Re-add changelogs and add docs for CVE-2020-1736 reverts [2.8]

changelogs/fragments/67794-atomic_move-default-perms.yml

@@ -0,0 +1,4 @@
+security_fixes:
+  - >
+    **security issue** atomic_move - change default permissions when creating
+    temporary files so they are not world readable (https://github.com/ansible/ansible/issues/67794) (CVE-2020-1736)

changelogs/fragments/67794-default-permissions-warning-fix.yml

@@ -0,0 +1,4 @@
+security_fixes:
+  - >
+    Fix warning for default permission change when no mode is specified. Follow up
+    to https://github.com/ansible/ansible/issues/67794. (CVE-2020-1736)

changelogs/fragments/cve-2020-1736-revert.yml

@@ -0,0 +1,2 @@
+security_fixes:
+  - The fix for CVE-2020-1736 has been reverted. Users are encouraged to specify a ``mode`` parameter in their file-based tasks when the files being manipulated contain sensitive data.

docs/docsite/rst/porting_guides/porting_guide_2.8.rst

@@ -373,6 +373,12 @@ add ``$ErrorActionPreference = "Continue"`` to the top of the module. This chang
 of the EAP that was accidentally removed in a previous release and ensure that modules are more resilient to errors
 that may occur in execution.
 
+* Version 2.8.14 of Ansible changed the default mode of file-based tasks to ``0o600 & ~umask`` when the user did not specify a ``mode`` parameter on file-based tasks. This was in response to a CVE report which we have reconsidered. As a result, the ``mode`` change has been reverted in 2.8.15, and ``mode`` will now default to ``0o666 & ~umask`` as in previous versions of Ansible.
+* If you changed any tasks to specify less restrictive permissions while using 2.8.14, those changes will be unnecessary (but will do no harm) in 2.8.15.
+* To avoid the issue raised in CVE-2020-1736, specify a ``mode`` parameter in all file-based tasks that accept it.
+
+
+
 Modules removed
 ---------------