Security update for ansible (moderate)

2019-02-2300:00:00

lists.opensuse.org

257

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:S/C:C/I:C/A:C

0.025 Low

EPSS

Percentile

89.0%

JSON

An update that fixes 6 vulnerabilities is now available.

Description:

This update for ansible fixes the following issues:

Security vulnerabilities fixed:

CVE-2018-16876: Respect no_log on retry and high verbosity (bsc#1118896)
CVE-2018-16859: Windows - prevent sensitive content from appearing in
scriptblock logging (bsc#1116587)
CVE-2018-10855: Fixed the honouration of the no_log option with failed
task iterations (boo#1097775)
CVE-2017-7466: Fixed an input validation vulnerability in Ansible’s
handling
of data sent from client systems
CVE-2017-7481: Fixed a security issue with lookup return not tainting
the jinja2 environment (bsc#1038785)

Other bug fixes and changes:

Update to version 2.7.6
- Added log message at -vvvv when using netconf connection listing
  connection details.
- Changes how ansible-connection names socket lock files. They now use
  the same name as the socket itself, and as such do not lock other
  attempts on connections to the same host, or cause issues with
  overly-long hostnames.
- Fix mandatory statement error for junos modules
  (https://github.com/ansible/ansible/pull/50138)
- Moved error in netconf connection plugin from at import to on
  connection.
- This reverts some changes from commit 723daf3. If a line is found in
  the file, exactly or via regexp matching, it must not be added again.
  insertafter/insertbefore options are used only when a line is to be
  inserted, to specify where it must be added.
- allow using openstack inventory plugin w/o a cache
- callbacks - Do not filter out exception, warnings, deprecations on
  failure when using debug
  (https://github.com/ansible/ansible/issues/47576)
- certificate_complete_chain - fix behavior when invalid file is parsed
  while reading intermediate or root certificates.
- copy - Ensure that the src file contents is converted to unicode in
  diff information so that it is properly wrapped by AnsibleUnsafeText
  to prevent unexpected templating of diff data in Python3
  (https://github.com/ansible/ansible/issues/45717)
- correct behaviour of verify_file for vmware inventory plugin, it was
  always returning True
- dnf - fix issue where conf_file was not being loaded properly
- dnf - fix update_cache combined with install operation to not cause
  dnf transaction failure
- docker_container - fix network_mode idempotency if the
  container:<container-name> form is used (as opposed to
  container:<container-id>)
  (https://github.com/ansible/ansible/issues/49794)
- docker_container - warning when non-string env values are found,
  avoiding YAML parsing issues. Will be made an error in Ansible 2.8.
  (https://github.com/ansible/ansible/issues/49802)
- docker_swarm_service - Document labels and container_labels with
  correct type.
- docker_swarm_service - Document limit_memory and reserve_memory
  correctly on how to specify sizes.
- docker_swarm_service - Document minimal API version for configs and
  secrets.
- docker_swarm_service - fix use of Docker API so that services are not
  detected as present if there is an existing service whose name is a
  substring of the desired service
- docker_swarm_service - fixing falsely reporting update_order as
  changed when option is not used.
- document old option that was initally missed
- ec2_instance now respects check mode
  https://github.com/ansible/ansible/pull/46774
- fix for network_cli - ansible_command_timeout not working as expected
  (#49466)
- fix handling of firewalld port if protocol is missing
- fix lastpass lookup failure on python 3
  (https://github.com/ansible/ansible/issues/42062)
- flatpak - Fixed Python 2/3 compatibility
- flatpak - Fixed issue where newer versions of flatpak failed on
  flatpak removal
- flatpak_remote - Fixed Python 2/3 compatibility
- gcp_compute_instance - fix crash when the instance metadata is not set
- grafana_dashboard - Fix a pair of unicode string handling issues with
  version checking (https://github.com/ansible/ansible/pull/49194)
