This is an updated version of the original release announcement. It has been updated to include CVE details in the "What's new" section.
Hi all- we're happy to announce that the general release of Ansible 2.9.7, 2.8.11, and 2.7.17 are now available!

How do you get it?
------------------

$ pip install ansible==2.9.7 --user
or
$ pip install ansible==2.8.11 --user
or
$ pip install ansible==2.7.17 --user

The tar.gz of the releases can be found here:

* 2.9.7
  https://releases.ansible.com/ansible/ansible-2.9.7.tar.gz
  SHA256: 7222ce925536a25b2912364e13b03a3e21dbf2f96799ebff304f48509324de7b
* 2.8.11
  https://releases.ansible.com/ansible/ansible-2.8.11.tar.gz
  SHA256: 156caa8b6c60b9f0d5c7d57ee0f4e46d8e226147b58546be6a8ac52925a9c191
* 2.7.17
  https://releases.ansible.com/ansible/ansible-2.7.17.tar.gz
  SHA256: 9fdb79c43f7ad972dc7ccff8a4e9553d623e52dc80b802c619568d3c38f94ccc

What's new in 2.9.7, 2.8.11, and 2.7.17
---------------------------------------

These releases are security and maintenance releases containing numerous bugfixes.

CVEs fixed in these releases:

CVE-2020-1733 - ansible: insecure temporary directory when running become_user from become directive
CVE-2020-1735 - ansible: path injection on dest parameter in fetch module
CVE-2020-1737 - ansible: Extract-Zip function in win_unzip module does not check extracted path
CVE-2020-1739 - ansible: svn module leaks password when specified as a parameter
CVE-2020-1740 - ansible: secrets readable after ansible-vault edit
CVE-2020-1746 - ansible: information disclosure issue in ldap_attr and ldap_entry modules
CVE-2020-1753 - ansible: kubectl connection plugin leaks sensitive information [1]
CVE-2020-10684 - ansible: code injection when using ansible_facts as a subkey
CVE-2020-10685 - ansible: modules which use files encrypted with vault are not properly cleaned up
CVE-2020-10691 - ansible: archive traversal vulnerability in ansible-galaxy collection install [2]

Notes:

[1] CVE-2020-1753 - Resolved in documentation. Only resolved in Ansible 2.9.
[2] CVE-2020-10691 - Affects only Ansible 2.9.
The full changelogs are at:

* 2.9.7
  https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst
* 2.8.11
  https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst
* 2.7.17
  https://github.com/ansible/ansible/blob/stable-2.7/changelogs/CHANGELOG-v2.7.rst

What's the schedule for future maintenance releases?
----------------------------------------------------

Future maintenance releases will occur approximately every 3 weeks. So expect the next one around 2020-05-07.

Porting Help
------------

We've published a porting guide at
https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.9.html
to help migrate your content to 2.9.

If you discover any errors or if any of your working playbooks break when you upgrade to 2.9.7, please use the following link to report the regression:

https://github.com/ansible/ansible/issues/new/choose

In your issue, be sure to mention the Ansible version that works and the one that doesn't.

Thanks!

-Matt Clay