UbuntuUpdates.org

Package "ansible"

Name: ansible

Description: Configuration management, deployment, and task execution system

Latest version: 2.5.1+dfsg-1ubuntu0.1
Release: bionic (18.04)
Level: security
Repository: universe
Homepage: https://www.ansible.com

Other versions of "ansible" in Bionic

Repository  Area      Version
base        universe  2.5.1+dfsg-1
updates     universe  2.5.1+dfsg-1ubuntu0.1

Changelog

Version: 2.5.1+dfsg-1ubuntu0.1 2019-07-17 20:07:26 UTC

  ansible (2.5.1+dfsg-1ubuntu0.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Fix a vulnerability in inventory variables where an
    attacker could run arbitrary code.
    - debian/patches/CVE-2018-10874.patch: Avoid loading vars on unspecified
      basedir (cwd).
    - CVE-2018-10874
  * SECURITY UPDATE: Fix a flaw in ansible.cfg where an attacker could point
    to a plugin or a module path under control and execute arbitrary code.
    - debian/patches/CVE-2018-10875.patch: Ignore ansible.cfg in world
      writable cwd.
    - CVE-2018-10875
  * SECURITY UPDATE: Avoid information disclosure in log and command line.
    - debian/patches/CVE-2018-10855.patch: no_log even when task_result
      doesn't provide key.
    - debian/patches/CVE-2018-16837.patch: user: Don't pass ssh_key_passphrase
      on command line.
    - debian/patches/CVE-2018-16876.patch: Ensure ssh retry respects no log.
    - CVE-2018-10855
    - CVE-2018-16837
    - CVE-2018-16876
  * SECURITY UPDATE: Fix traversal path vulnerability which allows copying
    and overwriting files outside of the specified destination in the local
    ansible controller host, by not restricting an absolute path.
    - debian/patches/CVE-2019-3828.patch: Disallow use of remote home
      directories containing ".." in their path
    - CVE-2019-3828
  * SECURITY UPDATE: Sensitive information could be exposed to remote node.
    - debian/patches/CVE-2019-10156-1.patch: Don't pass locals.
    - debian/patches/CVE-2019-10156-2.patch: Fixed tests.
    - CVE-2019-10156

 -- Paulo Flabiano Smorigo <email address hidden> Thu, 11 Jul 2019 17:55:43 -0300

CVE-2018-10874 In ansible it was found that inventory variables are loaded from current working directory when running ad-hoc command which are under attacker's con
CVE-2018-10875 A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module pat
CVE-2018-10855 Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect
CVE-2018-16837 Ansible "User" module leaks any data which is passed on as a parameter to ssh-keygen. This could lead in undesirable situations such as passphrases c
CVE-2018-16876 ansible before versions 2.5.14, 2.6.11, 2.7.5 is vulnerable to an information disclosure flaw in vvv+ mode with no_log on that can lead to leakage of
CVE-2019-3828 Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of t
CVE-2019-10156 templating causing an unexpected key file to be set on remote node