- host execution order - Fix reverse_inventory not to change the order
  of the items before reversing on python2 and to not backtrace on
  python3
- icinga2_host - fixed the issue with not working use_proxy option of
  the module.
- influxdb_user - An unspecified password now sets the password to
  blank, except on existing users. This previously caused an unhandled
  exception.
- influxdb_user - Fixed unhandled exception when using invalid login
  credentials (https://github.com/ansible/ansible/issues/50131)
- openssl_* - fix error when path contains a file name without path.
- openssl_csr - fix problem with idempotency of keyUsage option.
- openssl_pkcs12 - now does proper path expansion for ca_certificates.
- os_security_group_rule - os_security_group_rule doesn’t exit properly
  when secgroup doesn’t exist and state=absent
  (https://github.com/ansible/ansible/issues/50057)
- paramiko_ssh - add auth_timeout parameter to ssh.connect when
  supported by installed paramiko version. This will prevent
  “Authentication timeout” errors when a slow authentication step (>30s)
  happens with a host (https://github.com/ansible/ansible/issues/42596)
- purefa_facts and purefb_facts now correctly adds facts into main
  ansible_fact dictionary (https://github.com/ansible/ansible/pull/50349)
- reboot - add appropriate commands to make the plugin work with VMware
  ESXi (https://github.com/ansible/ansible/issues/48425)
- reboot - add support for rebooting AIX
  (https://github.com/ansible/ansible/issues/49712)
- reboot - gather distribution information in order to support Alpine
  and other distributions
  (https://github.com/ansible/ansible/issues/46723)
- reboot - search common paths for the shutdown command and use the full
  path to the binary rather than depending on the PATH of the remote
  system (https://github.com/ansible/ansible/issues/47131)
- reboot - use a common set of commands for older and newer Solaris and
  SunOS variants (https://github.com/ansible/ansible/pull/48986)
- redfish_utils - fix reference to local variable ‘systems_service’
- setup - fix the rounding of the ansible_memtotal_mb value on VMWare
  vm’s (https://github.com/ansible/ansible/issues/49608)
- vultr_server - fixed multiple ssh keys were not handled.
- win_copy - Fix copy of a dir that contains an empty directory -
  https://github.com/ansible/ansible/issues/50077
- win_firewall_rule - Remove invalid ‘bypass’ action
- win_lineinfile - Fix issue where a malformed json block was returned
  causing an error
- win_updates - Correctly report changes on success
update to version 2.7.5
- ACME modules: improve error messages in some cases (include error
  returned by server).
- Added unit test for VMware module_utils.
- Also check stdout for interpreter errors for more intelligent messages
  to user
- Backported support for Devuan-based distribution
- Convert hostvars data in OpenShift inventory plugin to be serializable
  by ansible-inventory
- Fix AttributeError (Python 3 only) when an exception occurs while
  rendering a template
- Fix N3K power supply facts
  (https://github.com/ansible/ansible/pull/49150).
- Fix NameError nxos_facts
  (https://github.com/ansible/ansible/pull/48981).
- Fix VMware module utils for self usage.
- Fix error in OpenShift inventory plugin when a pod has errored and is
  empty
- Fix if the route table changed to none
  (https://github.com/ansible/ansible/pull/49533)
- Fix iosxr netconf plugin response namespace
  (https://github.com/ansible/ansible/pull/49300)
- Fix issues with nxos_install_os module for nxapi
  (https://github.com/ansible/ansible/pull/48811).
- Fix lldp and cdp neighbors information
  (https://github.com/ansible/ansible/pull/48318)(https://github.com/ansible/
  ansible/pull/48087)(https://github.com/ansible/ansible/pull/49024).
- Fix nxos_interface and nxos_linkagg Idempotence issue
  (https://github.com/ansible/ansible/pull/46437).
- Fix traceback when updating facts and the fact cache plugin was
  nonfunctional
- Fix using vault encrypted data with jinja2_native
  (https://github.com/ansible/ansible/issues/48950)
- Fixed: Make sure that the files excluded when extracting the archive
