SUSE Package Hub - openSUSE-2022-81

Update Info

openSUSE-2022-81

Security update for ansible

Type: security

Severity: important

Issued: 2022-03-16

Description:

Ansible was updated to 2.9.21 to fix lots of bugs and security issues.

Update to version 2.9.20, maintenance release containing numerous bugfixes.

Update to version 2.9.19 with minor changes and a few bug fixes.

Update to version 2.9.18:

* CVE-2021-20228 where default and fallback values for no_log parameters
  to modules were not previously masked. (bsc#1181935)
* CVE-2021-20178 where several parameters to the snmp_facts module were
  logged and displayed despite containing sensitive information. (bsc#1180816)
* CVE-2021-20180 where several parameters to the
  bitbucket_pipeline_variable were logged and displayed despite
  containing sensitive information. (bsc#1180942)
* CVE-2021-20191 which addresses a number of modules whose parameters
  were logged and displayed despite containing sensitive
  information. For the full list of affected modules, refer to the
  changelog linked below. (bsc#1181119)
 
Update to version 2.9.17 with minor changes and a few bug fixes.

Update to version 2.9.16 with minor changes and many bug fixes.

update to version 2.9.15 with following breaking change:

* ansible-galaxy login command has been removed

update to version 2.9.14 with many small improvements and bug fixes,
most notably:

* kubectl - connection plugin now redact kubectl_token and 
   kubectl_password in console log (CVE-2020-1753 bsc#1166389).

update to version 2.9.13 with many bug fixes, most notably:

* A security issue was addressed in the "dnf" module, which previously
  did not check GPG signatures of packages.
* A bug in the "cron" module was fixed. In some cases prior to this
  fix, the module would inadvertently remove cron entries.

update to version 2.9.12 with many bug fixes,
most notably the following security fixes:

* security issue - copy - Redact the value of the no_log 'content' 
  parameter in the result's invocation.module_args in check mode. 
  Previously when used with check mode and with '-vvv', the module would 
  not censor the content if a change would be made to the destination path. 
  (CVE-2020-14332 bsc#1174302)
* security issue atomic_move - change default permissions when creating 
  temporary files so they are not world readable 
  (https://github.com/ansible/ansible/issues/67794) (CVE-2020-1736 bsc#1164134)
* Fix warning for default permission change when no mode is specified. 
  Follow up to https://github.com/ansible/ansible/issues/67794. 
  (CVE-2020-1736)
* Sanitize no_log values from any response keys that might be returned 
  from the uri module (CVE-2020-14330 bsc#1174145).
* reset logging level to INFO due to CVE-2019-14846.

update to version 2.9.11 with many bug fixes

update to version 2.9.10 with many bug fixes.

- Add CVE-2020-1733_avoid_mkdir_p.patch to fix CVE-2020-1733
  (bsc#1164140)

update to version 2.9.9

* fix for a regression introduced in 2.9.8

update to version 2.9.8, maintenance release containing numerous bugfixes

update to version 2.9.7 with many bug fixes,
especially for these security issues:

- bsc#1164140 CVE-2020-1733 - insecure temporary directory when
  running become_user from become directive
- bsc#1164139 CVE-2020-1734 shell enabled by default in a pipe
  lookup plugin subprocess
- bsc#1164137 CVE-2020-1735 - path injection on dest parameter
  in fetch module
- bsc#1164134 CVE-2020-1736 atomic_move primitive sets
  permissive permissions
- bsc#1164138 CVE-2020-1737 - Extract-Zip function in win_unzip
  module does not check extracted path
- bsc#1164136 CVE-2020-1738 module package can be selected by
  the ansible facts
- bsc#1164133 CVE-2020-1739  - svn module leaks password when
  specified as a parameter
- bsc#1164135 CVE-2020-1740 - secrets readable after
  ansible-vault edit
- bsc#1165393 CVE-2020-1746 - information disclosure issue in
  ldap_attr and ldap_entry modules
- bsc#1166389 CVE-2020-1753 - kubectl connection plugin leaks
  sensitive information
- bsc#1167532 CVE-2020-10684 - code injection when using
  ansible_facts as a subkey
- bsc#1167440 CVE-2020-10685 - modules which use files
  encrypted with vault are not properly cleaned up
- bsc#1167873 CVE-2020-10691 - archive traversal vulnerability in ansible-galaxy collection install [2]

