragments/galaxy-install-tar-path-traversal.yaml | 2 +-
 changelogs/fragments/no-log-sub-options-invalid-parameter.yaml | 2 +-
 changelogs/fragments/remote_mkdir_fix.yml | 2 +-
 changelogs/fragments/subversion_password.yaml | 2 +-
 changelogs/fragments/vault_tmp_race_fix.yml | 2 +-
 changelogs/fragments/win-unzip-check-extraction-path.yml | 2 +-
 11 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/changelogs/config.yaml b/changelogs/config.yaml
index c1169f7b3cf..2a7802afcac 100644
--- a/changelogs/config.yaml
+++ b/changelogs/config.yaml
@@ -7,7 +7,9 @@ new_plugins_after_name: removed_features
 sections:
 - ['major_changes', 'Major Changes']
 - ['minor_changes', 'Minor Changes']
+- ['breaking_changes', 'Breaking Changes / Porting Guide']
 - ['deprecated_features', 'Deprecated Features']
 - ['removed_features', 'Removed Features (previously deprecated)']
+- ['security_fixes', 'Security Fixes']
 - ['bugfixes', 'Bugfixes']
 - ['known_issues', 'Known Issues']
diff --git a/changelogs/fragments/62237-keep-unsafe-context.yml b/changelogs/fragments/62237-keep-unsafe-context.yml
index e4513e7e484..a7f40246776 100644
--- a/changelogs/fragments/62237-keep-unsafe-context.yml
+++ b/changelogs/fragments/62237-keep-unsafe-context.yml
@@ -1,4 +1,4 @@
-bugfixes:
+security_fixes:
 - >
 **security issue** - TaskExecutor - Ensure we don't erase unsafe context in TaskExecutor.run on bytes. Only present in 2.9.0beta1
diff --git a/changelogs/fragments/ansible-test-cloud-secrets.yml b/changelogs/fragments/ansible-test-cloud-secrets.yml
index b7e19fab22c..c8a5f3e45be 100644
--- a/changelogs/fragments/ansible-test-cloud-secrets.yml
+++ b/changelogs/fragments/ansible-test-cloud-secrets.yml
@@ -1,3 +1,3 @@
-bugfixes:
+security_fixes:
 - >
 **security issue** - Redact cloud plugin secrets in ansible-test when running integration tests using cloud plugins. Only present in 2.9.0b1.
diff --git a/changelogs/fragments/dont-template-cli-passwords.yml b/changelogs/fragments/dont-template-cli-passwords.yml
index 5c8dbea7e19..86809bf50f1 100644
--- a/changelogs/fragments/dont-template-cli-passwords.yml
+++ b/changelogs/fragments/dont-template-cli-passwords.yml
@@ -1,4 +1,4 @@
-bugfixes:
+security_fixes:
 - >
 **security issue** - Convert CLI provided passwords to text initially, to prevent unsafe context being lost when converting from bytes->text during
diff --git a/changelogs/fragments/fetch_no_slurp.yml b/changelogs/fragments/fetch_no_slurp.yml
index 216e51e4937..4ca41f66e05 100644
--- a/changelogs/fragments/fetch_no_slurp.yml
+++ b/changelogs/fragments/fetch_no_slurp.yml
@@ -1,2 +1,2 @@
-bugfixes:
+security_fixes:
 - In fetch action, avoid using slurp return to set up dest, also ensure no dir traversal CVE-2020-1735.
diff --git a/changelogs/fragments/galaxy-install-tar-path-traversal.yaml b/changelogs/fragments/galaxy-install-tar-path-traversal.yaml
index c2382bf4bf7..3c1e7e26b39 100644
--- a/changelogs/fragments/galaxy-install-tar-path-traversal.yaml
+++ b/changelogs/fragments/galaxy-install-tar-path-traversal.yaml
@@ -1,2 +1,2 @@
-bugfixes:
+security_fixes:
 - ansible-galaxy - Error when install finds a tar with a file that will be extracted outside the collection install directory - CVE-2020-10691
diff --git a/changelogs/fragments/no-log-sub-options-invalid-parameter.yaml b/changelogs/fragments/no-log-sub-options-invalid-parameter.yaml
index 79019d64cfe..c65fa1a706c 100644
--- a/changelogs/fragments/no-log-sub-options-invalid-parameter.yaml
+++ b/changelogs/fragments/no-log-sub-options-invalid-parameter.yaml
@@ -1,2 +1,2 @@
-bugfixes:
+security_fixes:
 - '**security issue** - properly hide parameters marked with ``no_log`` in suboptions when invalid parameters are passed to the module (CVE-2019-14858)'
diff --git a/changelogs/fragments/remote_mkdir_fix.yml b/changelogs/fragments/remote_mkdir_fix.yml
index 0efdbb6660c..eb158b33e8a 100644
--- a/changelogs/fragments/remote_mkdir_fix.yml
+++ b/changelogs/fragments/remote_mkdir_fix.yml
@@ -1,2 +1,2 @@
-bugfixes:
+security_fixes:
 - Ensure we get an error when creating a remote tmp if it already exists. CVE-2020-1733
diff --git a/changelogs/fragments/subversion_password.yaml b/changelogs/fragments/subversion_password.yaml
index 42e09fb1a07..e9d59c2774c 100644
--- a/changelogs/fragments/subversion_password.yaml
+++ b/changelogs/fragments/subversion_password.yaml
@@ -1,4 +1,4 @@
-bugfixes:
+security_fixes:
 - >
 **security issue** - The ``subversion`` module provided the password via the svn command line option ``--password`` and can be retrieved
diff --git a/changelogs/fragments/vault_tmp_race_fix.yml b/changelogs/fragments/vault_tmp_race_fix.yml
index 5807e17ac3b..aa0ee48dcbd 100644
--- a/changelogs/fragments/vault_tmp_race_fix.yml
+++ b/changelogs/fragments/vault_tmp_race_fix.yml
@@ -1,2 +1,2 @@
-bugfixes:
+security_fixes:
 - "**security_issue** - create temporary vault file with strict permissions when editing and prevent race condition (CVE-2020-1740)"
diff --git a/changelogs/fragments/win-unzip-check-extraction-path.yml b/changelogs/fragments/win-unzip-check-extraction-path.yml
index 1a6b6133d66..0a6f7f1fda2 100644
--- a/changelogs/fragments/win-unzip-check-extraction-path.yml
+++ b/changelogs/fragments/win-unzip-check-extraction-path.yml
@@ -1,4 +1,4 @@
-bugfixes:
+security_fixes:
 - >
 **security issue** win_unzip - normalize paths in archive to ensure extracted files do not escape from the target directory (CVE-2020-1737)