  are not checked. https://github.com/ansible/ansible/pull/45122
- Fixes issue where a password parameter was not set to no_log
- aci_rest - Fix issue ignoring custom port
- acme_account, acme_account_facts - in some cases, it could happen that
  the modules return information on disabled accounts accidentally
  returned by the ACME server.
- docker_swarm - decreased minimal required API version from 1.35 to
  1.25; some features require API version 1.30 though.
- docker_swarm_service: fails because of default “user: root”
  (https://github.com/ansible/ansible/issues/49199)
- ec2_metadata_facts - Parse IAM role name from the security credential
  field since the instance profile name is different
- fix azure_rm_image module use positional parameter
  (https://github.com/ansible/ansible/pull/49394)
- fixes an issue with dict_merge in network utils
  (https://github.com/ansible/ansible/pull/49474)
- gcp_utils - fix google auth scoping issue with application default
  credentials or google cloud engine credentials. Only scope credentials
  that can be scoped.
- mail - fix python 2.7 regression
- openstack - fix parameter handling when cloud provided as dict
  https://github.com/ansible/ansible/issues/42858
- os_user - Include domain parameter in user deletion
  https://github.com/ansible/ansible/issues/42901
- os_user - Include domain parameter in user lookup
  https://github.com/ansible/ansible/issues/42901
- ovirt_storage_connection - comparing passwords breaks idempotency in
  update_check (https://github.com/ansible/ansible/issues/48933)
- paramiko_ssh - improve log message to state the connection type
- reboot - use IndexError instead of TypeError in exception
- redis cache - Support version 3 of the redis python library
  (https://github.com/ansible/ansible/issues/49341)
- sensu_silence - Cast int for expire field to avoid call failure to
  sensu API.
- vmware_host_service_facts - handle exception when service package does
  not have package name.
- win_nssm - Switched to Argv-ToString for escaping NSSM credentials
  (https://github.com/ansible/ansible/issues/48728)
- zabbix_hostmacro - Added missing validate_certs logic for running
  module against Zabbix servers with untrused SSL certificates
  (https://github.com/ansible/ansible/issues/47611)
- zabbix_hostmacro - Fixed support for user macros with context
  (https://github.com/ansible/ansible/issues/46953)
update to version 2.7.4
- powershell - add lib/ansible/executor/powershell to the packaging data
update to version 2.7.3
- Fix the issue that FTD HTTP API retries authentication-related HTTP
  requests
- Fix the issue that module fails when the Swagger model does not have
  required fields
- Fix the issue with comparing string-like objects
- Fix using omit on play keywords
- apt_key - Disable TTY requirement in GnuPG for the module to work
  correctly when SSH pipelining is enabled
- better error message when bad type in config, deal with EVNAR= more
  gracefully
- configuration retrieval would fail on non primed plugins
- cs_template - Fixed a KeyError on state=extracted
- docker_container - fix idempotency problems with docker-py caused by
  previous init idempotency fix
- docker_container - fix interplay of docker-py version check with
  argument_spec validation improvements
- docker_network - driver_options containing Python booleans would cause
  Docker to throw exceptions
- ec2_group - Fix comparison of determining which rules to purge by
  ignoring descriptions
- pip module - fix setuptools/distutils replacement
- sysvinit - enabling a service should use “defaults” if no runlevels
  are specified
update to version 2.7.2
- Minor changes
update to 2.7.1
- Minor changes
update to 2.7.0
- Allow config to enable native jinja types
- Remove support for simplejson
- yum and dnf modules now at feature parity
- Security Fix - avoid loading host/group vars from cwd when not
  specifying a playbook or playbook base dir
- Security Fix - avoid using ansible.cfg in a world writable dir
- Some connection exception would cause no_log specified on a task to be
  ignored (stdout info disclosure)
- Fix glob path of rc.d (SUSE-specific)
- Fix lambda_policy updates
