Add a CVE-2018-12557 release note

Add a security release note for the "credentials leak on ansible
unreachable error despite no_log" story. It's added to an existing
file so that it will appear in the 3.1.0 section.

Change-Id: I1060a964cad9863ce24abe830622370a3dbfbf80
Story: #2002177
Task: #22238
This commit is contained in:
Jeremy Stanley 2018-06-19 14:57:14 +00:00
parent de3187a356
commit 6ddf3dbb9c

View File

@ -7,3 +7,13 @@ upgrade:
other job attribute. The final values are used to determine
whether the job should ultimately run.
- Zuul now uses Ansible 2.5.
security:
- |
Tobias Henkel (BMW Car IT GmbH) discovered a vulnerability which
is fixed in this release. If nodes become offline during the
build, the no_log attribute of a task is ignored. If the
unreachable error occurred in a task used with a loop variable
(e.g., with_items), the contents of the loop items would be
printed in the console. This could lead to accidentally leaking
credentials or secrets. MITRE has assigned CVE-2018-12557 to this
vulnerability.