Mageia 2020-0060: ansible security update

    Date: 27 Jan 2020
    Posted By: LinuxSecurity Advisories
    MGASA-2020-0060 - Updated ansible package fixes security vulnerabilities
    
    Publication date: 28 Jan 2020
    URL: https://advisories.mageia.org/MGASA-2020-0060.html
    Type: security
    Affected Mageia releases: 7
    CVE: CVE-2019-14904,
         CVE-2019-14905
    
    A flaw was found in the solaris_zone module from the Ansible Community
    modules. When setting the name for the zone on the Solaris host, the
    zone name is checked by listing processes with a bare 'ps' command
    on the remote machine. An attacker could take advantage of this flaw by
    crafting the name of the zone to execute arbitrary commands on the
    remote host (CVE-2019-14904).
    
    A vulnerability was found in Ansible's nxos_file_copy module, which is
    used to copy files to flash or bootflash on NXOS devices. Malicious
    code could craft the filename parameter to perform OS command
    injection. This could result in a loss of confidentiality of the
    system, among other issues (CVE-2019-14905).
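
The zone-name flaw described above (CVE-2019-14904) follows a common pattern: a user-supplied name is pasted into a command string that a shell parses. The added example below is not the Ansible module's code; it contrasts that pattern with a validated argv list. The `ps -z ... -o args` line is a simplified stand-in, and the naming rule in `ZONE_NAME_RE` and all function names are assumptions made for illustration.

```python
import re
import shlex

# Assumption: zone names start with an alphanumeric and continue with
# alphanumerics, '.', '_' or '-', 64 characters at most.
ZONE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def shell_string_check(zone_name):
    """Weak pattern: the name is pasted into a string handed to a shell."""
    return "ps -z %s -o args" % zone_name


def argv_check(zone_name):
    """Hardened pattern: validate the name, then build an argv list (no shell)."""
    if not isinstance(zone_name, str) or not ZONE_NAME_RE.fullmatch(zone_name):
        raise ValueError("invalid zone name: %r" % (zone_name,))
    return ["ps", "-z", zone_name, "-o", "args"]


def shell_operators(command):
    """Return the shell control operators a POSIX shell would see in command."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    ops = set("();<>|&")
    try:
        return [tok for tok in lexer if tok and set(tok) <= ops]
    except ValueError:  # unbalanced quote: not a clean single command either
        return ["<unparsable>"]


def audit(zone_name):
    """Summarise how each pattern treats one candidate name."""
    try:
        argv = argv_check(zone_name)
    except ValueError:
        argv = None
    return {
        "operators_in_shell_string": shell_operators(shell_string_check(zone_name)),
        "argv": argv,
    }


if __name__ == "__main__":
    # Constructed sample names; the second carries a shell command separator.
    for name in ("web01", "web01; echo INJECTED", "db_zone.2"):
        print(repr(name), audit(name))
```

A name that yields a non-empty operator list would have been split into more than one command by the shell; the hardened path rejects it before any process is started.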
    
    References:
    - https://bugs.mageia.org/show_bug.cgi?id=26125
    - https://github.com/ansible/ansible/blob/v2.7.16/changelogs/CHANGELOG-v2.7.rst
    - https://access.redhat.com/errata/RHSA-2020:0217
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14904
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14905
    
    SRPMS:
    - 7/core/ansible-2.7.16-1.mga7
    