- Fix alt linux detection/matching
update to 2.6.4
- Add md5sum check in nxos_file_copy module
- Allow arbitrary log_driver for docker_container
- Fix Python2.6 regex bug terminal plugin nxos, iosxr
- Fix check_mode in nxos_static_route module
- Fix glob path of rc.d Some distribtuions like SUSE has the rc%.d
  directories under /etc/init.d
- Fix network config diff issue for lines
- Fixed an issue where ansible_facts.pkg_mgr would incorrectly set to
  zypper on Debian/Ubuntu systems that happened to have the command
  installed
- The docker_* modules respect the DOCKER_* environment variables again
- The fix for CVE-2018-10875 prints out a warning message about skipping
  a config file from a world writable current working directory.
  However, if the user is in a world writable current working directory
  which does not contain a config file, it should not print a warning
  message. This release fixes that extaneous warning.
- To resolve nios_network issue where vendor-encapsulated-options can
  not have a use_option flag.
- To resolve the issue of handling exception for Nios lookup gracefully.
- always correctly template no log for tasks
- ansible-galaxy - properly list all roles in roles_path
- basic.py - catch ValueError in case a FIPS enabled platform raises
  this exception
- docker_container: fixing working_dir idempotency problem
- docker_container: makes unit parsing for memory sizes more consistent,
  and fixes idempotency problem when kernel_memory is set
- fix example code for AWS lightsail documentation
- fix the enable_snat parameter that is only supposed to be used by an
  user with the right policies.
- fixes docker_container check and debug mode
- improves docker_container idempotency
- ios_l2_interface - fix bug when list of vlans ends with comma
- ios_l2_interface - fix issue with certain interface types
- ios_user - fix unable to delete user admin issue
- ios_vlan - fix unable to work on certain interface types issue
- nxos_facts test lldp feature and fix nxapi check_rc
- nxos_interface port-channel idempotence fix for mode
- nxos_linkagg mode fix
- nxos_system idempotence fix
- nxos_vlan refactor to support non structured output
- one_host - fixes settings via environment variables
- use retry_json nxos_banner
- user - Strip trailing comments in /etc/default/passwd
- user - when creating a new user without an expiration date, properly
  set no expiration rather that expirining the account
- win_domain_computer - fixed deletion of computer active directory
  object that have dependent objects
- win_domain_computer - fixed error in diff_support
- win_domain_computer - fixed error when description parameter is empty
- win_psexec - changed code to not escape the command option when
  building the args
- win_uri – Fix support for JSON output when charset is set
- win_wait_for - fix issue where timeout doesn’t wait unless
  state=drained
update to 2.6.3
- Fix lxd module to be idempotent when the given configuration for the
  lxd container has not changed
- Fix setting value type to str to avoid conversion during template
  read. Fix Idempotency in case of ‘no key’.
- Fix the mount module’s handling of swap entries in fstab
- The fix for (CVE-2018-10875) prints out a warning message about
  skipping a config file from a world writable current working
  directory. However, if the user explicitly specifies that the config
  file should be used via the ANSIBLE_CONFIG environment variable then
  Ansible would honor that but still print out the warning message. This
  has been fixed so that Ansible honors the user’s explicit wishes and
  does not print a warning message in that circumstance.
- To fix the bug where existing host_record was deleted when existing
  record name is used with different IP.
- VMware handle pnic in proxyswitch
- fix azure security group cannot add rules when purge_rule set to false.
- fix azure_rm_deployment collect tags from existing Resource Group.
- fix azure_rm_loadbalancer_facts list takes at least 2 arguments.
- fix for the bundled selectors module (used in the ssh and local
  connection plugins) when a syscall is restarted after being
  interrupted by a signal
