UbuntuUpdates.org

Package "ansible"

Name: ansible

Description:

Configuration management, deployment, and task execution system

Latest version: 2.5.1+dfsg-1ubuntu0.1
Release: bionic (18.04)
Level: updates
Repository: universe
Homepage: https://www.ansible.com

Links


Download "ansible"


Other versions of "ansible" in Bionic

Repository Area Version
base universe 2.5.1+dfsg-1
security universe 2.5.1+dfsg-1ubuntu0.1

Changelog

Version: 2.5.1+dfsg-1ubuntu0.1 2019-07-17 20:07:27 UTC

  ansible (2.5.1+dfsg-1ubuntu0.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Fix a vulnerability in inventory variables where an
    attacker could run arbitrary code.
    - debian/patches/CVE-2018-10874.patch: Avoid loading vars on unspecified
      basedir (cwd).
    - CVE-2018-10874
  * SECURITY UPDATE: Fix a flaw in ansible.cfg where an attacker could point
    to a plugin or a module path under control and execute arbitrary code.
    - debian/patches/CVE-2018-10875.patch: Ignore ansible.cfg in world
      writable cwd.
    - CVE-2018-10875
  * SECURITY UPDATE: Avoid information disclosure in log and command line.
    - debian/patches/CVE-2018-10855.patch: no_log even when task_result
      doesn't provide key.
    - debian/patches/CVE-2018-16837.patch: user: Don't pass ssh_key_passphrase
      on command line.
    - debian/patches/CVE-2018-16876.patch: Ensure ssh retry respects no log.
    - CVE-2018-10855
    - CVE-2018-16837
    - CVE-2018-16876
  * SECURITY UPDATE: Fix traversal path vulnerability which allows copying
    and overwriting files outside of the specified destination in the local
    ansible controller host, by not restricting an absolute path.
    - debian/patches/CVE-2019-3828.patch: Disallow use of remote home
      directories containing ".." in their path
    - CVE-2019-3828
  * SECURITY UPDATE: Sensitive information could be exposed to remote node.
    - debian/patches/CVE-2019-10156-1.patch: Don't pass locals.
    - debian/patches/CVE-2019-10156-2.patch: Fixed tests.
    - CVE-2019-10156

 -- Paulo Flabiano Smorigo <email address hidden> Thu, 11 Jul 2019 17:55:43 -0300

CVE-2018-10874 In ansible it was found that inventory variables are loaded from current working directory when running ad-hoc command which are under attacker's con
CVE-2018-10875 A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module pat
CVE-2018-10855 Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect
CVE-2018-16837 Ansible "User" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases c
CVE-2018-16876 ansible before versions 2.5.14, 2.6.11, 2.7.5 is vulnerable to a information disclosure flaw in vvv+ mode with no_log on that can lead to leakage of
CVE-2019-3828 Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of t
CVE-2019-10156 templating causing an unexpected key file to be set on remote node



About   -   Send Feedback to @ubuntu_updates