Change:
- By default the dnf API does not gpg-verify packages. This is a feature
that is executed in its CLI code. It never made it into Ansible's
usage of the API, so packages were previously not verified.
- This fixes CVE-2020-14365.
Test Plan:
- New integration tests
Signed-off-by: Rick Elrod <rick@elrod.me>
* psrp - use native copy mechanism (#71409)
* psrp - use native copy mechanism
* Fix sanity issues
* Split the bugfix and deprecation into separate changelog fragments
(cherry picked from commit 985ba187b2)
* Remove deprecations for backport
The message generated by systemctl has been updated in 9321e23c40, which requires a corresponding change in the systemd module.
In addition, this fixes the module when the SYSTEMD_OFFLINE environment variable is set.
(cherry picked from commit a1a50bb3cd)
* tests: Use `hg serve` instead of bitbucket for hg
Change:
- Uses `hg serve` instead of a bitbucket repo for hg tests
- bitbucket no longer serves hg
Test Plan:
- CI, fixed integration tests
Signed-off-by: Rick Elrod <rick@elrod.me>
* Disable mongodb_replicaset tests for now
Change:
- 4.0.20 breaks tests, disable for now
Test Plan:
- CI
Tickets:
- https://github.com/ansible-collections/community.mongodb/issues/136
Signed-off-by: Rick Elrod <rick@elrod.me>
* setup_mongodb: Nix RH package installation/removal
Change:
- Our RHEL and CentOS images make these unnecessary and they were
broken.
Test Plan:
- CI
Signed-off-by: Rick Elrod <rick@elrod.me>
* Disable mongodb_shard tests for now
Change:
- 4.0.20 breaks tests, disable for now
Test Plan:
- CI
Tickets:
- https://github.com/ansible-collections/community.mongodb/issues/136
Signed-off-by: Rick Elrod <rick@elrod.me>
* adds year-round link to AnsibleFest from the Ansible docs index page
Co-authored-by: Alicia Cozine <acozine@users.noreply.github.com>
(cherry picked from commit ae3b8eec12)
* Ensure -k is set to delegated hosts without a pass (#71136)
* Ensure -k is set to delegated hosts without a pass
* Fix up some broken tests
* Update task_executor.py
one possible fix, the other is updating winrm to normalize on 'password' like the other connection plugins
* Add alias for winrm and fix incorrect assumption
* Make sure aliases are used for keyword options
* Conditionally run test if sshpass is present, fix sanity
Co-authored-by: Brian Coca <bcoca@users.noreply.github.com>
(cherry picked from commit 3f22f79e73)
* Backport subset of https://github.com/ansible/ansible/pull/69670
* reset logging to INFO (#70878)
- due to CVE-2019-14846
- also added comments and test to avoid 'oportunistic' reversion
(cherry picked from commit 1223ce656a)
* Update keep_log_at_info.yml
Co-authored-by: Rick Elrod <rick@elrod.me>
* template connection variables accessed directly before using (#70657)
* template variables accessed directly when using them instead of FieldAttributes
(cherry picked from commit 8c213c9334)
* changelog
* Detect failure in always block after rescue (#70094)
* Detect failure in always block after rescue
Fixes#70000
ci_complete
* Add more tests
(cherry picked from commit 0ed5b77377)
* add changelog
Co-authored-by: Matt Davis <mrd@redhat.com>
* Allow hostvars delegation (#70331)
* ensure hostvars are available on delegation
* also inventory_hostname must point to current host and not delegated one
* fix get_connection since it was still mixing original host vars and delegated ones
* also return connection vars for delegation and non delegation alike
* add test to ensure we have expected usage when directly assigning for non delegated host
(cherry picked from commit 84adaba6f5)
* avoid returning more data
* remove unused return vars
* Encode/Decode files in UTF-8
* Use helper function in ansible
* Add an integration test
* Use emoji in test data.
* add changelog
* Also support non-ascii chars in filepath and add tests about this.
* Also use non-ascii chars in replaced text and ensure not to break cron syntax.
* rename self.existing to self.n_existing
* rename crontab.existing to crontab.n_existing.
(cherry picked from commit 5ce47646ad)
Co-authored-by: psi / Ryo Hirafuji <ryo.hirafuji@link-u.co.jp>
* try removing name references for state=absent
Signed-off-by: Rick Elrod <rick@elrod.me>
Co-authored-by: psi / Ryo Hirafuji <ryo.hirafuji@link-u.co.jp>
Co-authored-by: Rick Elrod <rick@elrod.me>
* [stable-2.9] Change default file permissions so they are not world readable (#70221)
* Change default file permissions so they are not world readable
CVE-2020-1736
Set the default permissions for files we create with atomic_move() to 0o0660. Track
which files we create that did not exist and warn if the module supports 'mode'
and it was not specified and the module did not call set_mode_if_different(). This allows the user to take action and specify a mode rather than using the defaults.
A code audit is needed to find all instances of modules that call atomic_move()
but do not call set_mode_if_different(). The findings need to be documented in
a changelog since we are not warning. Warning in those instances would be frustrating
to the user since they have no way to change the module code.
- use a set for storing list of created files
- just check the argument spac and params rather than using another property
- improve the warning message to include the default permissions.
(cherry picked from commit 5260527c4a)
Co-authored-by: Sam Doran <sdoran@redhat.com>
* Fix jboss test
* Fix lamdba_policy test
* Fix aws_lamdba test
* Fix warning for new default permissions when mode is not specified (#70976)
Follow up to #70221
Related to #67794
CVE-2020-1736
When set_mode_if_different() is called with mode of 'None', ensure we issue
a warning about the change in default permissions.
Add integration tests to ensure the warning works properly.
* Fix tests
- actually use custom module 🤦♂️
- verify file permission on created files
- use remote_tmp_dir so we're ready for split controller
- improve test module so we can skip the call to set_fs_attributes_if_different()
- fix tests for CentOS 6
(cherry-picked from commit dc79528cc6)
* Use new category in changelog fragments
Sam Doran