- get_url - fix the bug that get_url does not change mode when checksum
  matches
- nicer error when multiprocessing breaks
- openssl_certificate - Convert valid_date to bytes for conversion
- openstack_inventory.py dynamic inventory file fixed the plugin to the
  script so that it will work with current ansible-inventory. Also
  redirect stdout before dumping the ouptput, because not doing so will
  cause JSON parse errors in some cases.
- slack callback - Fix invocation by looking up data from cli.options
- sysvinit module: handle values of optional parameters. Don’t disable
  service when enabled parameter isn’t set. Fix command when arguments
  parameter isn’t set.
- vars_prompt - properly template play level variables in vars_prompt
- win_domain - ensure the Netlogon service is up and running after
  promoting host to controller
- win_domain_controller - ensure the Netlogon service is up and running
  after promoting host to controller
update to 2.6.2
- Add text output along with structured output in nxos_facts
- Allow more than one page of results by using the right pagination
  indicator (‘NextMarker’ instead of ‘NextToken’).
- Fix an atomic_move error that is ‘true’, but misleading. Now we show
  all 3 files involved and clarify what happened.
- Fix eos_l2_interface eapi.
- Fix fetching old style facts in junos_facts module
- Fix get_device_info nxos zero or more whitespace regex
- Fix nxos CI failures
- Fix nxos_nxapi default http behavior
- Fix nxos_vxlan_vtep_vni
- Fix regex network_os_platform nxos
- Refactor nxos cliconf get_device_info for non structured
  output supported devices
- To fix the NoneType error raised in ios_l2_interface when Access Mode
  VLAN is unassigned
- emtpy host/group name is an error
- fix default SSL version for docker modules
- fix mail module when using starttls
- fix nmap config example
- fix ps detection of service
- fix the remote tmp folder permissions issue when becoming a non admin
  user
- fix typoe in sysvinit that breaks update.rc-d detection
- fixes docker_container compatibilty with docker-py < 2.2
- get_capabilities in nxapi module_utils should not return empty
  dictionary
- inventory - When using an inventory directory, ensure extension
  comparison uses text types
- ios_vlan - fix unable to identify correct vlans issue
- nxos_facts warning message improved
- openvswitch_db - make ‘key’ argument optional
- pause - do not set stdout to raw mode when redirecting to a file
- pause - nest try except when importing curses to gracefully fail if
  curses is not present
- plugins/inventory/openstack.py - Do not create group with empty name
  if region is not set
- preseve delegation info on nolog
- remove ambiguity when it comes to ‘the source’
- remove dupes from var precedence
- restores filtering out conflicting facts
- user - fix bug that resulted in module always reporting a change when
  specifiying the home directory on FreeBSD
- user - use correct attribute name in FreeBSD for creat_home
- vultr - Do not fail trying to load configuration from ini files if
  required variables have been set as environment variables.
- vyos_command correcting conditionals looping
- win_chocolatey - enable TLSv1.2 support when downloading the
  Chocolatey installer
- win_reboot - fix for handling an already scheduled reboot and other
  minor log formatting issues
- win_reboot - fix issue when overridding connection timeout hung the
  post reboot uptime check
- win_reboot - handle post reboots when running test_command
- win_security_policy - allows an empty string to reset a policy value
- win_share - discard any cmdlet output we don’t use to ensure only the
  return json is received by Ansible
- win_unzip - discard any cmdlet output we don’t use to ensure only the
  return json is received by Ansible
- win_updates - fixed module return value is lost in error in some cases
- win_user - Use LogonUser to validate the password as it does not rely
  on SMB/RPC to be available
- Security Fix - avoid loading host/group vars from cwd when not
  specifying a playbook or playbook base dir
- Security Fix - avoid using ansible.cfg in a world writable dir.
- Fix junos_config confirm commit timeout issue
