From 6ddf3dbb9c7b185010c56e2fa42b694e33839009 Mon Sep 17 00:00:00 2001 From: Jeremy Stanley Date: Tue, 19 Jun 2018 14:57:14 +0000 Subject: [PATCH] Add a CVE-2018-12557 release note Add a security release note for the "credentials leak on ansible unreachable error despite no_log" story. It's added to an existing file so that it will appear in the 3.1.0 section. Change-Id: I1060a964cad9863ce24abe830622370a3dbfbf80 Story: #2002177 Task: #22238 --- .../notes/override-file-matchers-128731229d551d81.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/releasenotes/notes/override-file-matchers-128731229d551d81.yaml b/releasenotes/notes/override-file-matchers-128731229d551d81.yaml index 5fb830f8be..a0b07031ef 100644 --- a/releasenotes/notes/override-file-matchers-128731229d551d81.yaml +++ b/releasenotes/notes/override-file-matchers-128731229d551d81.yaml @@ -7,3 +7,13 @@ upgrade: other job attribute. The final values are used to determine whether the job should ultimately run. - Zuul now uses Ansible 2.5. +security: + - | + Tobias Henkel (BMW Car IT GmbH) discovered a vulnerability which + is fixed in this release. If nodes become offline during the + build, the no_log attribute of a task is ignored. If the + unreachable error occurred in a task used with a loop variable + (e.g., with_items), the contents of the loop items would be + printed in the console. This could lead to accidentally leaking + credentials or secrets. MITRE has assigned CVE-2018-12557 to this + vulnerability.
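Review bot: the new `security:` entry tells operators what leaked but not what to do about it; add a sentence directing them to audit console logs of builds that hit an unreachable node before this upgrade for tasks that combine `no_log` with a loop (e.g. `with_items`), and to rotate any credentials or secrets found in those logs, since the exposure is in already-recorded output rather than something the upgrade can retroactively undo. The note also says the bug "is fixed in this release" without pointing at where the fix lives; since the commit message carries `Story: #2002177` and `Task: #22238`, referencing the story in the note gives readers a way to confirm which versions are affected and how the fix works. Minor: "If nodes become offline" reads better as "If a node becomes unreachable", which also matches the "unreachable error" wording used in the next sentence.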