1.6 is the current development branch

On 11 March 2014 12:16, Makimoto Marakatti <makim...@gmail.com> wrote:

> Hi
>
> On the release dir, the new file reads:
>
> ansible-1.6.tar.gz 10-Mar-2014 23:13 532K
>
> I'm guessing this is a typo??
>
>
>
> On Monday, 10 March 2014 23:23:45 UTC, Michael DeHaan wrote:
>>
>> Ansible 1.5.1 Release Notes
>>
>> Today we’re releasing Ansible 1.5.1 which contains three security
>> fixes/upgrades as well as a few assorted bugfixes that have been applied
>> since the 1.5 release.   An upgrade is suggested for all users using vault,
>> interacting with web-properties over https://, or those users allowing
>> outside untrusted input to be passed as variables to their ansible
>> playbooks.
>>
>> The security improvements are as follows:
>>
>> Ansible Vault has been updated in terms of how the cipher logic has been
>> implemented to make the content harder to brute force.  Using the “edit” or
>> “rekey” functions in vault will automatically upgrade an existing
>> vault-encrypted file to the new format, and the new format is also the
>> method used for any new files that vault creates.   Users are encouraged to
>> upgrade their content as follows, and should also consider changing any
>> passwords or keys in vault-encrypted files to take advantage of security
>> upgrades, as the previous versions would still exist in SCM history or may
>> have been copied by another party.
>>
>> cd your_playbook_directory/
>>
>> find . -type f | xargs grep -l '$ANSIBLE_VAULT;1.0;AES' | xargs ansible-vault rekey
>>
>> Note that the version of pycrypto Vault now needs is newer than what is
>> carried in the base channel of Red Hat and CentOS, so if you are using this
>> distribution you may benefit from:
>>
>> yum install python-devel
>>
>> rpm -e --nodeps python-crypto
>>
>> pip install pycrypto
>>
>> If you have a downlevel version the system will warn you about this.  If
>> you are using vault, you need not worry about this dependency.
>>
>> Core ansible modules (other than the shell module) have been upgraded to
>> avoid running user input through the shell.    Some ansible users have
>> proxied ansible behind a wrapper script or web proxy (including Ansible
>> Tower), that allows users who do not personally have access to machines to
>> be able to supply variables as input into playbook executions.  This
>> includes doing things such as providing a value to “--extra-args” that
>> might contain a semicolon, allowing them to run commands as a remote user.
>> Removing the ability to use the shell in all of these modules prevents
>> command injection in this case.  The shell module by design executes
>> commands through the shell, so if user supplied variables are being fed to
>> things executed by the shell module, consider using the “command” module
>> instead or whether users supplying input are trustworthy.   User developed
>> modules can take advantage of these upgrades by using the “run_command”
>> function in “module_utils”, which will by default not allow any form of
>> shell usage, which is now standard and required for all ansible modules in
>> core. Regardless of this fix application, users of ansible should realize
>> that any user that is allowed to write playbooks can control the systems
>> upon which the playbooks are applied, which is intentional and by design.
>>
>> Finally, code that performs URL downloads of https:// URLs has been
>> upgraded to validate the certificates where possible, unless a new
>> parameter “validate_certs=no” is passed to the module.   This ensures that
>> web servers that are interacted with are signed by a known certificate
>> authority.   It is very likely that this may require playbook alteration to
>> add a “validate_certs=no” to any modules like “get_url” that interact with
>> self-signed web services, such as continuous integration servers.   In the
>> event that this should occur, the playbook will report an appropriate error
>> message and reference the ability to add “validate_certs=no” to get around
>> the error message.
>>
>> Ansible 1.5.1 is available now on http://releases.ansible.com as well as
>> the python package index, via “pip install ansible”.  It is anticipated
>> that distribution copies of the package, as well as other repositories,
>> will pick this up soon.
>>
>>  --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ansible-project+unsubscr...@googlegroups.com.
> To post to this group, send email to ansible-project@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/7aaa732d-2734-4e47-a4e7-3fcae44c44a7%40googlegroups.com.
>
> For more options, visit https://groups.google.com/d/optout.
>

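The shell-injection change described in the quoted release notes, as an added example that is not part of the original thread and is not Ansible's own code. The `run_command` helper below is a hypothetical stand-in for the behaviour the notes describe (no shell unless explicitly requested); the command template and the sample value are constructed.

```python
import shlex
import subprocess

# Constructed sample: a value an outside user supplies as a playbook variable.
UNTRUSTED_VERSION = "1.5.1; echo INJECTED"


def render(version):
    """Build the command string the way a naive wrapper would (assumed template)."""
    return "echo deploying %s" % version


def run_command(args, use_unsafe_shell=False):
    """Hypothetical helper: execute without a shell unless the caller opts in.

    Returns (returncode, stdout, stderr).
    """
    if use_unsafe_shell:
        # The whole string is handed to /bin/sh, so ';' ends the first
        # command and starts a second one chosen by whoever set the value.
        proc = subprocess.run(args, shell=True, capture_output=True, text=True)
    else:
        # Split into an argv list ourselves and exec the program directly.
        # No shell ever parses the string, so ';' is just part of an argument.
        if isinstance(args, str):
            args = shlex.split(args)
        proc = subprocess.run(args, shell=False, capture_output=True, text=True)
    return proc.returncode, proc.stdout, proc.stderr


def demo():
    """Run the same rendered command both ways and return the output lines."""
    cmd = render(UNTRUSTED_VERSION)
    _, via_shell, _ = run_command(cmd, use_unsafe_shell=True)
    _, no_shell, _ = run_command(cmd)
    return via_shell.splitlines(), no_shell.splitlines()


if __name__ == "__main__":
    via_shell, no_shell = demo()
    print("through the shell:", via_shell)
    print("without a shell:  ", no_shell)
```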