  (https://github.com/ansible/ansible/pull/41527)
- file module - The touch subcommand had its diff output broken during
  the 2.6.x development cycle. This is now fixed.
- inventory manager - This fixes required options being populated before
  the inventory config file is read, so the required options may be set
  in the config file.
- nsupdate - allow hmac-sha384
  https://github.com/ansible/ansible/pull/42209
- win_domain - fixes typo in one of the AD cmdlets
  https://github.com/ansible/ansible/issues/41536
- win_group_membership - uses the internal Ansible SID conversion logic
  and uses that when comparing group membership instead of the name
use fdupes to save some space in python_sitelib
define BuildRoot on older distributions like SLE-11
be a bit more flexible with the ending of manpage files to allow Fedora
builds to succeed
updated to latest release 2.6.0
New Plugins:
- Callback:
  - cgroup_memory_recap
  - grafana_annotations
  - sumologic
- Connection:
  - httpapi
- Inventory:
  - foreman
  - gcp_compute
  - generator
  - nmap
- Lookup:
  - onepassword
  - onepassword_raw
Modules updates too many to mention here please look at package
documentation directory (/usr/share/doc/packages/…/changelogs)
bug fixes:
- Security Fix - Some connection exceptions would cause no_log
  specified on a task to be ignored. If this happened, the task
  information, including any private information coul d have been
  displayed to stdout and (if enabled, not the default) logged to a log
  file specified in ansible.cfg’s log_path. Additionally, sites which
  redirected stdout from ansible runs to a log file may have stored that
  private information onto disk that way as well.
  (https://github.com/ansible/ansible/pull/41414)
- Changed the admin_users config option to not include “admin” by
  default as admin is frequently used for a non-privileged account
  (https://github.com/ansible/ansible/pull/41164)
- Changed the output to “text” for “show vrf” command as default “json”
  output format with respect to “eapi” transport was failing
  (https://github.com/ansible/ansible/pull/41470)
- Document mode=preserve for both the copy and template module
- Fix added for Digital Ocean Volumes API change causing Ansible to
  recieve an unexpected value in the response.
  (https://github.com/ansible/ansible/pull/41431)
- Fix an encoding issue when parsing the examples from a plugins’
  documentation
- Fix iosxr_config module to handle route-policy, community-set,
  prefix-set, as-path-set and rd-set blocks. All these blocks are part
  of route-policy language of iosxr.
- Fix mode=preserve with remote_src=True for the copy module
- Implement mode=preserve for the template module
- The yaml callback plugin now allows non-ascii characters to be
  displayed.
- Various grafana_* modules - Port away from the deprecated
  b64encodestring function to the b64encode function instead.
  https://github.com/ansible/ansible/pull/38388
- added missing ‘raise’ to exception definition
  https://github.com/ansible/ansible/pull/41690
- allow custom endpoints to be used in the aws_s3 module
  (https://github.com/ansible/ansible/pull/36832)
- allow set_options to be called multiple times
  https://github.com/ansible/ansible/pull/41913
- ansible-doc - fixed traceback on missing plugins
  (https://github.com/ansible/ansible/pull/41167)
- cast the device_mapping volume size to an int in the ec2_ami module
  (https://github.com/ansible/ansible/pull/40938)
- copy - fixed copy to only follow symlinks for files in the
  non-recursive case
- copy module - The copy module was attempting to change the mode of
  files for remote_src=True even if mode was not set as a parameter.
  This failed on filesystems which do not have permission bits
  (https://github.com/ansible/ansible/pull/40099)
- copy module - fixed recursive copy with relative paths
  (https://github.com/ansible/ansible/pull/40166)
- correct debug display for all cases
  https://github.com/ansible/ansible/pull/41331
- correctly check hostvars for vars term
  https://github.com/ansible/ansible/pull/41819
- correctly handle yaml inventory files when entries are null dicts