Fixed before 2.9.6, but not yet listed:
- bsc#1171162 CVE-2020-10729 two random password lookups in
  same task return same value
- bsc#1157968 CVE-2019-14904 vulnerability in solaris_zone
  module via crafted solaris zone
- bsc#1157969 CVE-2019-14905 malicious code could craft
  filename in nxos_file_copy module
- bsc#1112959 CVE-2018-16837 Information leak in "user" module patch added
- (bsc#1137528) CVE-2019-10156: ansible: templating causing an
- bsc#1118896 CVE-2018-16876 Information disclosure in vvv+ mode with no_log on (https://github.com/ansible/ansible/pull/49569)
- Includes fix for bsc#1099808 (CVE-2018-10875) ansible.cfg is being read
  from current working directory allowing possible code execution

References

CVE: CVE-2021-20228
CVE: CVE-2021-20191
CVE: CVE-2021-20180
CVE: CVE-2021-20178
CVE: CVE-2020-1753
CVE: CVE-2020-1746
CVE: CVE-2020-1740
CVE: CVE-2020-1739
CVE: CVE-2020-1738
CVE: CVE-2020-1737
CVE: CVE-2020-1736
CVE: CVE-2020-1735
CVE: CVE-2020-1734
CVE: CVE-2020-1733
CVE: CVE-2020-14332
CVE: CVE-2020-14330
CVE: CVE-2020-10729
CVE: CVE-2020-10691
CVE: CVE-2020-10685
CVE: CVE-2020-10684
CVE: CVE-2019-14905
CVE: CVE-2019-14904
CVE: CVE-2019-14846
CVE: CVE-2019-10156
CVE: CVE-2018-16837
CVE: CVE-2018-10875
Bugzilla: 1181935 https://bugzilla.opensuse.org/show_bug.cgi?id=1181935
Bugzilla: 1181119 https://bugzilla.opensuse.org/show_bug.cgi?id=1181119
Bugzilla: 1180942 https://bugzilla.opensuse.org/show_bug.cgi?id=1180942
Bugzilla: 1180816 https://bugzilla.opensuse.org/show_bug.cgi?id=1180816
Bugzilla: 1174302 https://bugzilla.opensuse.org/show_bug.cgi?id=1174302
Bugzilla: 1174145 https://bugzilla.opensuse.org/show_bug.cgi?id=1174145
Bugzilla: 1171162 https://bugzilla.opensuse.org/show_bug.cgi?id=1171162
Bugzilla: 1167873 https://bugzilla.opensuse.org/show_bug.cgi?id=1167873
Bugzilla: 1167532 https://bugzilla.opensuse.org/show_bug.cgi?id=1167532
Bugzilla: 1167440 https://bugzilla.opensuse.org/show_bug.cgi?id=1167440
Bugzilla: 1166389 https://bugzilla.opensuse.org/show_bug.cgi?id=1166389
Bugzilla: 1165393 https://bugzilla.opensuse.org/show_bug.cgi?id=1165393
Bugzilla: 1164140 https://bugzilla.opensuse.org/show_bug.cgi?id=1164140
Bugzilla: 1164139 https://bugzilla.opensuse.org/show_bug.cgi?id=1164139
Bugzilla: 1164138 https://bugzilla.opensuse.org/show_bug.cgi?id=1164138
Bugzilla: 1164137 https://bugzilla.opensuse.org/show_bug.cgi?id=1164137
Bugzilla: 1164136 https://bugzilla.opensuse.org/show_bug.cgi?id=1164136
Bugzilla: 1164135 https://bugzilla.opensuse.org/show_bug.cgi?id=1164135
Bugzilla: 1164134 https://bugzilla.opensuse.org/show_bug.cgi?id=1164134
Bugzilla: 1164134 https://bugzilla.opensuse.org/show_bug.cgi?id=1164134
Bugzilla: 1164133 https://bugzilla.opensuse.org/show_bug.cgi?id=1164133
Bugzilla: 1157969 https://bugzilla.opensuse.org/show_bug.cgi?id=1157969
Bugzilla: 1157968 https://bugzilla.opensuse.org/show_bug.cgi?id=1157968
Bugzilla: 1137528 https://bugzilla.opensuse.org/show_bug.cgi?id=1137528
Bugzilla: 1126503 https://bugzilla.opensuse.org/show_bug.cgi?id=1126503
Bugzilla: 1118896 https://bugzilla.opensuse.org/show_bug.cgi?id=1118896
Bugzilla: 1112959 https://bugzilla.opensuse.org/show_bug.cgi?id=1112959
Bugzilla: 1099808 https://bugzilla.opensuse.org/show_bug.cgi?id=1099808

Packages

ansible-2.9.21-bp153.2.3.1