Security Information / 2019 / Security Information -- DSA-4396-1 ansible

Debian Security Advisory

DSA-4396-1 ansible -- security update

Date Reported:

19 Feb 2019

Affected Packages:

ansible

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2018-10855, CVE-2018-10875, CVE-2018-16837, CVE-2018-16876, CVE-2019-3828.

More information:

Several vulnerabilities have been found in Ansible, a configuration management, deployment, and task execution system:

• CVE-2018-10855 / CVE-2018-16876

  The no_log task flag wasn't honored, resulting in an information leak.

• CVE-2018-10875

  ansible.cfg was read from the current working directory.

• CVE-2018-16837

  The user module leaked parameters passed to ssh-keygen to the process environment.

• CVE-2019-3828

  The fetch module was susceptible to path traversal.

For the stable distribution (stretch), these problems have been fixed in version 2.2.1.0-2+deb9u1.

We recommend that you upgrade your ansible packages.

For the detailed security status of ansible please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ansible