  https://github.com/ansible/ansible/issues/41692
- dynamic includes - Allow inheriting attributes from static parents
  (https://github.com/ansible/ansible/pull/38827)
- dynamic includes - Don’t treat undefined vars for conditional includes
  as truthy (https://github.com/ansible/ansible/pull/39377)
- dynamic includes - Fix IncludedFile comparison for free strategy
  (https://github.com/ansible/ansible/pull/37083)
- dynamic includes - Improved performance by fixing re-parenting on copy
  (https://github.com/ansible/ansible/pull/38747)
- dynamic includes - Use the copied and merged task for calculating task
  vars (https://github.com/ansible/ansible/pull/39762)
- file - fixed the default follow behaviour of file to be true
- file module - Eliminate an error if we’re asked to remove a file but
  something removes it while we are processing the request
  (https://github.com/ansible/ansible/pull/39466)
- file module - Fix error when recursively assigning permissions and a
  symlink to a nonexistent file is present in the directory tree
  (https://github.com/ansible/ansible/issues/39456)
- file module - Fix error when running a task which assures a symlink to
  a nonexistent file exists for the second and subsequent times
  (https://github.com/ansible/ansible/issues/39558)
- file module - The file module allowed the user to specify src as a
  parameter when state was not link or hard. This is documented as only
  applying to state=link or state=hard but in previous Ansible, this
  could have an effect in rare cornercases. For instance, “ansible -m
  file -a ‘state=directory path=/tmp src=/var/lib’” would create
  /tmp/lib. This has been disabled and a warning emitted (will change
  to an error in Ansible-2.10).
- file module - The touch subcommand had its diff output broken during
  the 2.6.x development cycle. This is now fixed
  (https://github.com/ansible/ansible/issues/41755)
- fix BotoCoreError exception handling
- fix apt-mark on debian6 (https://github.com/ansible/ansible/pull/41530)
- fix async for the aws_s3 module by adding async support to the action
  plugin (https://github.com/ansible/ansible/pull/40826)
- fix decrypting vault files for the aws_s3 module
  (https://github.com/ansible/ansible/pull/39634)
- fix errors with S3-compatible APIs if they cannot use ACLs for buckets
  or objects
- fix permission handling to try to download a file even if the user
  does not have permission to list all objects in the bucket
- fixed config required handling, specifically for _terms in lookups
  https://github.com/ansible/ansible/pull/41740
- gce_net - Fix sorting of allowed ports
  (https://github.com/ansible/ansible/pull/41567)
- group_by - support implicit localhost
  (https://github.com/ansible/ansible/pull/41860)
- import/include - Ensure role handlers have the proper parent, allowing
  for correct attribute inheritance
  (https://github.com/ansible/ansible/pull/39426)
- import_playbook - Pass vars applied to import_playbook into parsing of
  the playbook as they may be needed to parse the imported plays
  (https://github.com/ansible/ansible/pull/39521)
- include_role/import_role - Don’t overwrite included role handlers with
  play handlers on parse (https://github.com/ansible/ansible/pull/39563)
- include_role/import_role - Fix parameter templating
  (https://github.com/ansible/ansible/pull/36372)
- include_role/import_role - Use the computed role name for
  include_role/import_role so to diffentiate between names computed from
  host vars (https://github.com/ansible/ansible/pull/39516)-
  include_role/import_role - improved performance and recursion depth
  (https://github.com/ansible/ansible/pull/36470)
- lineinfile - fix insertbefore when used with BOF to not insert
  duplicate lines (https://github.com/ansible/ansible/issues/38219)
- password lookup - Do not load password lookup in network filters,
  allowing the password lookup to be overriden
  (https://github.com/ansible/ansible/pull/41907)
- pause - ensure ctrl+c interrupt works in all cases
  (https://github.com/ansible/ansible/issues/35372)
- powershell - use the tmpdir set by remote_tmp for become/async tasks
  instead of the generic $env:TEMP -
