Add a CVE-2018-12557 release note
Add a security release note for the "credentials leak on ansible unreachable error despite no_log" story. It's added to an existing file so that it will appear in the 3.1.0 section.

Change-Id: I1060a964cad9863ce24abe830622370a3dbfbf80
Story: #2002177
Task: #22238
Parent: de3187a356
Commit: 6ddf3dbb9c
@ -7,3 +7,13 @@ upgrade:
|
||||
other job attribute. The final values are used to determine
|
||||
whether the job should ultimately run.
|
||||
- Zuul now uses Ansible 2.5.
|
||||
security:
|
||||
- |
|
||||
Tobias Henkel (BMW Car IT GmbH) discovered a vulnerability which
|
||||
is fixed in this release. If nodes become offline during the
|
||||
build, the no_log attribute of a task is ignored. If the
|
||||
unreachable error occurred in a task used with a loop variable
|
||||
(e.g., with_items), the contents of the loop items would be
|
||||
printed in the console. This could lead to accidentally leaking
|
||||
credentials or secrets. MITRE has assigned CVE-2018-12557 to this
|
||||
vulnerability.
|
||||
|
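Review bot: The new security entry says the issue "is fixed in this release" but gives operators nothing to act on for builds that already ran. Consider adding a sentence that console logs from earlier builds, where a node went unreachable during a no_log task using a loop such as with_items, may contain the loop items and should be reviewed, and that any credentials or secrets found there should be rotated. It would also help to state which earlier releases are affected, since the note only implies "before this one". A minor wording point in the same entry: "If nodes become offline during the build" reads more clearly as "If nodes become unreachable during the build", which matches the "unreachable error" wording in the following sentence.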