Debian: DSA-4396-1: ansible security update

Several vulnerabilities have been found in Ansible, a configuration management, deployment, and task execution system: CVE-2018-10855 / CVE-2018-16876

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4396-1                   This email address is being protected from spambots. You need JavaScript enabled to view it.
https://www.debian.org/security/                       Moritz Muehlenhoff
February 19, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ansible
CVE ID         : CVE-2018-10855 CVE-2018-10875 CVE-2018-16837 CVE-2018-16876 
                 CVE-2019-3828

Several vulnerabilities have been found in Ansible, a configuration
management, deployment, and task execution system:

CVE-2018-10855 / CVE-2018-16876

    The no_log task flag wasn't honored, resulting in an information leak.

CVE-2018-10875

    ansible.cfg was read from the current working directory.

CVE-2018-16837

    The user module leaked parameters passed to ssh-keygen to the process
    environment.

CVE-2019-3828

    The fetch module was susceptible to path traversal.

For the stable distribution (stretch), these problems have been fixed in
version 2.2.1.0-2+deb9u1.

We recommend that you upgrade your ansible packages.

For the detailed security status of ansible please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ansible

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.