* Fix CVE-2014-3478, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487
Changelog:
2014-06-12 12:28 Christos Zoulas <christos@zoulas.com>
* release 5.19
2014-06-09 9:04 Christos Zoulas <christos@zoulas.com>
* Misc buffer overruns and missing buffer size tests in cdf parsing
(Francisco Alonso, Jan Kaluza)
2014-06-02 14:50 Christos Zoulas <christos@zoulas.com>
* Enforce limit of 8K on regex searches that have no limits
* Allow the l modifier for regex to mean line count. Default
to byte count. If line count is specified, assume a max
of 80 characters per line to limit the byte count.
* Don't allow conversions to be used for dates, allowing
the mask field to be used as an offset.
2014-05-30 12:51 Christos Zoulas <christos@zoulas.com>
* Make the range operator limit the length of the
regex search.
2014-05-14 19:23 Christos Zoulas <christos@zoulas.com>
* 347: Windows fixes
* 352: Hangul word processor recognition
* 354: Encoding irregularities in text files
2014-05-06 6:12 Christos Zoulas <christos@zoulas.com>
* Fix uninitialized title in CDF files (Jan Kaluza)
2014-05-04 14:55 Christos Zoulas <christos@zoulas.com>
* 351: Fix compilation of empty files
2014-04-30 17:39 Christos Zoulas <christos@zoulas.com>
* Fix integer formats: We don't specify 'l' or
'h' and 'hh' specifiers anymore, only 'll' for
quads and nothing for the rest. This is so that
magic writing is simpler.
2014-04-01 15:25 Christos Zoulas <christos@zoulas.com>
* 341: Jan Kaluza, fix memory leak
* 342: Jan Kaluza, fix out of bounds read
2014-03-28 15:25 Christos Zoulas <christos@zoulas.com>
* Fix issue with long formats not matching fmtcheck
D-Bus 1.8.6 (2014-06-02)
==
Security fixes:
• On Linux ≥ 2.6.37-rc4, if sendmsg() fails with ETOOMANYREFS, silently drop
the message. This prevents an attack in which a malicious client can
make dbus-daemon disconnect a system service, which is a local
denial of service.
(fd.o #80163, CVE-2014-3532; Alban Crequy)
• Track remaining Unix file descriptors correctly when more than one
message in quick succession contains fds. This prevents another attack
in which a malicious client can make dbus-daemon disconnect a system
service.
(fd.o #79694, fd.o #80469, CVE-2014-3533; Alejandro Martínez Suárez,
Simon McVittie, Alban Crequy)
Other fixes:
• When dbus-launch --exit-with-session starts a dbus-daemon but then cannot
attach to a session, kill the dbus-daemon as intended
(fd.o #74698, Роман Донченко)
(Is there any reason there isn't a RUBY_VERSIONS_INCOMPATIBLE
variable like we have for python and lua and in other similar
situations?)
MASTER_SITES and add pypi to them. Use PREFIX instead of LOCALBASE in one
SUBST_CLASS instead of two. ${PKGMANDIR}/man3 is no longer used. Comment
patches and delint. From CHANGELOG:
1.6.3
Corrects a regression where handlers were run across all hosts, not just those that triggered the handler.
Fixed a bug in which modules did not support properly moving a file atomically when su was in use.
Fixed two bugs related to symlinks with directories when using the file module.
Fixed a bug related to MySQL master replication syntax.
Corrects a regression in the order of variable merging done by the internal runner code.
Various other minor bug fixes.
1.6.2
If an improper locale is specified, core modules will now automatically revert to using the 'C' locale.
Modules using the fetch_url utility will now obey proxy environment variables.
The SSL validation step in fetch_url will likewise obey proxy settings, however only proxies using the http protocol are supported.
Fixed multiple bugs in docker module related to version changes upstream.
Fixed a bug in the ec2_group module where egress rules were lost when a VPC was specified.
Fixed two bugs in the synchronize module:
a trailing slash might be lost when calculating relative paths, resulting in an incorrect destination.
the sync might use the inventory directory incorrectly instead of the playbook or role directory.
Files will now only be chown'd on an atomic move if the src/dest uid/gid do not match.
1.6.1
Fixed a bug in group_by, where systems were being grouped incorrectly.
Fixed a bug where file descriptors may leak to a child process when using accelerate.
Fixed a bug in apt_repository triggered when python-apt not being installed/available.
Fixed a bug in the apache2_module module, where modules were not being disabled correctly.
1.6
Major features/changes:
The deprecated legacy variable templating system has finally been removed. Always use {{ foo }}, not $foo or ${foo}.
Any data file can also be JSON. Use sparingly -- with great power comes great responsibility. Starting file with "{" or "[" denotes JSON.
Added 'gathering' param for ansible.cfg to change the default gather_facts policy.
Accelerate improvements:
multiple users can connect with different keys, when accelerate_multi_key = yes is specified in the ansible.cfg.
daemon lifetime is now based on the time from the last activity, not the time from the daemon's launch.
ansible-playbook now accepts --force-handlers to run handlers even if tasks result in failures.
Added VMWare support with the vsphere_guest module.
New Modules:
files: replace
packaging: cpanm (Perl)
packaging: portage
packaging: composer (PHP)
packaging: homebrew_tap (OS X)
packaging: homebrew_cask (OS X)
packaging: apt_rpm
packaging: layman
monitoring: logentries
monitoring: rollbar_deployment
monitoring: librato_annotation
notification: nexmo (SMS)
notification: twilio (SMS)
notification: slack (Slack.com)
notification: typetalk (Typetalk.in)
notification: sns (Amazon)
system: debconf
system: ufw
system: locale_gen
system: alternatives
system: capabilities
net_infrastructure: bigip_facts
net_infrastructure: dnssimple
net_infrastructure: lldp
web_infrastructure: apache2_module
cloud: digital_ocean_domain
cloud: digital_ocean_sshkey
cloud: rax_identity
cloud: rax_cbs (cloud block storage)
cloud: rax_cbs_attachments
cloud: ec2_asg (configure autoscaling groups)
cloud: ec2_scaling_policy
cloud: ec2_metric_alarm
cloud: vsphere_guest
Other notable changes:
example callback plugin added for hipchat
added example inventory plugin for vcenter/vsphere
added example inventory plugin for doing really trivial inventory from SSH config files
libvirt module now supports destroyed and paused as states
s3 module can specify metadata
security token additions to ec2 modules
setup module code moved into module_utils/, facts now accessible by other modules
synchronize module sets relative dirs based on inventory or role path
misc bugfixes and other parameters
the ec2_key module now has wait/wait_timeout parameters
added version_compare filter (see docs)
added ability for module documentation YAML to utilize shared module snippets for common args
apt module now accepts "deb" parameter to install local dpkg files
regex_replace filter plugin added
added an inventory script for Docker
added an inventory script for Abiquo
the get_url module now accepts url_username and url_password as parameters, so sites which require authentication no longer need to have them embedded in the url
... to be filled in from changelogs ...
1.5.5
Security fix for vault, to ensure the umask is set to a restrictive mode before creating/editing vault files.
Backported apt_repository security fixes relating to filename/mode upon sources list file creation.
1.5.4
Security fix for safe_eval, which further hardens the checking of the evaluation function.
Changing order of variable precedence for system facts, to ensure that inventory variables take precedence over any facts that may be set on a host.
1.5.3
Fix validate_certs and run_command errors from previous release
Fixes to the git module related to host key checking
1.5.2
Fix module errors in airbrake and apt from previous release
1.5.1
Force command action to not be executed by the shell unless specifically enabled.
Validate SSL certs accessed through urllib*.
Implement new default cipher class AES256 in ansible-vault.
Misc bug fixes.
1.5
Major features/changes:
when_foo which was previously deprecated is now removed, use "when:" instead. Code generates appropriate error suggestion.
include + with_items which was previously deprecated is now removed, ditto. Use with_nested / with_together, etc.
only_if, which is much older than when_foo and was deprecated, is similarly removed.
ssh connection plugin is now more efficient if you add 'pipelining=True' in ansible.cfg under [ssh_connection], see example.cfg
localhost/127.0.0.1 is not required to be in inventory if referenced; if it is not in inventory, it does not implicitly appear in the 'all' group.
git module has new parameters (accept_hostkey, key_file, ssh_opts) to ease the usage of git and ssh protocols.
when using accelerate mode, the daemon will now be restarted when specifying a different remote_user between plays.
added no_log: option for tasks. When used, no logging information will be sent to syslog during the module execution.
acl module now handles 'default' and allows for either shorthand entry or specific fields per entry section
play_hosts is a new magic variable to provide a list of hosts in scope for the current play.
ec2 module now accepts 'exact_count' and 'count_tag' as a way to enforce a running number of nodes by tags.
all ec2 modules that work with Eucalyptus also now support a 'validate_certs' option, which can be set to 'off' for installations using self-signed certs.
Start of new integration test infrastructure (WIP, more details TBD)
if repoquery is unavailable, the yum module will automatically attempt to install yum-utils
ansible-vault: a framework for encrypting your playbooks and variable files
added support for privilege escalation via 'su' into bin/ansible and bin/ansible-playbook and associated keywords 'su', 'su_user', 'su_pass' for tasks/plays
New modules:
cloud: ec2_elb_lb
cloud: ec2_key
cloud: ec2_snapshot
cloud: rax_dns
cloud: rax_dns_record
cloud: rax_files
cloud: rax_files_objects
cloud: rax_keypair
cloud: rax_queue
cloud: docker_image
messaging: rabbitmq_policy
system: at
utilities: assert
Other notable changes (many new module params & bugfixes may not be listed):
no_reboot is now defaulted to "no" in the ec2_ami module to ensure filesystem consistency in the resulting AMI.
sysctl module overhauled
authorized_key module overhauled
synchronize module now handles local transport better
apt_key module now ignores case on keys
zypper_repository now skips on check mode
file module now responds to force behavior when dealing with hardlinks
new lookup plugin 'csvfile'
fixes to allow hash_merge behavior to work with dynamic inventory
mysql module will use port argument on dump/import
subversion module now ignores locale to better intercept status messages
rax api_key argument is no longer logged
backwards/forwards compatibility for OpenStack modules, 'quantum' modules grok neutron renaming
hosts properly uniqueified if appearing in redundant groups
hostname module support added for ScientificLinux
ansible-pull can now show live stdout and pass verbosity levels to ansible-playbook
ec2 instances can now be stopped or started
additional volumes can be created when creating new ec2 instances
user module can move a home directory
significant enhancement and cleanup of rackspace modules
ansible_ssh_private_key_file can be templated
docker module updated to support docker-py 0.3.0
various other bug fixes
md5 logic improved during sudo operation
support for ed25519 keys in authorized_key module
ability to set directory permissions during a recursive copy (directory_mode parameter)
1.4.5
fixed issue with permissions being incorrect on fireball/accelerate keys when the umask setting was too loose.
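Both the 1.5.5 vault fix above and the 1.4.5 fireball/accelerate key fix here come down to the same defect: a secrets file was created with the process's inherited umask, so a loose umask left it readable by other local users. The following is an added illustration of that failure mode and the defensive pattern (force a restrictive umask and an explicit 0o600 mode around the create), not Ansible's own code; the file names, the sample secret and the umask values fed to `demo()` are constructed for the demo.

```python
import os
import stat
import tempfile

# Constructed placeholder content; nothing here is a real credential.
SAMPLE_SECRET = b"db_password: example-only\n"


def create_secret_file(path: str, data: bytes, harden: bool) -> int:
    """Create `path` containing `data` and return its permission bits.

    harden=False mimics the pre-fix behaviour: the file is requested with the
    conventional 0o666 mode, so the result is whatever the inherited umask
    happens to leave (world-readable under the common 0o022).
    harden=True is the defensive pattern: temporarily force umask 0o077 and
    request 0o600, so the file is private regardless of what the caller
    inherited. The umask is restored afterwards so the rest of the process
    is unaffected.
    """
    saved_umask = os.umask(0o077) if harden else None
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC,
                     0o600 if harden else 0o666)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
    finally:
        if saved_umask is not None:
            os.umask(saved_umask)
    return stat.S_IMODE(os.stat(path).st_mode)


def is_private(mode: int) -> bool:
    """True when neither group nor others hold any permission bit."""
    return mode & 0o077 == 0


def demo(inherited_umask: int = 0o022) -> dict:
    """Run both variants under an explicitly set (constructed) inherited umask
    and report the resulting modes. The inherited umask is restored on exit."""
    previous = os.umask(inherited_umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            loose = create_secret_file(os.path.join(tmp, "vault_loose.yml"),
                                       SAMPLE_SECRET, harden=False)
            tight = create_secret_file(os.path.join(tmp, "vault_tight.yml"),
                                       SAMPLE_SECRET, harden=True)
    finally:
        os.umask(previous)
    return {
        "loose_mode": loose,
        "tight_mode": tight,
        "loose_private": is_private(loose),
        "tight_private": is_private(tight),
    }


if __name__ == "__main__":
    for umask in (0o022, 0o000):
        result = demo(umask)
        print(f"inherited umask {umask:04o}: "
              f"loose={result['loose_mode']:04o} (private={result['loose_private']}), "
              f"hardened={result['tight_mode']:04o} (private={result['tight_private']})")
```

The check worth keeping from this is `is_private()`: a post-write assertion that the created mode has no group/other bits catches a regression of this class even if the surrounding umask handling changes later.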
1.4.4
fixed a minor issue with newer versions of pip dropping the "use-mirrors" parameter.
Upstream changes:
-----------------
1.9.0 2014-06-08
[Bug] #965: Tweak IO flushing behavior when in linewise
(& thus parallel) mode so interwoven output is less frequent.
Thanks to @akidata for catch & patch.
[Feature] #741: Add env.prompts dictionary, allowing users to set
up custom prompt responses (similar to the built-in sudo prompt
auto-responder.) Thanks to Nigel Owens and David Halter for the patch.
[Feature] #1082: Add pty passthrough kwarg to upload_template.
[Support]: Modified packaging data to reflect that Fabric requires
Paramiko < 1.13 (which dropped Python 2.5 support.)
[Support] #1105: Enhance setup.py to allow Paramiko 1.13+ under
Python 2.6+. Thanks to @Arfrever for catch & patch.
[Support] #1106: Fix a misleading/ambiguous example snippet in the fab
usage docs to be clearer. Thanks to @zed.
[Feature] #1101: Reboot operation now supports custom command.
Thanks to Jonas Lejon.
[Feature] #938: Add an env var env.effective_roles specifying roles used
in the currently executing command. Thanks to Piotr Betkier for the patch.
[Feature] #1078: Add .command and .real_command attributes to local
return value.
Thanks to Alexander Teves (@alexanderteves) and Konrad Hałas (@konradhalas).
1.8.4 2014-06-08
[Support] #1105: Enhance setup.py to allow Paramiko 1.13+ under Python
2.6+. Thanks to @Arfrever for catch & patch.
[Bug] #898: Treat paths that begin with tilde “~”
as absolute paths instead of relative.
Thanks to Alex Plugaru for the patch and Dan Craig for the suggestion.
1.8.3 2014-03-21
[Support]: Modified packaging data to reflect that Fabric requires
Paramiko < 1.13 (which dropped Python 2.5 support.)
D-Bus 1.8.4 (2014-06-10)
==
Security fix:
• Alban Crequy at Collabora Ltd. discovered and fixed a denial-of-service
flaw in dbus-daemon, part of the reference implementation of D-Bus.
Additionally, in highly unusual environments the same flaw could lead to
a side channel between processes that should not be able to communicate.
(CVE-2014-3477, fd.o #78979)
The change log runs to 850 lines, but a short summary includes a fix for
LSN-2014-0003: Don't expand entities when parsing XML (Daniel P. Berrange)
(which I think is also CVE-2014-0179), new features, bug fixes, and
portability improvements.
This makes the package more useful for users of binary packages, who
can then burn a bootable memtest CD, and only costs 1.8 MB without
adding any run-time dependencies. Source users get a dependency on
cdrtools, but that's likely already installed, and the option can
easily be turned off in that case (unlike binary package users, who
can't change options).
Chef is a configuration management tool. It uses a pure-Ruby,
domain-specific language (DSL) for writing system configuration
"recipes". Chef is used to streamline the task of configuring and
maintaining a company's servers, and can integrate with cloud-based
platforms such as Rackspace, Amazon EC2, and Microsoft Azure to
automatically provision and configure new machines.
Chef Zero is a simple, easy-install, in-memory Chef server that can be
useful for Chef Client testing and chef-solo-like tasks that require a
full Chef Server. It IS intended to be simple, Chef 11 compliant, easy
to run and fast to start. It is NOT intended to be secure, scalable,
performant or persistent. It does NO input validation, authentication
or authorization (it will not throw a 400, 401 or 403). It does not
save data, and will start up empty each time you start it.
Because Chef Zero runs in memory, it's super fast and lightweight.
This makes it perfect for testing against a "real" Chef Server without
mocking the entire Internet.
This module uses ctypes to access the libmagic file type identification
library. It makes use of the local magic database and supports both textual and
MIME-type output.