Security update for ansible SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:1125-1 Final 1 1 2019-04-03T01:50:46Z current 2019-04-03T01:50:46Z 2019-04-03T01:50:46Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ansible This update for ansible to version 2.7.8 fixes the following issues: Security issues fixed: - CVE-2018-16837: Fixed an information leak in user module (bsc#1112959). - CVE-2018-16859: Fixed an issue which clould allow logging of password in plaintext in Windows powerShell (bsc#1116587). - CVE-2019-3828: Fixed a path traversal vulnerability in fetch module (bsc#1126503). - CVE-2018-10875: Fixed a potential code execution in ansible.cfg (bsc#1099808). - CVE-2018-16876: Fixed an issue which could allow information disclosure in vvv+ mode with no_log on (bsc#1118896). Other issues addressed: - prepare update to 2.7.8 for multiple releases (boo#1102126, boo#1109957) Release notes: https://github.com/ansible/ansible/blob/stable-2.7/changelogs/CHANGELOG-v2.7.rst#id1 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-1125 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/P7ES2KO7RTXEO4IZY7YGCEBV3XZND5MW/#P7ES2KO7RTXEO4IZY7YGCEBV3XZND5MW E-Mail link for openSUSE-SU-2019:1125-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1099808 SUSE Bug 1099808 https://bugzilla.suse.com/1102126 SUSE Bug 1102126 https://bugzilla.suse.com/1109957 SUSE Bug 1109957 https://bugzilla.suse.com/1112959 SUSE Bug 1112959 https://bugzilla.suse.com/1116587 SUSE Bug 1116587 https://bugzilla.suse.com/1118896 SUSE Bug 1118896 https://bugzilla.suse.com/1126503 SUSE Bug 1126503 https://www.suse.com/security/cve/CVE-2018-10875/ SUSE CVE CVE-2018-10875 page https://www.suse.com/security/cve/CVE-2018-16837/ SUSE CVE CVE-2018-16837 page https://www.suse.com/security/cve/CVE-2018-16859/ SUSE CVE CVE-2018-16859 page https://www.suse.com/security/cve/CVE-2018-16876/ SUSE CVE CVE-2018-16876 page https://www.suse.com/security/cve/CVE-2019-3828/ SUSE CVE CVE-2019-3828 page SUSE Package Hub 12 SUSE Package Hub 15 openSUSE Leap 15.0 ansible-2.7.8-bp150.3.6.1 ansible-2.7.8-bp150.3.6.1 as a component of SUSE Package Hub 12 ansible-2.7.8-bp150.3.6.1 as a component of SUSE Package Hub 15 ansible-2.7.8-bp150.3.6.1 as a component of openSUSE Leap 15.0 A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code. CVE-2018-10875 SUSE Package Hub 12:ansible-2.7.8-bp150.3.6.1 SUSE Package Hub 15:ansible-2.7.8-bp150.3.6.1 openSUSE Leap 15.0:ansible-2.7.8-bp150.3.6.1 important 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/P7ES2KO7RTXEO4IZY7YGCEBV3XZND5MW/#P7ES2KO7RTXEO4IZY7YGCEBV3XZND5MW https://www.suse.com/security/cve/CVE-2018-10875.html CVE-2018-10875 https://bugzilla.suse.com/1099808 SUSE Bug 1099808 https://bugzilla.suse.com/1109957 SUSE Bug 1109957 Ansible "User" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen executable. Showing those credentials in clear text form for every user which have access just to the process list. CVE-2018-16837 SUSE Package Hub 12:ansible-2.7.8-bp150.3.6.1 SUSE Package Hub 15:ansible-2.7.8-bp150.3.6.1 openSUSE Leap 15.0:ansible-2.7.8-bp150.3.6.1 important 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/P7ES2KO7RTXEO4IZY7YGCEBV3XZND5MW/#P7ES2KO7RTXEO4IZY7YGCEBV3XZND5MW https://www.suse.com/security/cve/CVE-2018-16837.html CVE-2018-16837 https://bugzilla.suse.com/1112959 SUSE Bug 1112959 Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for 'become' passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the plaintext password. Ansible Engine 2.8 and older are believed to be vulnerable. CVE-2018-16859 SUSE Package Hub 12:ansible-2.7.8-bp150.3.6.1 SUSE Package Hub 15:ansible-2.7.8-bp150.3.6.1 openSUSE Leap 15.0:ansible-2.7.8-bp150.3.6.1 moderate 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/P7ES2KO7RTXEO4IZY7YGCEBV3XZND5MW/#P7ES2KO7RTXEO4IZY7YGCEBV3XZND5MW https://www.suse.com/security/cve/CVE-2018-16859.html CVE-2018-16859 https://bugzilla.suse.com/1109957 SUSE Bug 1109957 https://bugzilla.suse.com/1116587 SUSE Bug 1116587 ansible before versions 2.5.14, 2.6.11, 2.7.5 is vulnerable to a information disclosure flaw in vvv+ mode with no_log on that can lead to leakage of sensible data. CVE-2018-16876 SUSE Package Hub 12:ansible-2.7.8-bp150.3.6.1 SUSE Package Hub 15:ansible-2.7.8-bp150.3.6.1 openSUSE Leap 15.0:ansible-2.7.8-bp150.3.6.1 low 3.5 AV:N/AC:M/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/P7ES2KO7RTXEO4IZY7YGCEBV3XZND5MW/#P7ES2KO7RTXEO4IZY7YGCEBV3XZND5MW https://www.suse.com/security/cve/CVE-2018-16876.html CVE-2018-16876 https://bugzilla.suse.com/1109957 SUSE Bug 1109957 https://bugzilla.suse.com/1118896 SUSE Bug 1118896 Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local ansible controller host, by not restricting an absolute path. CVE-2019-3828 SUSE Package Hub 12:ansible-2.7.8-bp150.3.6.1 SUSE Package Hub 15:ansible-2.7.8-bp150.3.6.1 openSUSE Leap 15.0:ansible-2.7.8-bp150.3.6.1 moderate 3.3 AV:L/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/P7ES2KO7RTXEO4IZY7YGCEBV3XZND5MW/#P7ES2KO7RTXEO4IZY7YGCEBV3XZND5MW https://www.suse.com/security/cve/CVE-2019-3828.html CVE-2019-3828 https://bugzilla.suse.com/1126503 SUSE Bug 1126503 https://bugzilla.suse.com/1164137 SUSE Bug 1164137