[Security] Bump ansible from 2.9.6 to 2.9.20

[dependabot-preview]

Bumps ansible from 2.9.6 to 2.9.20. This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Insertion of Sensitive Information into Log File, Invocation of Process Using Visible Sensitive Information, and Exposure of Sensitive Information to an Unauthorized Actor in Ansible A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the k8s module. Sensitive parameters such as passwords and tokens are passed to kubectl from the command line, not using an environment variable or an input configuration file. This will disclose passwords and tokens from process list and no_log directive from debug module would not have any effect making these secrets being disclosed on stdout and log files.

Affected versions: >= 2.9.0, < 2.9.7

Sourced from The GitHub Security Advisory Database.

Path Traversal in Ansible A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.

Affected versions: >= 2.7.0, <= 2.9.19

Sourced from The GitHub Security Advisory Database.

Exposure of Resource to Wrong Sphere and Insecure Temporary File in Ansible A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when using modules which decrypts vault files such as assemble, script, unarchive, win_copy, aws_s3 or copy modules. The temporary directory is created in /tmp leaves the s ts unencrypted. On Operating Systems which /tmp is not a tmpfs but part of the root partition, the directory is only cleared on boot and the decryp emains when the host is switched off. The system will be vulnerable when the system is not running. So decrypted data must be cleared as soon as possible and the data which normally is encrypted ble.

Affected versions: >= 2.9.0, < 2.9.7

Sourced from The GitHub Security Advisory Database.

Exposure of Sensitive Information to an Unauthorized Actor and Insecure Temporary File in Ansible A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.

Affected versions: >= 2.9.0, < 2.9.7

Commits

• d5f2ef4 New release v2.9.20
• 910f4b7 Update Ansible release version to v2.9.20rc1.post0.
• 470b3f5 New release v2.9.20rc1
• fab9bf1 New AWS module mod_defaults - rds_option_group (_info) modules (#74098)
• 6c471c4 New AWS module mod_defaults - wafv2 modules (#73975)
• 042d8ef [stable-2.9] Fix: nmcli bridge-slave fails with error (#74125)
• 7b048c4 [backport/2.9] module_defaults: Add rds_snapshot (#74113)
• 0d668b6 [stable-2.9] find - set proper default based on use_regex (#73961) (#73966)
• f8caa43 add optional module_utils import support (#73832) (#73916)
• 1592c8b [stable-2.9] Ensure task from the worker is finalized/squashed (#73881) (#73929)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)