UbuntuUpdates.org

Package "ansible"

Name: ansible

Description:

Configuration management, deployment, and task execution system

Latest version: 2.0.0.2-2ubuntu1.3
Release: xenial (16.04)
Level: security
Repository: universe
Homepage: http://ansible.com

Links

Save this URL for the latest version of "ansible": https://www.ubuntuupdates.org/ansible


Download "ansible"


Other versions of "ansible" in Xenial

Repository Area Version
base universe 2.0.0.2-2
updates universe 2.0.0.2-2ubuntu1.3
backports universe 2.1.1.0-1~ubuntu16.04.1

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 2.0.0.2-2ubuntu1.3 2019-07-22 20:06:14 UTC

  ansible (2.0.0.2-2ubuntu1.3) xenial-security; urgency=medium

  * SECURITY REGRESSION: Fix indentation, missing dependencies, and calls.
    - debian/patches/CVE-2018-10875.patch: Fix indentation and dependency.
    - debian/patches/CVE-2018-16837.patch: Fix dependency.
    - debian/patches/CVE-2017-7481.patch: Fix function call.
    - CVE-2017-7481
    - CVE-2018-10875
    - CVE-2018-16837

 -- Paulo Flabiano Smorigo <email address hidden> Wed, 17 Jul 2019 21:47:58 -0300

Source diff to previous version
CVE-2018-10875 A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module pat
CVE-2018-16837 Ansible "User" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases c
CVE-2017-7481 Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of looku

Version: 2.0.0.2-2ubuntu1.2 2019-07-17 20:07:19 UTC

  ansible (2.0.0.2-2ubuntu1.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Fix vulnerability where a local user could use symlinks
    to write arbitrary files or gain privileges.
    - debian/patches/CVE-2016-3096.patch: Do not use a predictable filenames
      in the LXC plugin.
    - CVE-2016-3096
  * SECURITY UPDATE: Avoid unicode strings injection.
    - debian/patches/CVE-2017-7481.patch: Fixing security issue with lookup
      returns not tainting the jinja2 environment.
    - CVE-2017-7481
  * SECURITY UPDATE: Fix a flaw in ansible.cfg where an attacker could point
    to a plugin or a module path under control and execute arbitrary code.
    - debian/patches/CVE-2018-10875.patch: Ignore ansible.cfg in world
      writable cwd.
    - CVE-2018-10875
  * SECURITY UPDATE: Avoid information disclosure in log and command line.
    - debian/patches/CVE-2018-16837.patch: user: Don't pass ssh_key_passphrase
      on command line.
    - CVE-2018-16837

 -- Paulo Flabiano Smorigo <email address hidden> Fri, 12 Jul 2019 11:48:46 -0300

Source diff to previous version
CVE-2016-3096 The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary file
CVE-2017-7481 Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of looku
CVE-2018-10875 A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module pat
CVE-2018-16837 Ansible "User" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases c

Version: 2.0.0.2-2ubuntu1.1 2018-08-22 20:06:16 UTC

  ansible (2.0.0.2-2ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Arbitrary command execution on ansible controller
    - debian/patches/CVE-2016-9587-1.patch: Fixing security bugs by sanitizing
      facts
    - debian/patches/CVE-2016-9587-2.patch: Additional fixes for security
    - NOTE: When CVE-2016-9587 was fixed, it included commit
      bcceada5d9b78ad77069c78226f8e9b336ff8949. It was found that it was still
      possible to exploit the vulnerability after this commit. Commit
      0d418789a298561fded9bce977d34babc9097079 reverted bcceada5 and resolved
      CVE-2017-7466. By not applying commit bcceada5, CVE-2017-7466 is
      resolved. See https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7466
      for more detail.
    - CVE-2016-8628, CVE-2016-9587, CVE-2017-7466

 -- Mike Salvatore <email address hidden> Fri, 17 Aug 2018 10:50:20 -0400

CVE-2016-9587 Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacke
CVE-2017-7466 Ansible before version 2.3 has an input validation vulnerability in the handling of data sent from client systems. An attacker with control over a cl
CVE-2016-8628 Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create speci



About   -   Send Feedback to @ubuntu_updates