Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Re-add changelogs and add docs for CVE-2020-1736 reverts [2.8] #71516

Merged
merged 5 commits into from Aug 31, 2020
Merged

Re-add changelogs and add docs for CVE-2020-1736 reverts [2.8] #71516

merged 5 commits into from Aug 31, 2020

Conversation

relrod
Copy link
Member

@relrod relrod commented Aug 28, 2020

SUMMARY

Same as #71515

ISSUE TYPE
  • Docs Pull Request
COMPONENT NAME

docs

@relrod
re-add changelogs from CVE-2020-1736 fix
b80ce4d 
Signed-off-by: Rick Elrod <rick@elrod.me>
@relrod
add docs and add changelogs back for CVE-2020-1736
0eb8be8 
Signed-off-by: Rick Elrod <rick@elrod.me>
@ansibot ansibot added affects_2.8 This issue/PR affects Ansible v2.8 backport This PR does not target the devel branch. core_review In order to be merged, this PR must follow the core review workflow. docs This issue/PR relates to or includes documentation. needs_triage Needs a first human triage before being processed. support:community This issue/PR relates to code supported by the Ansible community. support:core This issue/PR relates to code supported by the Ansible Engineering Team. labels Aug 28, 2020
@relrod relrod requested a review from samdoran August 28, 2020 21:44
samdoran
samdoran reviewed Aug 31, 2020
View reviewed changes
changelogs/fragments/cve-2020-1736-revert.yml Outdated Show resolved Hide resolved
docs/docsite/rst/porting_guides/porting_guide_2.8.rst Outdated Show resolved Hide resolved
docs/docsite/rst/porting_guides/porting_guide_2.8.rst Outdated
@@ -373,6 +373,12 @@ add ``$ErrorActionPreference = "Continue"`` to the top of the module. This chang
of the EAP that was accidentally removed in a previous release and ensure that modules are more resilient to errors
that may occur in execution.

* Version 2.8.14 of Ansible changed the default mode of file-based tasks to ``0o600`` when the user did not specify a ``mode`` parameter on file-based tasks. This was in response to a CVE report which we have reconsidered and no longer consider a flaw in Ansible. As a result, the ``mode`` change has been reverted in 2.8.15, and ``mode`` will now default to ``0o666`` as in previous versions of Ansible.
* Affected modules included known_hosts, service, authorized_key, interfaces_file, pam_limits, pamd, redhat_subscription, selinux, and sysctrl. If you are using Ansible 2.8.14 and seeing new failures in these modules, upgrade to 2.8.15.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This list is not complete. We should either list all the modules that call atomic_move, or list none of them.

sysctrl --> sysctl

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here are the modules in stable-2.8 that call atomic_move():

apt_repository
assemble
authorized_key
basics/get_url
blockinfile
copy
ini_file
interfaces_file
jenkins_plugin
known_hosts
lineinfile
openssl_dhparam
pam_limits
pamd
redhat_subscription
replace
selinux
service
sysctl

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Of course, providing this last may or may not lead to more confusion since most of them don't accept mode. 😞

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I originally didn't list them but @acozine thought it would be helpful. I'm happy with either approach.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I listed the ones that were in the original porting guide entry. We can leave that out, since it seems likely to do more harm than good.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@samdoran, I didn't realize there were other affected modules. How about the suggestion below?

@relrod @acozine
Update docs/docsite/rst/porting_guides/porting_guide_2.8.rst
fdb68f6 
Co-authored-by: Alicia Cozine <879121+acozine@users.noreply.github.com>
@relrod relrod merged commit 69827e0 into ansible:stable-2.8 Aug 31, 2020
@sivel sivel removed the needs_triage Needs a first human triage before being processed. label Sep 1, 2020
@ansible ansible locked and limited conversation to collaborators Sep 28, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@acozine acozine acozine left review comments

@samdoran samdoran samdoran left review comments

Assignees
No one assigned
Labels
affects_2.8 This issue/PR affects Ansible v2.8 backport This PR does not target the devel branch. core_review In order to be merged, this PR must follow the core review workflow. docs This issue/PR relates to or includes documentation. support:community This issue/PR relates to code supported by the Ansible community. support:core This issue/PR relates to code supported by the Ansible Engineering Team.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@relrod @acozine @samdoran @sivel @ansibot