This merge request has been superseded by Chore(deps): bump ansible from 9.1.0 to 9.4.0 (!147)
Bumps ansible from 9.1.0 to 9.3.0.

Commits:
- 4ab3017 Ansible 9.3.0: Dependencies, changelog and porting guide (#375)
- 8e65162 Remove purestorage.fusion from Ansible 10 (#374)
- 4952ad8 Deprecate netapp.storagegrid (#372)
- 15d5952 Generate changelog both as RST and MarkDown (#364)
- 68bb47a Bump actions/checkout from 3 to 4 (#368)
- 5319f6a Bump actions/setup-python from 4 to 5 (#371)
- 05eb58b docs release-process: use GH_USERNAME as a placeholder (#367)
- c87ec3a Revert "infinidat.infinibox 1.4.0 is not tagged. (#365)" (#366)
- ecd20cb infinidat.infinibox 1.4.0 is not tagged. (#365)
- 51535ac Initial (Github Actions) Workflows for Ansible Community Package release (#...

Bumps ansible from 9.1.0 to 9.4.0.

Commits:
- 43b27d9 Ansible 9.4.0: Dependencies, changelog and porting guide (#380)
- de505a1 cd ansible-release: include artifact URL in PR body (#377)
- db95db8 Bump actions/download-artifact from 3 to 4 (#370)
- 2f08108 Bump actions/upload-artifact from 3 to 4 (#369)
- d212231 Hotfix the workdir in the Git tagging job of the PyPI publishing workflow
- 4ab3017 Ansible 9.3.0: Dependencies, changelog and porting guide (#375)
- 8e65162 Remove purestorage.fusion from Ansible 10 (#374)
- 4952ad8 Deprecate netapp.storagegrid (#372)
- 15d5952 Generate changelog both as RST and MarkDown (#364)
- 68bb47a Bump actions/checkout from 3 to 4 (#368)

HIFIS Bot (9dea1fe8) at 28 Mar 05:40
HIFIS Bot (4b14eaa8) at 28 Mar 05:40
HIFIS Bot (03f7ff7e) at 28 Mar 05:40
Chore(deps): bump ansible from 9.1.0 to 9.4.0
HIFIS Bot (fd1be33f) at 26 Mar 05:42
Chore(deps): [security] bump cryptography from 42.0.2 to 42.0.4
... and 8 more commits
HIFIS Bot (9dea1fe8) at 26 Mar 05:40
Chore(deps): bump ansible from 9.1.0 to 9.3.0
... and 4 more commits
HIFIS Bot (50d617f4) at 25 Mar 12:44
Bumps ansible-core from 2.16.2 to 2.16.3. This update includes a security fix.
Ansible-core information disclosure flaw

An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. It was discovered that information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values.

Patched versions: 2.16.3 Affected versions: >= 2.16.0b1, < 2.16.3
Sourced from ansible-core's releases.
v2.16.3
Changelog
See the full changelog for the changes included in this release.
Release Artifacts
- Built Distribution: ansible_core-2.16.3-py3-none-any.whl - 2250322 bytes
- 50c9f33a5b2ee645470a77f4bf99cf35d1ffdefef60388910020b0c58534bec1 (SHA256)
- Source Distribution: ansible-core-2.16.3.tar.gz - 3168893 bytes
- 76a8765a8586064ef073a299562e308fa2c180a75b5f7569bbd0f61d4171cdb3 (SHA256)
v2.16.3rc1
Changelog
See the full changelog for the changes included in this release.
Release Artifacts
- Built Distribution: ansible_core-2.16.3rc1-py3-none-any.whl - 2250371 bytes
- c9d6702235eb708023105f4f4a5f9f2620503684cdc3115ed3e6e0b9b6930780 (SHA256)
- Source Distribution: ansible-core-2.16.3rc1.tar.gz - 3172729 bytes
- 0c4326d487dae339d0a991e89ff85117afb6507f79b45744e3c3451b6faef5f4 (SHA256)
Commits:
- df6c524 New release v2.16.3 (#82619)
- 5bef147 Update Ansible release version to v2.16.3rc1.post0. (#82591)
- 19e82ec New release v2.16.3rc1 (#82587)
- d817f5e Support action_plugin in plugin_routing_schema (#82562) (#82581)
- 611d0e4 Better errors for delegate_to (#82319)
- 50736c4 lookups, make file searching use better is_role (#82290)
- c3b4b3e Run all handlers with the same listen topic when notified from another hand...
- cfa8caf [stable-2.16] Role fixes (#82339) (#82452)
- 46d9d4b ansible-config dedupe ini plugin entries (#82498)
- 9252584 ansible-galaxy - fix exit code for failed role import (#82193) (#82412)

Hueser, Christian (4b14eaa8) at 25 Mar 12:44
Merge branch 'dependabot-pip-ansible-core-2.16.3' into 'main'
... and 1 more commit
HIFIS Bot (7fefb5dd) at 25 Mar 06:18
Bumps aiohttp from 3.9.1 to 3.9.2. This update includes security fixes.
aiohttp is vulnerable to directory traversal

Summary

Improperly configuring static resource resolution in aiohttp when used as a web server can result in the unauthorized reading of arbitrary files on the system.

Details

When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if a given file path is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present.

i.e. An application is only vulnerable with setup code like:

```python
app.router.add_routes([
    web.static("/static", "static/", follow_symlinks=True),  # Remove follow_symlinks to avoid the vulnerability
])
```

Impact

This is a directory traversal vulnerability with CWE ID 22. When using aiohttp as a web server and enabling static resource resolution with follow_symlinks set to True, it can lead to this vulnerability. This vulnerability has been present since the introduction of the follow_symlinks parameter.

Workaround

Even if upgrading to a patched version of aiohttp, we recommend following these steps regardless.

If using follow_symlinks=True outside of a restricted local development environment, disable the option immediately. This option is NOT needed to follow symlinks which point to a location within the static root directory, it is only intended to allow a symlink to break out of the static directory. Even with this CVE fixed, there is still a substantial risk of misconfiguration when using this option on a server that accepts requests from remote users.

... (truncated)

Patched versions: 3.9.2 Affected versions: >= 1.0.5, < 3.9.2
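As an added illustration of the containment check the advisory says follow_symlinks=True disabled (example code written for this page, not aiohttp's own implementation), a helper that resolves a requested path against the static root and refuses anything that ends up outside it, whether through '..' segments or through a symlink; the file tree it exercises is constructed in a temporary directory:

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def resolve_static(root: Path, request_path: str) -> Optional[Path]:
    """Map a URL path under a static route to a file, refusing anything that
    resolves outside the static root.

    Path.resolve() collapses '..' segments and follows symlinks, so the
    containment check runs on the real filesystem location. A symlink whose
    target lies inside the root is still served; one pointing outside is
    refused, which is the validation follow_symlinks=True skipped.
    """
    root = root.resolve()
    # Drop the leading '/' so joining does not reset to the filesystem root.
    candidate = (root / request_path.lstrip("/")).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None  # escaped the static root
    return candidate if candidate.is_file() else None


def demo() -> dict:
    """Build a constructed tree in a temp dir and exercise the check."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        static = base / "static"
        static.mkdir()
        (static / "app.js").write_text("console.log('ok')\n")
        (base / "secret.txt").write_text("not for the web\n")
        # symlink inside the root is fine; symlink escaping it is not
        os.symlink(static / "app.js", static / "alias.js")
        os.symlink(base / "secret.txt", static / "leak.txt")
        return {
            "plain": resolve_static(static, "/app.js") is not None,
            "inside_link": resolve_static(static, "/alias.js") is not None,
            "dotdot": resolve_static(static, "/../secret.txt") is not None,
            "outside_link": resolve_static(static, "/leak.txt") is not None,
        }


if __name__ == "__main__":
    print(demo())
```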
aiohttp's HTTP parser (the python one, not llhttp) still overly lenient about separators

Summary

Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input.

Details

These problems are rooted in pattern matching protocol elements, previously improved by PR #3235 and GHSA-gfw2-4jvh-wgfg:

- The expression HTTP/(\d).(\d) lacked another backslash to clarify that the separator should be a literal dot, not just any Unicode code point (result: HTTP/(\d)\.(\d)).
- The HTTP version was permitting Unicode digits, where only ASCII digits are standards-compliant.
- Distinct regular expressions for validating HTTP Method and Header field names were used - though both should (at least) apply the common restrictions of rfc9110 token.

PoC

```
GET / HTTP/1ö1
GET / HTTP/1.𝟙
GET/: HTTP/1.1
Content-Encoding?: chunked
```

Impact

Primarily concerns running an aiohttp server without llhttp:

... (truncated)

Patched versions: 3.9.2 Affected versions: < 3.9.2
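As an added example (written for this page, not aiohttp's parser code), the pre-fix and fixed version patterns side by side, plus one RFC 9110 token check shared by method and header-name validation; the PoC lines above are embedded as constructed strings so the difference in acceptance can be checked offline:

```python
import re
from typing import Optional, Tuple

# Pre-fix pattern as quoted in the advisory: the unescaped '.' matches any
# code point and, in Python 3 str patterns, \d matches any Unicode digit.
LENIENT_VERSION = re.compile(r"HTTP/(\d).(\d)")

# Fixed pattern: escaped dot, and re.ASCII restricts \d to 0-9.
STRICT_VERSION = re.compile(r"HTTP/(\d)\.(\d)", re.ASCII)

# RFC 9110 section 5.6.2 token = 1*tchar; the same rule is applied to the
# request method and to header field names below.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# The advisory's PoC inputs, constructed here as Python strings:
# U+00F6 'ö' as the version separator, U+1D7D9 '𝟙' as a non-ASCII digit.
POC_REQUEST_LINES = [
    "GET / HTTP/1\u00f61",
    "GET / HTTP/1.\U0001d7d9",
    "GET/: HTTP/1.1",
]
POC_HEADER_LINE = "Content-Encoding?: chunked"


def is_token(s: str) -> bool:
    return TOKEN.fullmatch(s) is not None


def lenient_accepts_version(line: str) -> bool:
    """Would the pre-fix regex accept the last field of this request line?"""
    return LENIENT_VERSION.fullmatch(line.rsplit(" ", 1)[-1]) is not None


def parse_request_line(line: str) -> Optional[Tuple[str, str, int, int]]:
    """Strict parse: exactly three fields, token method, ASCII 'HTTP/d.d'."""
    parts = line.split(" ")
    if len(parts) != 3 or not is_token(parts[0]):
        return None
    m = STRICT_VERSION.fullmatch(parts[2])
    if m is None:
        return None
    return parts[0], parts[1], int(m.group(1)), int(m.group(2))


def parse_header_name(line: str) -> Optional[str]:
    """Field name if it is a valid token; ':foo' and 'Content-Encoding?'
    yield None instead of raising."""
    name, sep, _ = line.partition(":")
    return name if sep and is_token(name) else None


if __name__ == "__main__":
    for req in POC_REQUEST_LINES:
        print(repr(req), lenient_accepts_version(req), parse_request_line(req))
    print(repr(POC_HEADER_LINE), parse_header_name(POC_HEADER_LINE))
```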
Sourced from aiohttp's releases.

3.9.2

Bug fixes

- Fixed server-side websocket connection leak. Related issues and pull requests on GitHub: #7978.
- Fixed web.FileResponse doing blocking I/O in the event loop. Related issues and pull requests on GitHub: #8012.
- Fixed double compress when compression enabled and compressed file exists in server file responses. Related issues and pull requests on GitHub: #8014.
- Added runtime type check for ClientSession timeout parameter. Related issues and pull requests on GitHub: #8021.
- Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon -- by pajod. Invalid request lines with anything but a dot between the HTTP major and minor version are now rejected. Invalid header field names containing question mark or slash are now rejected. Such requests are incompatible with RFC 9110 section 5.6.2 and are not known to be of any legitimate use. Related issues and pull requests on GitHub: #8074.
- Improved validation of paths for static resources requests to the server -- by bdraco.

... (truncated)
Sourced from aiohttp's changelog.

3.9.2 (2024-01-28)

Bug fixes

- Fixed server-side websocket connection leak. Related issues and pull requests on GitHub: #7978.
- Fixed web.FileResponse doing blocking I/O in the event loop. Related issues and pull requests on GitHub: #8012.
- Fixed double compress when compression enabled and compressed file exists in server file responses. Related issues and pull requests on GitHub: #8014.
- Added runtime type check for ClientSession timeout parameter. Related issues and pull requests on GitHub: #8021.
- Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon -- by pajod. Invalid request lines with anything but a dot between the HTTP major and minor version are now rejected. Invalid header field names containing question mark or slash are now rejected. Such requests are incompatible with RFC 9110 section 5.6.2 and are not known to be of any legitimate use. Related issues and pull requests on GitHub: #8074.

... (truncated)
Commits:
- 24a6d64 Release v3.9.2 (#8082)
- 9118a58 [PR #8079/1c335944 backport][3.9] Validate static paths (#8080)
- 435ad46 [PR #3955/8960063e backport][3.9] Replace all tmpdir fixtures with tmp_path (...
- d33bc21 Improve validation in HTTP parser (#8074) (#8078)
- 0d945d1 [PR #7916/822fbc74 backport][3.9] Add more information to contributing page (...
- 3ec4fa1 [PR #8069/69bbe874 backport][3.9]
- 419d715 [PR #8066/cba34699 backport][3.9]
- a54dab3 [PR #8049/a379e634 backport][3.9] Set cause for ClientPayloadError (#8050)
- 437ac47 [PR #7995/43a5bc50 backport][3.9] Fix examples of fallback_charset_resolver ...
- 034e5e3 [PR #8042/4b91b530 backport][3.9] Tightening the runtime type check for ssl (...

Hueser, Christian (738c0c33) at 25 Mar 06:18
Merge branch 'dependabot-pip-aiohttp-3.9.2' into 'main'
... and 1 more commit
HIFIS Bot (64b54499) at 22 Mar 05:41
chore(deps-dev): bump ansible-lint from 6.22.1 to 24.2.1
... and 4 more commits
HIFIS Bot (3f1f16c5) at 22 Mar 05:41
chore(deps-dev): bump yamllint from 1.33.0 to 1.35.1
... and 4 more commits
HIFIS Bot (fdb6b1e3) at 22 Mar 05:40
chore(deps): bump ansible from 9.1.0 to 9.3.0
... and 4 more commits
HIFIS Bot (085676c3) at 21 Mar 09:34