Fix for plugins which used the boto libraries leaking the boto creden… #63366
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
…tials to logs
SUMMARY
CVE-2019-14846 - Several Ansible plugins could disclose aws credentials
in log files. inventory/aws_ec2.py, inventory/aws_rds.py,
lookup/aws_account_attribute.py, and lookup/aws_secret.py, lookup/aws_ssm.py use the
boto3 library from the Ansible process. The boto3 library logs credentials at log level
DEBUG. If Ansible's logging was enabled (by setting LOG_PATH to a value) Ansible would
set the global log level to DEBUG. This was inherited by boto and would then log boto
credentials to the file specified by LOG_PATH. This did not affect aws ansible modules
as those are executed in a separate process. This has been fixed by switching to log
level INFO"
ISSUE TYPE
COMPONENT NAME
lib/ansible/utils/display.py