mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
11ef03e9dd
* Remove the params module option from ldap_attr and ldap_entry Module options that circumvent Ansible's option handling were disallowed in: https://meetbot.fedoraproject.org/ansible-meeting/2017-09-28/ansible_dev_meeting.2017-09-28-15.00.log.html Additionally, this particular usage can be insecure if bind_pw is set this way as the password could end up in a logfile or displayed on stdout. Fixes CVE-2020-1746 * Remove checking the version of Ansible Fix fail_json * Apply suggestions from code review Co-Authored-By: Felix Fontein <felix@fontein.de> Co-authored-by: Toshio Kuratomi <a.badger@gmail.com> Co-authored-by: Felix Fontein <felix@fontein.de>
8 lines
471 B
YAML
8 lines
471 B
YAML
removed_features:
|
|
- "ldap_attr, ldap_entry - The ``params`` option has been removed in
|
|
Ansible-2.10 as it circumvents Ansible's option handling. Setting
|
|
``bind_pw`` with the ``params`` option was disallowed in Ansible-2.7, 2.8,
|
|
and 2.9 as it was insecure. For information about this policy, see the
|
|
discussion at:
|
|
https://meetbot.fedoraproject.org/ansible-meeting/2017-09-28/ansible_dev_meeting.2017-09-28-15.00.log.html
|
|
This fixes CVE-2020-1746"
|