Ansible 2.1.3 FINAL has been released!

Hi all, we’re very happy to announce that Ansible 2.1.3 has been released!

This release fixes many bugs, including the two CVE-related bugs also fixed in the 2.2.0 release:

  • Security fix for CVE-2016-8628 - Command injection by compromised server via fact variables. In some situations, facts returned by modules could overwrite connection-based facts or some other special variables, leading to injected commands running on the Ansible controller as the user running Ansible (or via escalated permissions).
  • Security fix for CVE-2016-8614 - apt_key module not properly validating keys in some situations.
  • Fixed several bugs related to locating files relative to role/playbook directories.
  • Fixed a bug in the way hosts were tested for failed states, resulting in incorrectly skipped block sessions.
  • Fixed a bug in the way our custom JSON encoder is used for the to_json* filters.
  • Fixed some bugs related to the use of non-ASCII characters in become passwords.
  • Fixed postgres* and subversion modules to ensure password fields were not displayed when no_log=True is used.
  • Fixed a bug with Azure modules which may be using the latest rc6 library.
  • Backported some docker_common fixes.

As always, this update is available via PyPI and releases.ansible.com now, and packages for distros will be available as soon as possible. We have also created the following PPA for 2.1.x versions:

https://launchpad.net/~ansible/+archive/ubuntu/ansible-2.1

If you discover any errors, or if you see any regressions from playbooks which work on 1.9.x and prior, please open a GitHub issue and be sure to mention the version of Ansible you’re running.

Thanks, and enjoy!

James Cammarata:

Hi all, we're very happy to announce that Ansible 2.1.3 has been released!

This release fixes many bugs, including the two CVE-related bugs also fixed
in the 2.2.0 release:

* Security fix for CVE-2016-8628 - Command injection by compromised server
via fact variables. In some situations, facts returned by modules could
overwrite connection-based facts or some other special variables, leading
to injected commands running on the Ansible controller as the user running
Ansible (or via escalated permissions).
* Security fix for CVE-2016-8614 - apt_key module not properly validating
keys in some situations.

If Ansible v2.2.0 fixed two vulnerabilities (CVE-2016-8628,
CVE-2016-8614) why was there no mention about that in the release
announcement?

Is there a mailing list one can sign up to, to just get release
announcements?

thanks,
nusenu

nusenu:

Is there a mailing list one can sign up to, to just get release
announcements?

https://groups.google.com/forum/#!forum/ansible-announce