Ansible 2.2.3 FINAL released, 2.1.6rc1 and 2.3.1rc1 available for testing

We are happy to announce that Ansible 2.2.3 FINAL is now available. Additionally, 2.1.6rc1 and 2.3.1rc1 are also available for testing.

All of these releases address at least one CVE (listed below). Users of 2.2.x should upgrade to 2.2.3 as soon as possible. The CVE impacting 2.1.x and 2.3.0 is MODERATE in severity; however, users should plan to upgrade as soon as the final releases are available.

For the 2.2.3-1 FINAL release:

  • [SECURITY] (HIGH): fix for CVE-2017-7466, which was caused by an incomplete cherry-picking of commits related to CVE-2016-9587.
  • [SECURITY] (MODERATE): fix for CVE-2017-7481, in which data for lookup plugins used as variables was not being correctly marked as “unsafe”.
  • Fixes a bug when using YAML inventory where hosts were not put in the ‘all’ group, and some other ‘ungrouped’ issues in inventory.
  • Fixes a bug when using ansible commands without a tty for stdin.
  • Split on newlines when searching for become prompt.
  • Fix crash upon pass prompt in py3 when using the paramiko connection type.

For 2.3.1 RC1:

  • SECURITY (MODERATE): fix for CVE-2017-7481, in which data for lookup plugins used as variables was not being correctly marked as “unsafe”.

For 2.1.6 RC1:

  • SECURITY (MODERATE): fix for CVE-2017-7481, in which data for lookup plugins used as variables was not being correctly marked as “unsafe”.

For all of these releases, the fix for CVE-2017-7481 may be a breaking change. Data returned by lookups is now forced to be unsafe, which means it will no longer be templated. To allow the old behavior, users have two options:

  1. Add allow_unsafe=True to your lookup calls. For example: {{lookup('pipe', '/path/to/some/command', allow_unsafe=True)}}
  2. Add allow_unsafe_lookups=yes to your ansible.cfg.

NOTE: Using option 2 above disables all unsafe protections for lookups, including those used for with_* loops, and is not recommended.
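As an added example (not part of the announcement), the playbook below checks whether an installation shows the fixed behaviour described above: lookup results stay "unsafe" and are not re-templated when they are later used as a loop item. The file path and marker text are constructed for this check, and it is assumed to run against localhost.

```yaml
---
# Added example, not from the release announcement: verify that lookup
# results are marked unsafe on this controller (CVE-2017-7481 fix).
# Assumptions (constructed): runs on localhost, writes a file under /tmp.
- hosts: localhost
  gather_facts: no
  vars:
    marker_file: /tmp/lookup_unsafe_check.txt
    # Renders to the literal text "{{ 6 * 7 }}"; the braces are escaped so
    # this variable is not itself evaluated as an expression.
    marker_text: "{{ '{{' }} 6 * 7 {{ '}}' }}"
  tasks:
    - name: Write a file whose content looks like a Jinja2 expression
      copy:
        dest: "{{ marker_file }}"
        content: "{{ marker_text }}"

    - name: Feed the file through a with_* lookup and inspect each item
      # Fixed releases keep item as the literal marker text. Vulnerable
      # releases template the item when it is used here and yield "42".
      assert:
        that:
          - item == marker_text
        msg: "lookup data was templated (got '{{ item }}'); upgrade per CVE-2017-7481"
      with_file: "{{ marker_file }}"

    - name: Remove the temporary file
      file:
        path: "{{ marker_file }}"
        state: absent
```

Running this with `ansible-playbook` on a fixed release passes the assert; on an affected release the assert fails and reports the templated value. Adding `allow_unsafe=True` to a lookup call (option 1 above) restores the old templated behaviour for that call only.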

How do you get it?