Description
Security update for ansible
This update for ansible to version 2.7.8 fixes the following issues:
Security issues fixed:
- CVE-2018-16837: Fixed an information leak in the user module (bsc#1112959).
- CVE-2018-16859: Fixed an issue which could allow logging of the password in plaintext in Windows PowerShell (bsc#1116587).
- CVE-2019-3828: Fixed a path traversal vulnerability in the fetch module (bsc#1126503).
- CVE-2018-10875: Fixed a potential code execution in ansible.cfg (bsc#1099808).
- CVE-2018-16876: Fixed an issue which could allow information disclosure in vvv+ mode with no_log on (bsc#1118896).
Other issues addressed:
- prepare update to 2.7.8 for multiple releases (boo#1102126, boo#1109957)
Release notes: https://github.com/ansible/ansible/blob/stable-2.7/changelogs/CHANGELOG-v2.7.rst#id1
Package list
SUSE Package Hub 12
SUSE Package Hub 15
openSUSE Leap 15.0
References
- E-Mail link for openSUSE-SU-2019:1125-1
- SUSE Security Ratings
- SUSE Bug 1099808
- SUSE Bug 1102126
- SUSE Bug 1109957
- SUSE Bug 1112959
- SUSE Bug 1116587
- SUSE Bug 1118896
- SUSE Bug 1126503
- SUSE CVE CVE-2018-10875 page
- SUSE CVE CVE-2018-16837 page
- SUSE CVE CVE-2018-16859 page
- SUSE CVE CVE-2018-16876 page
- SUSE CVE CVE-2019-3828 page
Description
A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code.
Affected products
References
- CVE-2018-10875
- SUSE Bug 1099808
- SUSE Bug 1109957
Description
Ansible "User" module leaks any data which is passed on as a parameter to ssh-keygen. This could lead to undesirable situations, such as passphrase credentials passed as a parameter to the ssh-keygen executable being shown in clear text to every user who has access merely to the process list.
Affected products
References
- CVE-2018-16837
- SUSE Bug 1112959
Description
Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for 'become' passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the plaintext password. Ansible Engine 2.8 and older are believed to be vulnerable.
Affected products
References
- CVE-2018-16859
- SUSE Bug 1109957
- SUSE Bug 1116587
Description
ansible before versions 2.5.14, 2.6.11, 2.7.5 is vulnerable to an information disclosure flaw in vvv+ mode with no_log on that can lead to leakage of sensitive data.
Affected products
References
- CVE-2018-16876
- SUSE Bug 1109957
- SUSE Bug 1118896
Description
Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local ansible controller host, by not restricting an absolute path.
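The absolute-path problem described above, as an added example that is not Ansible's own code: an illustrative reconstruction of a fetch-style destination computation that joins the remote-supplied source path unchecked, beside a hardened version that keeps the result inside the destination directory. The function names and sample paths are assumptions; the `<dest>/<hostname>/<src>` layout mirrors the module's documented non-flat behaviour.

```python
import os
import posixpath


def unsafe_fetch_dest(dest_dir: str, hostname: str, remote_src: str) -> str:
    """Naive destination computation (the kind of bug the advisory describes).

    os.path.join discards every component before an absolute one, so a
    remote-controlled src of "/etc/hosts" replaces dest_dir outright, and
    "../" segments are only collapsed by normpath, not confined.
    """
    return os.path.normpath(os.path.join(dest_dir, hostname, remote_src))


def build_fetch_dest(dest_dir: str, hostname: str, remote_src: str,
                     flat: bool = False) -> str:
    """Hardened destination computation.

    Returns the controller-side path the fetched file would be written to,
    or raises ValueError if that path would land outside dest_dir.
    """
    dest_root = os.path.realpath(dest_dir)
    if flat:
        # flat=True keeps only the file name; strip any directory part.
        candidate = os.path.join(dest_root, posixpath.basename(remote_src))
    else:
        # Drop the leading "/" so the remote path is always treated as
        # relative to <dest_root>/<hostname>, never as an absolute override.
        candidate = os.path.join(dest_root, hostname, remote_src.lstrip("/"))
    # Resolve "..", duplicate separators and symlinks in existing components,
    # then require the result to still sit under dest_root.
    resolved = os.path.realpath(candidate)
    if os.path.commonpath([dest_root, resolved]) != dest_root:
        raise ValueError(f"refusing to write outside {dest_root!r}: {resolved!r}")
    return resolved


def fetch_dest_is_safe(dest_dir: str, hostname: str, remote_src: str,
                       flat: bool = False) -> bool:
    """Convenience check: True if the hardened computation accepts the path."""
    try:
        build_fetch_dest(dest_dir, hostname, remote_src, flat)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: a managed host reports an absolute path.
    print(unsafe_fetch_dest("/srv/fetched", "web1", "/etc/hosts"))   # escapes
    print(build_fetch_dest("/srv/fetched", "web1", "/etc/hosts"))    # confined
```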
Affected products
References
- CVE-2019-3828
- SUSE Bug 1126503
- SUSE Bug 1164137