  https://github.com/ansible/ansible/pull/40210
- selinux - correct check mode behavior to report same changes as normal
  mode (https://github.com/ansible/ansible/pull/40721)
- spwd - With python 3.6 spwd.getspnam returns PermissionError instead
  of KeyError if user does not have privileges
  (https://github.com/ansible/ansible/issues/39472)
- synchronize - Ensure the local connection created by synchronize uses
  _remote_is_local=True, which causes ActionBase to build a local tmpdir
  (https://github.com/ansible/ansible/pull/40833)
- template - Fix for encoding issues when a template path contains
  non-ascii characters and using the template path in ansible_managed
  (https://github.com/ansible/ansible/issues/27262)
- template action plugin - fix the encoding of filenames to avoid
  tracebacks on Python2 when characters that are not present in the
  user’s locale are present.
  (https://github.com/ansible/ansible/pull/39424)
- user - only change the expiration time when necessary
  (https://github.com/ansible/ansible/issues/13235)
- uses correct conn info for reset_connection
  https://github.com/ansible/ansible/issues/27520
- win_environment - Fix for issue where the environment value was
  deleted when a null value or empty string was set -
  https://github.com/ansible/ansible/issues/40450
- win_file - fix issue where special chars like [ and ] were not being
  handled correctly https://github.com/ansible/ansible/pull/37901
- win_get_url - fixed a few bugs around authentication and force no when
  using an FTP URL
- win_iis_webapppool - redirect some module output to null so Ansible
  can read the output JSON
  https://github.com/ansible/ansible/issues/40874
- win_template - fix when specifying the dest option as a directory with
  and without the trailing slash
  https://github.com/ansible/ansible/issues/39886
- win_updates - Added the ability to run on a scheduled task for older
  hosts so async starts working again -
  https://github.com/ansible/ansible/issues/38364
- win_updates - Fix logic when using a whitelist for multiple updates
- win_updates - Fix typo that hid the download error when a download
  failed
- win_updates - Fixed issue where running win_updates on async fails
  without any error
- windows become - Show better error messages when the become process
  fails
- winrm - Add better error handling when the kinit process fails
- winrm - allow ansible_user or ansible_winrm_user to override
  ansible_ssh_user when both are defined in an inventory -
  https://github.com/ansible/ansible/issues/39844
- winrm - ensure pexpect is set to not echo the input on a failure and
  have a manual sanity check afterwards
  https://github.com/ansible/ansible/issues/41865
- winrm connection plugin - Fix exception messages sometimes raising a
  traceback when the winrm connection plugin encounters an unrecoverable
  error. https://github.com/ansible/ansible/pull/39333
- xenserver_facts - ensure module works with newer versions of XenServer
  (https://github.com/ansible/ansible/pull/35821)
use python3 on (open)SUSE 15 or newer
Update to 2.5.5
- Changed the admin_users config option to not include “admin” by
  default as admin is frequently used for a non-privileged account
- aws_s3 - add async support to the action plugin
- aws_s3 - fix decrypting vault files
- ec2_ami - cast the device_mapping volume size to an int
- eos_logging - fix idempotency issues
- cache plugins - A cache timeout of 0 means the cache will not expire.
- ios_logging - fix idempotency issues
- ios/nxos/eos_config - don’t retrieve config in running_config when
  config is provided for diff
- nxos_banner - fix multiline banner issue
- nxos terminal plugin - fix output truncation
- nxos_l3_interface - fix no switchport issue with loopback and svi
  interfaces
- nxos_snapshot - fix compare_option
update to 2.2.3.0 (boo#1056094)
- Various minor bug fixes

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

openSUSE Backports SLE-15:

zypper in -t patch openSUSE-2019-238=1

OSVersionArchitecturePackageVersionFilename
openSUSE Backports SLE15noarch<  openSUSE Backports SLE-15 (noarch):- openSUSE Backports SLE-15 (noarch):.noarch.rpm