mirror of
https://github.com/ansible-collections/community.general.git
synced 2025-07-24 05:40:23 -07:00
Remove the params module option from ldap_attr and ldap_entry (#113)
* Remove the params module option from ldap_attr and ldap_entry Module options that circumvent Ansible's option handling were disallowed in: https://meetbot.fedoraproject.org/ansible-meeting/2017-09-28/ansible_dev_meeting.2017-09-28-15.00.log.html Additionally, this particular usage can be insecure if bind_pw is set this way as the password could end up in a logfile or displayed on stdout. Fixes CVE-2020-1746 * Remove checking the version of Ansible Fix fail_json * Apply suggestions from code review Co-Authored-By: Felix Fontein <felix@fontein.de> Co-authored-by: Toshio Kuratomi <a.badger@gmail.com> Co-authored-by: Felix Fontein <felix@fontein.de>
This commit is contained in:
parent
645fe91fa3
commit
11ef03e9dd
5 changed files with 31 additions and 27 deletions
8
changelogs/fragments/ldap-params-removal.yml
Normal file
8
changelogs/fragments/ldap-params-removal.yml
Normal file
|
@ -0,0 +1,8 @@
|
|||
removed_features:
|
||||
- "ldap_attr, ldap_entry - The ``params`` option has been removed in
|
||||
Ansible-2.10 as it circumvents Ansible's option handling. Setting
|
||||
``bind_pw`` with the ``params`` option was disallowed in Ansible-2.7, 2.8,
|
||||
and 2.9 as it was insecure. For information about this policy, see the
|
||||
discussion at:
|
||||
https://meetbot.fedoraproject.org/ansible-meeting/2017-09-28/ansible_dev_meeting.2017-09-28-15.00.log.html
|
||||
This fixes CVE-2020-1746"
|
Loading…
Add table
Add a link
Reference in a new issue