Hi

On the release dir, the new file reads:

ansible-1.6.tar.gz 10-Mar-2014 23:13 532K

I'm guessing this is a typo??

On Monday, 10 March 2014 23:23:45 UTC, Michael DeHaan wrote:

> Ansible 1.5.1 Release Notes
>
> Today we’re releasing Ansible 1.5.1 which contains three security fixes/upgrades as well as a few assorted bugfixes that have been applied since the 1.5 release. An upgrade is suggested for all users using vault, interacting with web-properties over https://, or those users allowing outside untrusted input to be passed as variables to their ansible playbooks.
>
> The security improvements are as follows:
>
> Ansible Vault has been updated in terms of how the cipher logic has been implemented to make the content harder to brute force. Using the “edit” or “rekey” functions in vault will automatically upgrade an existing vault-encrypted file to the new format, and the new format is also the method used for any new files that vault creates. Users are encouraged to upgrade their content as follows, and should also consider changing any passwords or keys in vault-encrypted files to take advantage of security upgrades, as the previous versions would still exist in SCM history or may have been copied by another party.
>
> cd your_playbook_directory/
>
> find . -type f | xargs grep -l '$ANSIBLE_VAULT;1.0;AES' | xargs ansible-vault rekey
>
> Note that the version of pycrypto Vault now needs is newer than what is carried in the base channel of Red Hat and CentOS, so if you are using this distribution you may benefit from:
>
> yum install python-devel
>
> rpm -e --nodeps python-crypto
>
> pip install pycrypto
>
> If you have a downlevel version the system will warn you about this. If you are using vault, you need not worry about this dependency.
>
> Core ansible modules (other than the shell module) have been upgraded to avoid running user input through the shell. Some ansible users have proxied ansible behind a wrapper script or web proxy (including Ansible Tower), that allows users who do not personally have access to machines to be able to supply variables as input into playbook executions. This includes doing things such as providing a value to “--extra-args” that might contain a semicolon, allowing them to run commands as a remote user. Removing the ability to use the shell in all of these modules prevents command injection in this case. The shell module by design executes commands through the shell, so if user supplied variables are being fed to things executed by the shell module, consider using the “command” module instead or whether users supplying input are trustworthy. User developed modules can take advantage of these upgrades by using the “run_command” function in “module_utils”, which will by default not allow any form of shell usage, which is now standard and required for all ansible modules in core. Regardless of this fix application, users of ansible should realize that any user that is allowed to write playbooks can control the systems upon which the playbooks are applied, which is intentional and by design.
>
> Finally, code that performs URL downloads of https:// URLs has been upgraded to validate the certificates where possible, unless a new parameter “validate_certs=no” is passed to the module. This ensures that web servers that are interacted with are signed by a known certificate authority. It is very likely that this may require playbook alteration to add a “validate_certs=no” to any modules like “get_url” that interact with self-signed web services, such as continuous integration servers. In the event that this should occur, the playbook will report an appropriate error message and reference the ability to add “validate_certs=no” to get around the error message.
> Ansible 1.5.1 is available now on http://releases.ansible.com as well as the python package index, via “pip install ansible”. It is anticipated that distribution copies of the package, as well as other repositories, will pick this up soon.
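The command-injection class the quoted release notes describe (a semicolon in a user-supplied variable reaching /bin/sh) can be reproduced with the standard library alone. The block below is an added example, not code from Ansible or from the thread: `run_via_shell` models the pre-1.5.1 pattern of formatting a value into a command string, `run_without_shell` models the fixed argv-list pattern, and `run_command` is a hypothetical stand-in modelled on the behaviour the notes ascribe to `module_utils`'s `run_command` (no shell unless the caller opts in), not Ansible's real function. The injected value, the `echo` command templates and the `use_unsafe_shell` parameter name are constructed for illustration and assume a POSIX `/bin/sh` and `echo` on PATH.

```python
"""Shell vs. no-shell execution of an untrusted playbook variable.

Added example (not Ansible code). Models the before/after behaviour the
Ansible 1.5.1 release notes describe, using only the standard library.
"""
import shlex
import subprocess

# Constructed attacker-controlled value, e.g. handed in via --extra-vars by a
# user who may start playbooks but has no login on the target hosts.
UNTRUSTED_VALUE = "web01; echo INJECTED"

# The same command in the two shapes a module might build it.
SHELL_TEMPLATE = "echo ping {}"          # one string, parsed by /bin/sh
ARGV_TEMPLATE = ["echo", "ping", "{}"]   # argv list, executed directly


def run_via_shell(template, value):
    """Pre-fix pattern: format the value into a string and hand it to /bin/sh.

    Returns captured stdout. The shell treats ';' as a command separator, so
    whatever follows it runs as a second command: command injection.
    """
    cmd = template.format(value)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_without_shell(argv_template, value):
    """Fixed pattern: the value becomes one argv element; no shell parses it.

    ';' and the text after it reach the program as ordinary bytes of a single
    argument and are never interpreted.
    """
    argv = [arg.format(value) for arg in argv_template]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def run_command(args, use_unsafe_shell=False):
    """Hypothetical stand-in (assumption, not Ansible's API) for the
    run_command behaviour the notes describe: a string is tokenised with
    shlex and executed without a shell unless the caller explicitly opts in,
    which is what the shell module does by design.

    Returns (returncode, stdout).
    """
    if use_unsafe_shell:
        proc = subprocess.run(args, shell=True, capture_output=True, text=True)
    else:
        argv = shlex.split(args) if isinstance(args, str) else list(args)
        proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout


def was_injected(output):
    """True if the injected command produced its own output line."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    print("shell=True :", repr(run_via_shell(SHELL_TEMPLATE, UNTRUSTED_VALUE)))
    print("argv list  :", repr(run_without_shell(ARGV_TEMPLATE, UNTRUSTED_VALUE)))
    print("run_command:", run_command(SHELL_TEMPLATE.format(UNTRUSTED_VALUE)))
    print("unsafe     :", run_command(SHELL_TEMPLATE.format(UNTRUSTED_VALUE),
                                      use_unsafe_shell=True))
```

Running it shows `INJECTED` on its own line only in the two shell paths. One caveat worth noting: tokenising a string that already contains user data (the `shlex.split` path in `run_command`) stops command injection but still lets the user add extra tokens, so a value such as `--some-flag` can turn into an option of the program being run. Building the argv list yourself with the untrusted value as exactly one element, as `run_without_shell` does, avoids that argument injection as well.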
