Hi all,

Ansible 2.5.12, 2.6.9, and 2.7.3 were released today. These releases include a fix for a reported security vulnerability CVE-2018-16859 (https://nvd.nist.gov/vuln/detail/CVE-2018-16859), as well as other small bugfixes. Special thanks to community member Igor Turovsky for responsibly reporting this issue.

The fix for CVE-2018-16859 protects Windows hosts from disclosing potentially sensitive information in the PowerShell Operational event log via scriptblock logging. If you're automating Windows hosts with Ansible using PowerShell 5+, or if you've enabled PowerShell module logging on any PowerShell version, you should clear the PowerShell event logs and lock down access to them. Links to more information and (of course!) an Ansible playbook to handle these tasks for you can be found at https://groups.google.com/forum/#!topic/ansible-project/cxihRiXgg3E.

The new releases are available via the usual installation methods on PyPI, https://releases.ansible.com/ansible/, and on GitHub. Detailed installation instructions are available at https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html.

Future 2.6 and 2.7 series releases will occur every few weeks. 2.5 will only release for critical security updates.

Changelog links for each release and tarball SHAs from releases.ansible.com:

- 2.7.3
  Changelog: https://github.com/ansible/ansible/blob/v2.7.3/changelogs/CHANGELOG-v2.7.rst
  SHA256: 3f424d2db33cdf8af8e11b146f211c4f93573247bd5894da6d262610475e642f
- 2.6.9
  Changelog: https://github.com/ansible/ansible/blob/v2.6.9/changelogs/CHANGELOG-v2.6.rst
  SHA256: e117948d94b9bf08a78943cc91103f69527292c092075d7d7dd7cfaddad6be8a
- 2.5.12
  Changelog: https://github.com/ansible/ansible/blob/v2.5.12/changelogs/CHANGELOG-v2.5.rst
  SHA256: 4fbe88b6f8d94399c4ac99920d35c00fe62bd715ccf4101c2e96cd149820a271

Happy automating!

Matt Davis (@nitzmahone)
Ansible Core Engineering
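
The check-and-cleanup the announcement asks for on a managed Windows host, as an added example; it is not part of the original message and is not the Ansible playbook linked above. The `-Remediate` switch and the SDDL string are assumptions made for this sketch and should be adapted to local policy before use.

```powershell
#Requires -RunAsAdministrator
# Added example: report exposure of the PowerShell Operational log, and with
# -Remediate (hypothetical switch) clear it and restrict who can read it.
param([switch]$Remediate)

$LogName    = 'Microsoft-Windows-PowerShell/Operational'
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
# Assumed SDDL, adapt before use: SYSTEM full control, Administrators
# read/write/clear, Authenticated Users write-only (can log, cannot read back).
$Sddl = 'O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x2;;;AU)'

function Test-LoggingPolicy([string]$SubKey, [string]$ValueName) {
    # True only when the group-policy value exists and is set to 1.
    $key = Get-ItemProperty -Path (Join-Path $PolicyRoot $SubKey) -ErrorAction SilentlyContinue
    return [bool]($key -and $key.$ValueName -eq 1)
}

$log = Get-WinEvent -ListLog $LogName
# Event ID 4104 = scriptblock logging, 4103 = module logging.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 4103, 4104 } `
            -ErrorAction SilentlyContinue)

# Per the announcement, hosts on PowerShell 5+ are affected regardless of the
# policy values; module logging matters on any PowerShell version.
[pscustomobject]@{
    PSMajorVersion        = $PSVersionTable.PSVersion.Major
    ScriptBlockPolicyOn   = Test-LoggingPolicy 'ScriptBlockLogging' 'EnableScriptBlockLogging'
    ModuleLoggingPolicyOn = Test-LoggingPolicy 'ModuleLogging' 'EnableModuleLogging'
    ScriptBlockEvents     = @($events | Where-Object Id -eq 4104).Count
    ModuleLoggingEvents   = @($events | Where-Object Id -eq 4103).Count
    CurrentChannelAccess  = $log.SecurityDescriptor
} | Format-List

if ($Remediate) {
    # Same order as the announcement: clear the log, then lock down access.
    wevtutil.exe cl $LogName
    if ($LASTEXITCODE -ne 0) { throw "Could not clear $LogName" }

    wevtutil.exe sl $LogName "/ca:$Sddl"
    if ($LASTEXITCODE -ne 0) { throw "Could not set channel access on $LogName" }

    # Confirm the result: record count should be near zero, SDDL should match.
    Get-WinEvent -ListLog $LogName | Select-Object LogName, RecordCount, SecurityDescriptor
}
```

Run it once without `-Remediate` and keep the reported `CurrentChannelAccess` value so the original access list can be restored if a log collector loses read access.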