Submit a story to LinuxSecurity!

Thanks very much for your interest in sharing your story with us. Our site is driven by users like you.

Post anonymously

Please also feel free to using our GPG key (found on our About page) or email us at This email address is being protected from spambots. You need JavaScript enabled to view it.

 

    Back

    Debian: DSA-4396-1: ansible security update

    Date19 Feb 2019
    CategoryDebian
    5571
    Posted ByLinuxSecurity Advisories
    Several vulnerabilities have been found in Ansible, a configuration management, deployment, and task execution system: CVE-2018-10855 / CVE-2018-16876 
    -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4396-1                   This email address is being protected from spambots. You need JavaScript enabled to view it.
https://www.debian.org/security/                       Moritz Muehlenhoff
February 19, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ansible
CVE ID         : CVE-2018-10855 CVE-2018-10875 CVE-2018-16837 CVE-2018-16876 
                 CVE-2019-3828

Several vulnerabilities have been found in Ansible, a configuration
management, deployment, and task execution system:

CVE-2018-10855 / CVE-2018-16876

    The no_log task flag wasn't honored, resulting in an information leak.

CVE-2018-10875

    ansible.cfg was read from the current working directory.

CVE-2018-16837

    The user module leaked parameters passed to ssh-keygen to the process
    environment.

CVE-2019-3828

    The fetch module was susceptible to path traversal.

For the stable distribution (stretch), these problems have been fixed in
version 2.2.1.0-2+deb9u1.

We recommend that you upgrade your ansible packages.

For the detailed security status of ansible please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ansible

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.

    Related News

    Fake EFF site serving espionage malware was likely active for 3+ weeks
    Fake EFF site serving espionage malware was likely active for 3+ weeks
    Full Disk Encryption Dos and Don'ts
    Full Disk Encryption Dos and Don'ts
    PKI Doesn’t Have To Be Perfect To Be Worthwhile
    PKI Doesn’t Have To Be Perfect To Be Worthwhile
    Updated CERT Activity Notes
    Updated CERT Activity Notes
    You are not authorised to post comments.

    LinuxSecurity Poll

    In your opinion, what is the biggest advantage associated with choosing open-source software/products?

    Message!

    Poll results are hidden from public viewing.

    You are not authorized to vote on this poll.

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 4 answer(s).
    /component/communitypolls/?task=poll.vote
    8
    radio
    bottom200

    Advisories

    Debian: DSA-4416-1: wireshark security update
    Date24 Mar 2019 @ 09:01
    Debian: DSA-4415-1: passenger security update
    Date24 Mar 2019 @ 07:02
    ArchLinux: 201903-14: firefox: arbitrary code execution
    Date24 Mar 2019 @ 05:34
    Debian: DSA-4414-1: libapache2-mod-auth-mellon security update
    Date23 Mar 2019 @ 15:33

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy. 

    Learn More