Subject: [ansible-devel] New Ansible releases 2.8.6, 2.7.14, 2.6.20, and 2.9.0rc4


Hi all- we're happy to announce that the general release of Ansible
2.8.6, 2.7.14, 2.6.20, and a new prerelease of 2.9.0, 2.9.0rc4, are
now available!
How do you get it?
------------------

$ pip install ansible==2.8.6 --user
or
$ pip install ansible==2.7.14 --user
or
$ pip install ansible==2.6.20 --user
or
$ pip install ansible==2.9.0rc4 --user

The tar.gz of the releases can be found here:

* 2.8.6
  https://releases.ansible.com/ansible/ansible-2.8.6.tar.gz
  SHA256: 31203b27c9d61123e8c86b6eb5116a21859ed4f26d55a1a71eaf27bd92bce355
* 2.7.14
  https://releases.ansible.com/ansible/ansible-2.7.14.tar.gz
  SHA256: 6a52f43b5e4446aa04f3907a750010fbbf41eb050cb726065c6c877ed3a98d02
* 2.6.20
  https://releases.ansible.com/ansible/ansible-2.6.20.tar.gz
  SHA256: 16cfb99d7f321cec408afcd3ead538337ebc3247c7a77080e5cabb58054e2a0b
* 2.9.0rc4
  https://releases.ansible.com/ansible/ansible-2.9.0rc4.tar.gz
  SHA256: 563f21d7720efbf4def9820ca17790eed33b2c1aaaa6dacea99d28f8fe2e5237
What's new in 2.8.6, 2.7.14, 2.6.20, and 2.9.0rc4
-------------------------------------------------

These releases contain fixes for three CVEs:

* ansible: Incomplete fix for CVE-2019-10206 (CVE-2019-14856)
* ansible: sub parameters marked as no_log are not masked in certain failure
scenarios (CVE-2019-14858)
* ansible: secrets disclosed on logs when no_log enabled
(CVE-2019-14846)  [Note: This cve did not affect 2.9.0rc4 as Ansible
2.9 had changed the affected code as part of an unrelated cleanup]

Ansible-2.6.20 is only seeing security fixes at this point in its
lifecycle but 2.7.x, 2.8.x, and 2.9.x saw other bugfixes as well.
Please see the full changelogs for each release to see what's changed:

* 2.8.6
  https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst
* 2.7.14
  https://github.com/ansible/ansible/blob/stable-2.7/changelogs/CHANGELOG-v2.7.rst
* 2.6.20
  https://github.com/ansible/ansible/blob/stable-2.6/changelogs/CHANGELOG-v2.6.rst
* 2.9.0rc4
  https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst
What's the schedule for future maintenance releases?
----------------------------------------------------

Ansible-2.6 and Ansible-2.7 are only updated as needed for security
and critical bugfixes respectively.

Ansible-2.8 will have one more scheduled release after Ansible-2.9.0
comes out. Since the Ansible-2.9.0 release date has slipped to the
31st of October, expect the Ansible-2.8.7 release in the beginning of
November.

Ansible-2.9.0 may have an rc5 next week if any bugs which deserve an
rc5 are discovered between now and then.  Otherwise, expect to see
Ansible-2.9.0 on October 31st!

Porting Help
------------

We've published a porting guide at
https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.9.html to
help migrate your content to 2.9.

and

https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.8.html to
help migrate your content to 2.8.
If you discover any errors or if any of your working playbooks break when you
upgrade to 2.8.6, please use the following link to report the regression:

  https://github.com/ansible/ansible/issues/new/choose

In your issue, be sure to mention the Ansible version that works and the one
that doesn't.

Thanks!

-Toshio Kuratomi

--