Hi all,
Ansible 2.5.12, 2.6.9, and 2.7.3 were released today. These releases include a fix for a reported security vulnerability CVE-2018-16859 (https://nvd.nist.gov/vuln/detail/CVE-2018-16859), as well as other small bugfixes. Special thanks to community member Igor Turovsky for responsibly reporting this issue.
The fix for CVE-2018-16859 protects Windows hosts from disclosing potentially sensitive information in the PowerShell Operational event log via scriptblock logging. If you’re automating Windows hosts with Ansible using PowerShell 5+, or if you’ve enabled PowerShell module logging on any PowerShell version, you should clear the PowerShell event logs and lock down access to them. Links to more information and (of course!) an Ansible playbook to handle these tasks for you can be found at https://groups.google.com/forum/#!topic/ansible-project/cxihRiXgg3E.
The new releases are available via the usual installation methods on PyPI, https://releases.ansible.com/ansible/, and on GitHub. Detailed installation instructions are available at https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html.
Future 2.6 and 2.7 series releases will occur every few weeks. 2.5 will only release for critical security updates.
Changelog links for each release and tarball SHAs from releases.ansible.com:
- 2.7.3
  Changelog: https://github.com/ansible/ansible/blob/v2.7.3/changelogs/CHANGELOG-v2.7.rst
  SHA256: 3f424d2db33cdf8af8e11b146f211c4f93573247bd5894da6d262610475e642f
- 2.6.9
  Changelog: https://github.com/ansible/ansible/blob/v2.6.9/changelogs/CHANGELOG-v2.6.rst
  SHA256: e117948d94b9bf08a78943cc91103f69527292c092075d7d7dd7cfaddad6be8a
- 2.5.12
  Changelog: https://github.com/ansible/ansible/blob/v2.5.12/changelogs/CHANGELOG-v2.5.rst
  SHA256: 4fbe88b6f8d94399c4ac99920d35c00fe62bd715ccf4101c2e96cd149820a271
Happy automating!
Matt Davis (@nitzmahone)
Ansible Core Engineering
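
As a check on the "lock down access" step above, here is an added example (not part of the announcement or of the linked Ansible playbook) that reads the `channelAccess` SDDL from `wevtutil gl Microsoft-Windows-PowerShell/Operational` output and lists the trustees that can still read the log. The sample output is constructed, and treating only SYSTEM and Administrators as expected readers is an assumption to adjust to your own policy.

```python
import re

# Event log channel access bits: read, write, clear.
READ, WRITE, CLEAR = 0x1, 0x2, 0x4
# Assumption: only SYSTEM (SY) and Administrators (BA) are expected readers.
TRUSTED = {"SY", "BA"}
ACE_RE = re.compile(r"\(([^)]*)\)")

def channel_sddl(wevtutil_output):
    """Pull the channelAccess SDDL out of `wevtutil gl <log>` text."""
    for line in wevtutil_output.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "channelAccess":
            return value.strip()
    raise ValueError("no channelAccess line found")

def readers_to_review(sddl):
    """Return (trustee, rights) for allow ACEs outside TRUSTED that grant read."""
    findings = []
    for ace in ACE_RE.findall(sddl):
        fields = ace.split(";")
        if len(fields) != 6 or fields[0] != "A":
            continue  # only plain allow ACEs are considered here
        rights, trustee = fields[2], fields[5]
        if trustee in TRUSTED:
            continue
        if not rights.lower().startswith("0x"):
            findings.append((trustee, rights))  # symbolic rights: review by hand
            continue
        mask = int(rights, 16)
        if mask & READ:
            findings.append((trustee, hex(mask)))
    return findings

# Constructed sample of `wevtutil gl` output, not taken from a real host.
SAMPLE = """name: Microsoft-Windows-PowerShell/Operational
enabled: true
channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;IU)(A;;0x2;;;SU)(A;;0x1;;;S-1-5-32-573)
"""

if __name__ == "__main__":
    for trustee, rights in readers_to_review(channel_sddl(SAMPLE)):
        print(f"review: {trustee} can read the log (rights {rights})")
```

An empty result means no trustee other than those in `TRUSTED` holds the read bit on the channel.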