Configuration management, deployment, and task execution system
Save this URL for the latest version of "ansible":
Other versions of "ansible" in Bionic
ansible (2.5.1+dfsg-1ubuntu0.1) bionic-security; urgency=medium
* SECURITY UPDATE: Fix a vulnerability in inventory variables where an
attacker could run arbitrary code.
- debian/patches/CVE-2018-10874.patch: Avoid loading vars on unspecified
* SECURITY UPDATE: Fix a flaw in ansible.cfg where an attacker could point
to a plugin or a module path under control and execute arbitrary code.
- debian/patches/CVE-2018-10875.patch: Ignore ansible.cfg in world
* SECURITY UPDATE: Avoid information disclosure in log and command line.
- debian/patches/CVE-2018-10855.patch: no_log even when task_result
doesn't provide key.
- debian/patches/CVE-2018-16837.patch: user: Don't pass ssh_key_passphrase
on command line.
- debian/patches/CVE-2018-16876.patch: Ensure ssh retry respects no log.
* SECURITY UPDATE: Fix traversal path vulnerability which allows copying
and overwriting files outside of the specified destination in the local
ansible controller host, by not restricting an absolute path.
- debian/patches/CVE-2019-3828.patch: Disallow use of remote home
directories containing ".." in their path
* SECURITY UPDATE: Sensitive information could be exposed to remote node.
- debian/patches/CVE-2019-10156-1.patch: Don't pass locals.
- debian/patches/CVE-2019-10156-2.patch: Fixed tests.
-- Paulo Flabiano Smorigo <email address hidden> Thu, 11 Jul 2019 17:55:43 -0300
||In ansible it was found that inventory variables are loaded from current working directory when running ad-hoc command which are under attacker's con
||A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module pat
||Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect
||Ansible "User" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases c
||ansible before versions 2.5.14, 2.6.11, 2.7.5 is vulnerable to a information disclosure flaw in vvv+ mode with no_log on that can lead to leakage of
||Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of t
||templating causing an unexpected key file to be set on remote node
Send Feedback to @ubuntu_updates