
Fix for plugins which used the boto libraries leaking the boto credentials to logs #63366

Merged
merged 1 commit into ansible:stable-2.8 from abadger:fix-boto-logging-issues Oct 11, 2019

Conversation

abadger
Contributor

@abadger abadger commented Oct 11, 2019

SUMMARY

CVE-2019-14846 - Several Ansible plugins could disclose aws credentials
in log files. inventory/aws_ec2.py, inventory/aws_rds.py,
lookup/aws_account_attribute.py, and lookup/aws_secret.py, lookup/aws_ssm.py use the
boto3 library from the Ansible process. The boto3 library logs credentials at log level
DEBUG. If Ansible's logging was enabled (by setting LOG_PATH to a value) Ansible would
set the global log level to DEBUG. This was inherited by boto and would then log boto
credentials to the file specified by LOG_PATH. This did not affect aws ansible modules
as those are executed in a separate process. This has been fixed by switching to log
level INFO.

ISSUE TYPE
  • Bugfix Pull Request
COMPONENT NAME

lib/ansible/utils/display.py
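The mechanism the description relies on is Python's logger hierarchy: a library logger created with `logging.getLogger("some.library")` has level NOTSET, so its effective level is whatever the root logger was set to, and a DEBUG record carrying credentials reaches every root handler (here, the LOG_PATH file). The example below is added here and is not Ansible's or boto3's code; it uses a constructed stand-in library logger and a placeholder string in place of a real credential, and shows the same outcome as the fix (root at INFO instead of DEBUG), plus a defence-in-depth option of pinning the library's own logger to INFO so that a later global DEBUG does not re-open the leak.

```python
import io
import logging

# Constructed placeholder that stands in for a credential; not a real key.
FAKE_SECRET = "EXAMPLE_SECRET_KEY_PLACEHOLDER"

# Assumed stand-in for a third-party library's logger name (boto3/botocore in the PR).
LIBRARY_LOGGER = "thirdparty.client"


def library_call():
    """Mimic a library that logs its credentials at DEBUG, as the PR says boto3 does."""
    log = logging.getLogger(LIBRARY_LOGGER)
    log.info("request sent")
    log.debug("using credentials: %s", FAKE_SECRET)


def capture_with_root_level(root_level, pin_library_level=None):
    """Configure the root logger like an application log file would, run the
    library, and return everything that reached the root handler.

    root_level      : level set on the root logger (the global level Ansible sets).
    pin_library_level: optional explicit level for the library logger itself.
    """
    root = logging.getLogger()
    lib = logging.getLogger(LIBRARY_LOGGER)
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(name)s: %(message)s"))

    # Save and replace global state so the function is repeatable in one process.
    saved_handlers, saved_root_level = root.handlers[:], root.level
    saved_lib_level = lib.level
    root.handlers = [handler]
    root.setLevel(root_level)
    lib.setLevel(pin_library_level if pin_library_level is not None else logging.NOTSET)
    try:
        library_call()
        handler.flush()
        return buf.getvalue()
    finally:
        root.handlers = saved_handlers
        root.setLevel(saved_root_level)
        lib.setLevel(saved_lib_level)


def leaks_secret(root_level, pin_library_level=None):
    """True if the placeholder credential ends up in the captured log output."""
    return FAKE_SECRET in capture_with_root_level(root_level, pin_library_level)


if __name__ == "__main__":
    # Before the fix: global DEBUG is inherited by the library logger -> leak.
    print("root=DEBUG leaks:", leaks_secret(logging.DEBUG))
    # After the fix: global INFO -> the DEBUG record is dropped, INFO still logged.
    print("root=INFO  leaks:", leaks_secret(logging.INFO))
    # Defence in depth: pin the library logger so a later global DEBUG cannot reopen it.
    print("root=DEBUG, library pinned to INFO leaks:",
          leaks_secret(logging.DEBUG, pin_library_level=logging.INFO))
```

The pinned-logger variant is worth considering wherever a process embeds a library known to log secrets at DEBUG: lowering the global level fixes the default, but anyone who later raises it for troubleshooting gets the leak back unless the library logger is held at INFO independently.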

abadger added a commit to abadger/ansible that referenced this pull request Oct 11, 2019
@ansibot ansibot added affects_2.8 This issue/PR affects Ansible v2.8 backport This PR does not target the devel branch. bug This issue/PR relates to a bug. core_review In order to be merged, this PR must follow the core review workflow. needs_triage Needs a first human triage before being processed. support:community This issue/PR relates to code supported by the Ansible community. support:core This issue/PR relates to code supported by the Ansible Engineering Team. labels Oct 11, 2019
abadger added a commit to abadger/ansible that referenced this pull request Oct 11, 2019
@ansibot ansibot added needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. core_review In order to be merged, this PR must follow the core review workflow. and removed core_review In order to be merged, this PR must follow the core review workflow. needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. labels Oct 11, 2019
@abadger abadger merged commit cb0f535 into ansible:stable-2.8 Oct 11, 2019
@abadger abadger deleted the fix-boto-logging-issues branch October 11, 2019 04:21
@abadger
Contributor Author

abadger commented Oct 11, 2019

Merged for the 2.8.6 release

abadger added a commit that referenced this pull request Oct 11, 2019
@sivel sivel removed the needs_triage Needs a first human triage before being processed. label Oct 11, 2019
@ansible ansible locked and limited conversation to collaborators Nov 13, 2019