SUSE Package Hub - openSUSE-2019-1125

Update Info

openSUSE-2019-1125

Security update for ansible

Type: security

Severity: moderate

Issued: 2019-04-03

Description:

This update for ansible to version 2.7.8 fixes the following issues:

Security issues fixed: 	  

- CVE-2018-16837: Fixed an information leak in user module (bsc#1112959).
- CVE-2018-16859: Fixed an issue which clould allow logging of password in plaintext in Windows powerShell (bsc#1116587).
- CVE-2019-3828: Fixed a path traversal vulnerability in fetch module (bsc#1126503).
- CVE-2018-10875: Fixed a potential code execution in ansible.cfg (bsc#1099808).
- CVE-2018-16876: Fixed an issue which could allow  information disclosure in vvv+ mode with no_log on (bsc#1118896).

Other issues addressed: 

- prepare update to 2.7.8 for multiple releases (boo#1102126, boo#1109957)

Release notes: https://github.com/ansible/ansible/blob/stable-2.7/changelogs/CHANGELOG-v2.7.rst#id1

References

CVE: CVE-2019-3828
CVE: CVE-2018-16876
CVE: CVE-2018-16859
CVE: CVE-2018-16837
CVE: CVE-2018-10875
Bugzilla: 1126503 VUL-1: CVE-2019-3828: ansible: path traversal in the fetch module
Bugzilla: 1118896 VUL-1: CVE-2018-16876: ansible: Information disclosure in vvv+ mode with no_log on
Bugzilla: 1116587 VUL-1: CVE-2018-16859: ansible: become password logged in plaintext when used with PowerShell on Windows
Bugzilla: 1112959 VUL-0: CVE-2018-16837: ansible: Information leak in "user" module
Bugzilla: 1109957 ansible firewalld module fails
Bugzilla: 1102126 Ansible zypper module fails
Bugzilla: 1099808 VUL-0: CVE-2018-10875: ansible: ansible.cfg is being read from current working directory allowing possible code execution

Packages

ansible-2.7.8-bp150.3.6.1