There is a point release for Ansible that addresses a few issues, including a couple of Security issues:
- Security Fix – avoid loading host/group vars from cwd when not specifying a playbook or playbook base dir
- Security Fix – avoid using ansible.cfg in a world writable dir.
This is in addition to the Security fix in 2.6 that caused the no_log option to be ignored in certain situations, potentially resulting in private task info being logged.
At a minimum we’re recommending our clients move to the 2.6 Stable release, although we haven’t seen any issues with 2.6.1 in our testing.
