Diffstat (limited to 'collections-debian-merged/ansible_collections/community/crypto/changelogs/changelog.yaml')
-rw-r--r-- | collections-debian-merged/ansible_collections/community/crypto/changelogs/changelog.yaml | 321 |
1 files changed, 321 insertions, 0 deletions
diff --git a/collections-debian-merged/ansible_collections/community/crypto/changelogs/changelog.yaml b/collections-debian-merged/ansible_collections/community/crypto/changelogs/changelog.yaml new file mode 100644 index 00000000..5f532287 --- /dev/null +++ b/collections-debian-merged/ansible_collections/community/crypto/changelogs/changelog.yaml 
@@ -0,0 +1,321 @@ +ancestor: null +releases: + 1.0.0: + changes: + bugfixes: + - 'ACME modules: fix bug in ACME v1 account update code' + - 'ACME modules: make sure some connection errors are handled properly' + - 'ACME modules: support Buypass'' ACME v1 endpoint' + - acme_certificate - fix crash when module is used with Python 2.x. + - acme_certificate - fix misbehavior when ACME v1 is used with ``modify_account`` + set to ``false``. + - 'ecs_certificate - Always specify header ``connection: keep-alive`` for ECS + API connections.' + - ecs_certificate - Fix formatting of contents of ``full_chain_path``. + - get_certificate - Fix cryptography backend when pyopenssl is unavailable (https://github.com/ansible/ansible/issues/67900) + - openssh_keypair - add logic to avoid breaking password protected keys. + - openssh_keypair - fixes idempotence issue with public key (https://github.com/ansible/ansible/issues/64969). + - openssh_keypair - public key's file attributes (permissions, owner, group, + etc.) are now set to the same values as the private key. + - openssl_* modules - prevent crash on fingerprint determination in FIPS mode + (https://github.com/ansible/ansible/issues/67213). + - 'openssl_certificate - When provider is ``entrust``, use a ``connection: keep-alive`` + header for ECS API connections.' + - openssl_certificate - ``provider`` option was documented as required, but + it was not checked whether it was provided. It is now only required when ``state`` + is ``present``. + - openssl_certificate - fix ``assertonly`` provider certificate verification, + causing 'private key mismatch' and 'subject mismatch' errors. + - openssl_certificate and openssl_csr - fix Ed25519 and Ed448 private key support + for ``cryptography`` backend. This probably needs at least cryptography 2.8, + since older versions have problems with signing certificates or CSRs with + such keys. 
(https://github.com/ansible/ansible/issues/59039, PR https://github.com/ansible/ansible/pull/63984) + - openssl_csr - a warning is issued if an unsupported value for ``version`` + is used for the ``cryptography`` backend. + - openssl_csr - the module will now enforce that ``privatekey_path`` is specified + when ``state=present``. + - openssl_publickey - fix a module crash caused when pyOpenSSL is not installed + (https://github.com/ansible/ansible/issues/67035). + deprecated_features: + - openssl_csr - all values for the ``version`` option except ``1`` are deprecated. + The value 1 denotes the current only standardized CSR version. + minor_changes: + - luks_device - accept ``passphrase``, ``new_passphrase`` and ``remove_passphrase``. + - luks_device - add ``keysize`` parameter to set key size at LUKS container + creation + - luks_device - added support to use UUIDs, and labels with LUKS2 containers + - luks_device - added the ``type`` option that allows user explicit define the + LUKS container format version + - openssh_keypair - instead of regenerating some broken or password protected + keys, fail the module. Keys can still be regenerated by calling the module + with ``force=yes``. + - openssh_keypair - the ``regenerate`` option allows to configure the module's + behavior when it should or needs to regenerate private keys. + - openssl_* modules - the cryptography backend now properly supports ``dirName``, + ``otherName`` and ``RID`` (Registered ID) names. + - openssl_certificate - Add option for changing which ACME directory to use + with acme-tiny. Set the default ACME directory to Let's Encrypt instead of + using acme-tiny's default. (acme-tiny also uses Let's Encrypt at the time + being, so no action should be neccessary.) 
+ - openssl_certificate - Change the required version of acme-tiny to >= 4.0.0 + - openssl_certificate - allow to provide content of some input files via the + ``csr_content``, ``privatekey_content``, ``ownca_privatekey_content`` and + ``ownca_content`` options. + - openssl_certificate - allow to return the existing/generated certificate directly + as ``certificate`` by setting ``return_content`` to ``yes``. + - openssl_certificate_info - allow to provide certificate content via ``content`` + option (https://github.com/ansible/ansible/issues/64776). + - openssl_csr - Add support for specifying the SAN ``otherName`` value in the + OpenSSL ASN.1 UTF8 string format, ``otherName:<OID>;UTF8:string value``. + - openssl_csr - allow to provide private key content via ``private_key_content`` + option. + - openssl_csr - allow to return the existing/generated CSR directly as ``csr`` + by setting ``return_content`` to ``yes``. + - openssl_csr_info - allow to provide CSR content via ``content`` option. + - openssl_dhparam - allow to return the existing/generated DH params directly + as ``dhparams`` by setting ``return_content`` to ``yes``. + - openssl_dhparam - now supports a ``cryptography``-based backend. Auto-detection + can be overwritten with the ``select_crypto_backend`` option. + - openssl_pkcs12 - allow to return the existing/generated PKCS#12 directly as + ``pkcs12`` by setting ``return_content`` to ``yes``. + - openssl_privatekey - add ``format`` and ``format_mismatch`` options. + - openssl_privatekey - allow to return the existing/generated private key directly + as ``privatekey`` by setting ``return_content`` to ``yes``. + - openssl_privatekey - the ``regenerate`` option allows to configure the module's + behavior when it should or needs to regenerate private keys. + - openssl_privatekey_info - allow to provide private key content via ``content`` + option. + - openssl_publickey - allow to provide private key content via ``private_key_content`` + option. 
+ - openssl_publickey - allow to return the existing/generated public key directly + as ``publickey`` by setting ``return_content`` to ``yes``. + release_summary: 'This is the first proper release of the ``community.crypto`` + collection. This changelog contains all changes to the modules in this collection + that were added after the release of Ansible 2.9.0. + + ' + removed_features: + - The ``letsencrypt`` module has been removed. Use ``acme_certificate`` instead. + fragments: + - 1.0.0.yml + - 52408-luks-device.yaml + - 58973-luks_device_add-type-option.yml + - 58973_luks_device-add-label-and-uuid-support.yml + - 60388-openssl_privatekey-format.yml + - 61522-luks-device-add-option-to-define-keysize.yml + - 61658-openssh_keypair-public-key-permissions.yml + - 61693-acme-buypass-acme-v1.yml + - 61738-ecs-certificate-invalid-chain.yaml + - 62218-fix-to-entrust-api.yml + - 62790-openssl_certificate_fix_assert.yml + - 62991-openssl_dhparam-cryptography-backend.yml + - 63140-acme-fix-fetch-url-status-codes.yaml + - 63432-openssl_csr-version.yml + - 63984-openssl-ed25519-ed448.yml + - 64436-openssh_keypair-add-password-protected-key-check.yml + - 64501-fix-python2.x-backward-compatibility.yaml + - 64648-acme_certificate-acmev1.yml + - 65017-openssh_keypair-idempotence.yml + - 65400-openssl-output.yml + - 65435-openssl_csr-privatekey_path-required.yml + - 65633-crypto-argspec-fixup.yml + - 66384-openssl-content.yml + - 67036-openssl_publickey-backend.yml + - 67038-openssl-openssh-key-regenerate.yml + - 67109-openssl_certificate-acme-directory.yaml + - 67515-openssl-fingerprint-fips.yml + - 67669-cryptography-names.yml + - 67901-get_certificate-fix-cryptography.yml + - letsencrypt.yml + - openssl_csr-otherName.yml + modules: + - description: Request validation of a domain with the Entrust Certificate Services + (ECS) API + name: ecs_domain + namespace: '' + - description: Generate Certificate Revocation Lists (CRLs) + name: x509_crl + namespace: '' + - description: 
Retrieve information on Certificate Revocation Lists (CRLs) + name: x509_crl_info + namespace: '' + release_date: '2020-07-03' + 1.1.0: + changes: + bugfixes: + - acme_inspect - fix problem with Python 3.5 that JSON was not decoded (https://github.com/ansible-collections/community.crypto/issues/86). + - get_certificate - fix ``ca_cert`` option handling when ``proxy_host`` is used + (https://github.com/ansible-collections/community.crypto/pull/84). + - openssl_*, x509_* modules - fix handling of general names which refer to IP + networks and not IP addresses (https://github.com/ansible-collections/community.crypto/pull/92). + minor_changes: + - acme_account - add ``external_account_binding`` option to allow creation of + ACME accounts with External Account Binding (https://github.com/ansible-collections/community.crypto/issues/89). + - 'acme_certificate - allow new selector ``test_certificates: first`` for ``select_chain`` + parameter (https://github.com/ansible-collections/community.crypto/pull/102).' + - cryptography backends - support arbitrary dotted OIDs (https://github.com/ansible-collections/community.crypto/issues/39). + - get_certificate - add support for SNI (https://github.com/ansible-collections/community.crypto/issues/69). + - luks_device - add support for encryption options on container creation (https://github.com/ansible-collections/community.crypto/pull/97). + - openssh_cert - add support for PKCS#11 tokens (https://github.com/ansible-collections/community.crypto/pull/95). + - openssl_certificate - the PyOpenSSL backend now uses 160 bits of randomness + for serial numbers, instead of a random number between 1000 and 99999. Please + note that this is not a high quality random number (https://github.com/ansible-collections/community.crypto/issues/76). + - openssl_csr - add support for name constraints extension (https://github.com/ansible-collections/community.crypto/issues/46). 
+ - openssl_csr_info - add support for name constraints extension (https://github.com/ansible-collections/community.crypto/issues/46). + release_summary: 'Release for Ansible 2.10.0. + + ' + fragments: + - 1.1.0.yml + - 100-acme-account-external-account-binding.yml + - 102-acme-certificate-select-chain-first.yml + - 87-acme_inspect-python-3.5.yml + - 90-cryptography-oids.yml + - 90-openssl_certificate-pyopenssl-serial.yml + - 92-ip-networks.yml + - 92-openssl_csr-name-constraints.yml + - get_certificate-add_support_for_SNI.yml + - luks_device-add_encryption_option_on_create.yml + - openssh_cert-pkcs11.yml + modules: + - description: Sign data with openssl + name: openssl_signature + namespace: '' + - description: Verify signatures with openssl + name: openssl_signature_info + namespace: '' + release_date: '2020-08-18' + 1.1.1: + changes: + bugfixes: + - meta/runtime.yml - convert Ansible version numbers for old names of modules + to collection version numbers (https://github.com/ansible-collections/community.crypto/pull/108). + - openssl_csr - improve handling of IDNA errors (https://github.com/ansible-collections/community.crypto/issues/105). + release_summary: Bugfixes for Ansible 2.10.0. + fragments: + - 1.1.1.yml + - 106-openssl_csr-idna-errors.yml + - 108-meta-runtime-versions.yml + release_date: '2020-09-14' + 1.2.0: + changes: + bugfixes: + - openssl_pkcs12 - do not crash when reading PKCS#12 file which has no private + key and/or no main certificate (https://github.com/ansible-collections/community.crypto/issues/103). + minor_changes: + - acme_certificate - allow to pass CSR file as content with new option ``csr_content`` + (https://github.com/ansible-collections/community.crypto/pull/115). + - x509_certificate_info - add ``fingerprints`` return value which returns certificate + fingerprints (https://github.com/ansible-collections/community.crypto/pull/121). + release_summary: Please note that this release fixes a security issue (CVE-2020-25646). 
+ security_fixes: + - openssl_csr - the option ``privatekey_content`` was not marked as ``no_log``, + resulting in it being dumped into the system log by default, and returned + in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125). + - openssl_privatekey_info - the option ``content`` was not marked as ``no_log``, + resulting in it being dumped into the system log by default, and returned + in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125). + - openssl_publickey - the option ``privatekey_content`` was not marked as ``no_log``, + resulting in it being dumped into the system log by default, and returned + in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125). + - openssl_signature - the option ``privatekey_content`` was not marked as ``no_log``, + resulting in it being dumped into the system log by default, and returned + in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125). + - x509_certificate - the options ``privatekey_content`` and ``ownca_privatekey_content`` + were not marked as ``no_log``, resulting in it being dumped into the system + log by default, and returned in the registered results in the ``invocation`` + field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125). + - x509_crl - the option ``privatekey_content`` was not marked as ``no_log``, + resulting in it being dumped into the system log by default, and returned + in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125). 
+ fragments: + - 1.2.0.yml + - 109-openssl_pkcs12-crash-no-cert-key.yml + - 115-acme_certificate-csr_content.yml + - 121-x509_certificate_info-fingerprints.yml + - cve-2020-25646.yml + release_date: '2020-10-13' + 1.3.0: + changes: + bugfixes: + - openssl_pkcs12 - report the correct state when ``action`` is ``parse`` (https://github.com/ansible-collections/community.crypto/issues/143). + - support code - improve handling of certificate and certificate signing request + (CSR) loading with the ``cryptography`` backend when errors occur (https://github.com/ansible-collections/community.crypto/issues/138, + https://github.com/ansible-collections/community.crypto/pull/139). + - x509_certificate - fix ``entrust`` provider, which was broken since community.crypto + 0.1.0 due to a feature added before the collection move (https://github.com/ansible-collections/community.crypto/pull/135). + minor_changes: + - openssh_cert - add module parameter ``use_agent`` to enable using signing + keys stored in ssh-agent (https://github.com/ansible-collections/community.crypto/issues/116). + - openssl_csr - refactor module to allow code re-use by openssl_csr_pipe (https://github.com/ansible-collections/community.crypto/pull/123). + - openssl_privatekey - refactor module to allow code re-use by openssl_privatekey_pipe + (https://github.com/ansible-collections/community.crypto/pull/119). + - openssl_privatekey - the elliptic curve ``secp192r1`` now triggers a security + warning. Elliptic curves of at least 224 bits should be used for new keys; + see `here <https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ec.html#elliptic-curves>`_ + (https://github.com/ansible-collections/community.crypto/pull/132). + - x509_certificate - for the ``selfsigned`` provider, a CSR is not required + anymore. 
If no CSR is provided, the module behaves as if a minimal CSR which + only contains the public key has been provided (https://github.com/ansible-collections/community.crypto/issues/32, + https://github.com/ansible-collections/community.crypto/pull/129). + - x509_certificate - refactor module to allow code re-use by x509_certificate_pipe + (https://github.com/ansible-collections/community.crypto/pull/135). + release_summary: 'Contains new modules ``openssl_privatekey_pipe``, ``openssl_csr_pipe`` + and ``x509_certificate_pipe`` which allow to create or update private keys, + CSRs and X.509 certificates without having to write them to disk. + + ' + fragments: + - 1.3.0.yml + - 117-openssh_cert-use-ssh-agent.yml + - 129-x509_certificate-no-csr-selfsigned.yml + - 132-openssl_privatekey-ecc-order.yml + - 135-x509_certificate-entrust.yml + - 139-improve-error-handling.yml + - 145-add-check-for-parsed-pkcs12-files.yml + - privatekey-csr-certificate-refactoring.yml + modules: + - description: Generate OpenSSL Certificate Signing Request (CSR) + name: openssl_csr_pipe + namespace: '' + - description: Generate OpenSSL private keys without disk access + name: openssl_privatekey_pipe + namespace: '' + - description: Generate and/or check OpenSSL certificates + name: x509_certificate_pipe + namespace: '' + release_date: '2020-11-24' + 1.4.0: + changes: + bugfixes: + - acme_certificate - error when requested challenge type is not found for non-valid + challenges, instead of hanging on step 2 (https://github.com/ansible-collections/community.crypto/issues/171, + https://github.com/ansible-collections/community.crypto/pull/173). + minor_changes: + - The ACME module_utils has been relicensed back from the Simplified BSD License + (https://opensource.org/licenses/BSD-2-Clause) to the GPLv3+ (same license + used by most other code in this collection). 
This undoes a licensing change + when the original GPLv3+ licensed code was moved to module_utils in https://github.com/ansible/ansible/pull/40697 + (https://github.com/ansible-collections/community.crypto/pull/165). + - The ``crypto/identify.py`` module_utils has been renamed to ``crypto/pem.py`` + (https://github.com/ansible-collections/community.crypto/pull/166). + - luks_device - ``new_keyfile``, ``new_passphrase``, ``remove_keyfile`` and + ``remove_passphrase`` are now idempotent (https://github.com/ansible-collections/community.crypto/issues/19, + https://github.com/ansible-collections/community.crypto/pull/168). + - luks_device - allow to configure PBKDF (https://github.com/ansible-collections/community.crypto/pull/163). + - openssl_csr, openssl_csr_pipe - allow to specify CRL distribution endpoints + with ``crl_distribution_points`` (https://github.com/ansible-collections/community.crypto/issues/147, + https://github.com/ansible-collections/community.crypto/pull/167). + - openssl_pkcs12 - allow to specify certificate bundles in ``other_certificates`` + by using new option ``other_certificates_parse_all`` (https://github.com/ansible-collections/community.crypto/issues/149, + https://github.com/ansible-collections/community.crypto/pull/166). + release_summary: Release with several new features and bugfixes. + fragments: + - 1.4.0.yml + - 163-luks-pbkdf.yml + - 166-openssl_pkcs12-certificate-bundles.yml + - 167-openssl_csr-crl-distribution-points.yml + - 168-luks_device-add-remove-idempotence.yml + - 173-acme_certificate-wrong-challenge.yml + - acme-module-utils-relicense.yml + release_date: '2021-01-26' |
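Review bot: The option name is inconsistent between releases. In the 1.0.0 minor_changes, the openssl_csr and openssl_publickey entries call the new option ``private_key_content``, while the 1.2.0 security_fixes entries for the same two modules call it ``privatekey_content``, as does the 1.0.0 openssl_certificate entry. Anyone searching the changelog for the option affected by CVE-2020-25646 will not find the release that introduced it, so the 1.0.0 spelling should be aligned with the one used in 1.2.0. Smaller points in the same hunk: the 1.2.0 x509_certificate entry names two options but continues "resulting in it being dumped", which should read "them"; "neccessary" in the 1.0.0 acme-tiny entry is misspelled; and in 1.4.0 both the ``crypto/identify.py`` rename and the ``other_certificates_parse_all`` entry cite pull/166 while only the 166-openssl_pkcs12-certificate-bundles.yml fragment carries that number, so please confirm the PR reference on the rename entry.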