Hi all,
Ansible 2.6.1, 2.5.6, and 2.4.6 were released today. In addition to various bugfixes (see each release’s changelog for details), these releases each include fixes for two recently-filed security vulnerabilities:
- CVE-2018-10874 (https://access.redhat.com/security/cve/cve-2018-10874)
- CVE-2018-10875 (https://access.redhat.com/security/cve/cve-2018-10875)
The first correction disables Ansible’s long-standing behavior of loading variables (e.g. group_vars and host_vars) from the current directory (when the current directory is not also where the playbook runs). This mostly affects the ad-hoc “ansible” command. To force the ad-hoc runner to load vars from the current directory, add the command-line arg “--playbook-dir=.”. The second correction disables the loading of ansible.cfg from the current directory when the current directory is world-writable. Warning text will be displayed when a config file has been ignored for this reason.
The new releases are available via the usual installation methods on PyPI, https://releases.ansible.com/ansible/, and on GitHub. Detailed installation instructions are available at https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html.
Future 2.6 and 2.5 series releases will occur every 2-3 weeks. 2.4 will only receive security updates going forward.
Release tarball SHAs from releases.ansible.com:
- 2.6.1 SHA256: a1fc205286344c5d7bda36b503c273f5b348b06a23f86d52ddddd6afa01cad3c
- 2.5.6 SHA256: 65ef5952f4e319343c5ffb9d000f0f4b974fcc55812df392863f9423ffb91dd7
- 2.4.6 SHA256: f8cb44f76710faf88fc7dc0c703a3f39fe8a3bb1b98eb70506ef2cddf7e3e0c0
Happy automating!
Matt Davis (@nitzmahone)
Ansible Core Engineering / 2.5 release manager
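
The two behavior changes described in the announcement can be checked for a given working directory before upgrading. The following is an added example, not part of the original announcement and not Ansible's own code: the function name `audit_cwd` and the report keys are hypothetical, and it assumes "world-writable" means the other-write permission bit is set on the directory.

```python
import os
import stat
import sys

# Variable directories the announcement names as no longer loaded from the cwd.
VARS_DIRS = ("group_vars", "host_vars")


def audit_cwd(path):
    """Report how the patched releases would treat `path` as a working directory.

    Hypothetical helper: it approximates the announced behavior and does not
    call into Ansible.
    """
    mode = os.stat(path).st_mode
    # Assumption: world-writable == the S_IWOTH bit is set on the directory.
    world_writable = bool(mode & stat.S_IWOTH)
    has_cfg = os.path.isfile(os.path.join(path, "ansible.cfg"))
    vars_dirs = [d for d in VARS_DIRS if os.path.isdir(os.path.join(path, d))]

    notes = []
    if has_cfg and world_writable:
        notes.append("ansible.cfg is ignored: directory is world-writable")
    if vars_dirs:
        notes.append(
            "ad-hoc runs do not load %s from here unless --playbook-dir=. is passed"
            % ", ".join(vars_dirs)
        )
    return {
        "path": os.path.abspath(path),
        "world_writable": world_writable,
        "cfg_ignored": has_cfg and world_writable,
        "vars_dirs": vars_dirs,
        "notes": notes,
    }


if __name__ == "__main__":
    # Audit the directories given on the command line, or the cwd by default.
    for target in sys.argv[1:] or ["."]:
        report = audit_cwd(target)
        print(report["path"])
        for note in report["notes"] or ["no behavior change expected"]:
            print("  - " + note)
```

Running it over the directories that cron jobs and wrapper scripts use as their working directory shows where an ad-hoc invocation will behave differently after the upgrade.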