(cherry picked from commit 3753304d209f2fdc28f0b2ebf1e139eb3d8c22b1)
https://github.com/ansible/ansible/pull/63366
new file mode 100644 |
@@ -0,0 +1,10 @@ |
0 |
+bugfixes: |
|
1 |
+ - "**SECURITY** - CVE-2019-14846 - Several Ansible plugins could disclose aws credentials |
|
2 |
+ in log files. inventory/aws_ec2.py, inventory/aws_rds.py, |
|
3 |
+ lookup/aws_account_attribute.py, and lookup/aws_secret.py, lookup/aws_ssm.py use the |
|
4 |
+ boto3 library from the Ansible process. The boto3 library logs credentials at log level |
|
5 |
+ DEBUG. If Ansible's logging was enabled (by setting LOG_PATH to a value) Ansible would |
|
6 |
+ set the global log level to DEBUG. This was inherited by boto and would then log boto |
|
7 |
+ credentials to the file specified by LOG_PATH. This did not affect aws ansible modules |
|
8 |
+ as those are executed in a separate process. This has been fixed by switching to log |
|
9 |
+ level INFO" |
@@ -60,7 +60,7 @@ logger = None |
60 | 60 |
if getattr(C, 'DEFAULT_LOG_PATH'): |
61 | 61 |
path = C.DEFAULT_LOG_PATH |
62 | 62 |
if path and (os.path.exists(path) and os.access(path, os.W_OK)) or os.access(os.path.dirname(path), os.W_OK): |
63 |
- logging.basicConfig(filename=path, level=logging.DEBUG, format='%(asctime)s %(name)s %(message)s') |
|
63 |
+ logging.basicConfig(filename=path, level=logging.INFO, format='%(asctime)s %(name)s %(message)s') |
|
64 | 64 |
mypid = str(os.getpid()) |
65 | 65 |
user = getpass.getuser() |
66 | 66 |
logger = logging.getLogger("p=%s u=%s | " % (mypid, user)) |
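Review bot: The new line 63 only lowers the level of the root logger; nothing caps the third-party loggers themselves, so if any later code in the process raises the root or the `botocore` logger back to DEBUG (for example via `setLevel`), the credential output described in the changelog would reach LOG_PATH again. Consider pinning the library explicitly after basicConfig, `logging.getLogger('botocore').setLevel(logging.INFO)`, and recording the reason inline so the level is not "tidied" back later: `# INFO, not DEBUG: libraries such as boto3/botocore log credentials at DEBUG and inherit the root level (CVE-2019-14846)`. Note also that `logging.basicConfig` is a no-op when the root logger already has handlers, in which case this INFO level is never applied and whatever configured logging earlier decides what boto3 writes. The surrounding module-level block continues outside the hunk.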