6ddf3dbb9c
Add a security release note for the "credentials leak on ansible unreachable error despite no_log" story. It's added to an existing file so that it will appear in the 3.1.0 section. Change-Id: I1060a964cad9863ce24abe830622370a3dbfbf80 Story: #2002177 Task: #22238
20 lines
926 B
YAML
20 lines
926 B
YAML
upgrade:
|
|
- |
|
|
Files (and irrelevant-files) matchers are now overridable. Zuul
|
|
now uses only branch matchers to collect job variants. Once those
|
|
variants are collected, they are combined, and the files and
|
|
irrelevant-files attributes are inherited and overridden as any
|
|
other job attribute. The final values are used to determine
|
|
whether the job should ultimately run.
|
|
- Zuul now uses Ansible 2.5.
|
|
security:
|
|
- |
|
|
Tobias Henkel (BMW Car IT GmbH) discovered a vulnerability which
|
|
is fixed in this release. If nodes become offline during the
|
|
build, the no_log attribute of a task is ignored. If the
|
|
unreachable error occurred in a task used with a loop variable
|
|
(e.g., with_items), the contents of the loop items would be
|
|
printed in the console. This could lead to accidentally leaking
|
|
credentials or secrets. MITRE has assigned CVE-2018-12557 to this
|
|
vulnerability.
|