openSUSE Security Update: Security update for ansible
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2019:1635-1
Rating:             moderate
References:         #1109957 #1112959 #1118896 #1126503 
Cross-References:   CVE-2018-16837 CVE-2018-16859 CVE-2018-16876
                    CVE-2019-3828
Affected Products:
                    SUSE Package Hub for SUSE Linux Enterprise 12
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   This update for ansible fixes the following issues:

   Ansible was updated to version 2.8.1:

   Full changelog is at /usr/share/doc/packages/ansible/changelogs/

   - Bugfixes

     - ACI - Do not encode query_string
     - ACI modules - Fix non-signature authentication
     - Add missing directory provided via ``--playbook-dir`` to adjacent
       collection loading
     - Fix "Interface not found" errors when using eos_l2_interface with
       nonexistent interfaces configured
     - Fix cannot get credential when `source_auth` set to `credential_file`.
     - Fix netconf_config backup string issue
     - Fix privilege escalation support for the docker connection plugin when
       credentials need to be supplied (e.g. sudo with password).
     - Fix vyos cli prompt inspection
     - Fixed loading namespaced documentation fragments from collections.
     - Fix a bug that came up after running the cnos_vrf module against
       Coverity.
     - Properly handle data importer failures on PVC creation, instead of
       timing out.
     - To fix the ios static route TC failure in CI
     - To fix the nios member module params
     - To fix the nios_zone module idempotency failure
     - add terminal initial prompt for initial connection
     - allow include_role to work with ansible command
     - allow python_requirements_facts to report on dependencies containing
       dashes
     - asa_config fix
     - azure_rm_roledefinition - fix a small error in build scope.
     - azure_rm_virtualnetworkpeering - fix cross subscriptions virtual
       network peering.
     - cgroup_perf_recap - When not using file_per_task, make sure we don't
       prematurely close the perf files
     - display underlying error when reporting an invalid ``tasks:`` block.
     - dnf - fix wildcard matching for state: absent
     - docker connection plugin - accept version ``dev`` as 'newest version'
       and print warning.
     - docker_container - ``oom_killer`` and ``oom_score_adj`` options are
       available since docker-py 1.8.0, not 2.0.0 as assumed by the version
       check.
     - docker_container - fix network creation when
       ``networks_cli_compatible`` is enabled.
     - docker_container - use docker API's ``restart`` instead of
       ``stop``/``start`` to restart a container.
     - docker_image - if ``build`` was not specified, the wrong default for
       ``build.rm`` is used.
     - docker_image - if ``nocache`` set to ``yes`` but not
       ``build.nocache``, the module failed.
     - docker_image - module failed when ``source: build`` was set but
       ``build.path`` options not specified.
     - docker_network module - fix idempotency when using ``aux_addresses``
       in ``ipam_config``.
     - ec2_instance - make Name tag idempotent
     - eos: don't fail modules without become set, instead show message and
       continue
     - eos_config: check for session support when asked to 'diff_against:
       session'
     - eos_eapi: fix idempotency issues when vrf was unspecified.
     - fix bugs for ce - more info see
     - fix incorrect uses of to_native that should be to_text instead.
     - hcloud_volume - Fix idempotency when attaching a server to a volume.
     - ibm_storage - Added a check for null fields in ibm_storage utils
       module.
     - include_tasks - whitelist ``listen`` as a valid keyword
     - k8s - resource updates applied with force work correctly now
     - keep results subset also when not no_log.
     - meraki_switchport - improve reliability with native VLAN functionality.
     - netapp_e_iscsi_target - fix netapp_e_iscsi_target chap secret size and
       clearing functionality
     - netapp_e_volumes - fix workload profileId indexing when no previous
       workload tags exist on the storage array.
     - nxos_acl some platforms/versions raise when no ACLs are present
     - nxos_facts fix
     - nxos_file_copy fix passwordless workflow
     - nxos_interface Fix admin_state check for n6k
     - nxos_snmp_traps fix group all for N35 platforms
     - nxos_snmp_user fix platform fixes for get_snmp_user
     - nxos_vlan mode idempotence bug
     - nxos_vlan vlan names containing regex ctl chars should be escaped
     - nxos_vtp_* modules fix n6k issues
     - openssl_certificate - fix private key passphrase handling for
       ``cryptography`` backend.
     - openssl_pkcs12 - fixes crash when private key has a passphrase and the
       module is run a second time.
     - os_stack - Apply tags conditionally so that the module does not throw
       up an error when using an older distro of openstacksdk
     - pass correct loading context to persistent connections other than local
     - pkg_mgr - Ansible 2.8.0 failing to install yum packages on Amazon Linux
     - postgresql - added initial SSL related tests
     - postgresql - added missing_required_libs, removed excess param mapping
     - postgresql - move connect_to_db and get_pg_version into
       module_utils/postgres.py
       (https://github.com/ansible/ansible/pull/55514)
     - postgresql_db - add note to the documentation about state dump and the
       incorrect rc (https://github.com/ansible/ansible/pull/57297)
     - postgresql_db - fix for postgresql_db fails if stderr contains output
     - postgresql_ping - fixed a typo in the module documentation
     - preserve actual ssh error when we cannot connect.
     - route53_facts - the module did not advertise check mode support,
       causing it not to be run in check mode.
     - sysctl: the module now also checks the output of STDERR to report if
       values are correctly set
       (https://github.com/ansible/ansible/pull/55695)
     - ufw - correctly check status when logging is off
     - uri - always return a value for status even during failure
     - urls - Handle redirects properly for IPv6 address by not splitting on
       ``:`` and rely on already parsed hostname and port values
     - vmware_vm_facts - fix the support with regular ESXi
     - vyos_interface fix
     - we don't really need to template vars on definition as we do this on
       demand in templating.
     - win_acl - Fix qualifier parser when using UNC paths
     - win_hostname - Fix non netbios compliant name handling
     - winrm - Fix issue when attempting to parse CLIXML on send input failure
     - xenserver_guest - fixed an issue where VM would be powered off even
       though check mode is used if reconfiguration requires VM to be powered
       off.
     - xenserver_guest - proper error message is shown when maximum number of
       network interfaces is reached and multiple network interfaces are
       added at once.
     - yum - Fix false error message about autoremove not being supported
     - yum - fix failure when using ``update_cache`` standalone
     - yum - handle special "_none_" value for proxy in yum.conf and .repo
       files
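
   The ``urls`` redirect item in the list above (not splitting the network
   location on ``:`` and relying on the already parsed hostname and port)
   names a parsing pitfall that is easy to reproduce. The Python below is an
   added illustration, not code from Ansible or from this advisory:
   ``naive_host_port`` shows the failure mode of splitting a URL's network
   location on ``:`` (an IPv6 literal contains several), while
   ``parsed_host_port`` and ``same_origin`` use the hostname and port that
   ``urllib.parse.urlsplit`` has already derived. The function names, the
   ``same_origin`` check (the kind of comparison a redirect handler makes
   before deciding whether a target is still the original host) and the
   sample URLs are all constructed for this example.

```python
"""Why splitting a URL's network location on ':' breaks for IPv6 hosts.

Illustrative example, not Ansible's own code. The naive function reproduces
the failure mode; the parsed variants rely on what urllib already parsed.
"""
from urllib.parse import urlsplit

# Constructed defaults used when the URL carries no explicit port.
DEFAULT_PORTS = {"http": 80, "https": 443}


def naive_host_port(url):
    """Buggy approach: split the netloc on ':' to obtain (host, port).

    Works for 'example.com:8080', but an IPv6 literal such as
    '[2001:db8::1]:8443' contains many ':' characters, so the first split
    tears the address apart and the port is never recognised.
    """
    netloc = urlsplit(url).netloc
    if ":" not in netloc:
        return netloc, None
    host, port = netloc.split(":", 1)  # wrong for IPv6 literals
    return host, (int(port) if port.isdigit() else None)


def parsed_host_port(url):
    """Correct approach: use the hostname and port urlsplit already parsed.

    urlsplit strips the brackets from an IPv6 literal and reads the port
    only after the closing ']', so the host is never split at a ':'.
    A missing port falls back to the scheme default (constructed table).
    """
    parts = urlsplit(url)
    port = parts.port  # None when absent; ValueError if non-numeric
    if port is None:
        port = DEFAULT_PORTS.get(parts.scheme)
    return parts.hostname, port


def same_origin(original, redirect):
    """Report whether a redirect target stays on the original host and port.

    A redirect handler uses a check like this before reusing connection
    state or credentials; with the naive parser an IPv6 origin never
    matches itself, so every IPv6 redirect would be misclassified.
    """
    return parsed_host_port(original) == parsed_host_port(redirect)


if __name__ == "__main__":
    # Constructed sample URLs: one hostname, one IPv6 literal.
    for sample in ("http://example.com:8080/p", "http://[2001:db8::1]:8443/p"):
        print(sample, "naive:", naive_host_port(sample),
              "parsed:", parsed_host_port(sample))
```

   Running the block prints the naive result ``('[2001', None)`` for the
   IPv6 sample beside the correct ``('2001:db8::1', 8443)``; the hostname
   returned by ``urlsplit`` is lower-cased and bracket-free, so comparisons
   between an origin and its redirect target are consistent.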

   Update to version 2.8.0

   Major changes:

     * Experimental support for Ansible Collections and content namespacing -
       Ansible content can now be packaged in a collection and addressed via
       namespaces. This allows for easier sharing, distribution, and
       installation of bundled modules/roles/plugins, and consistent rules
       for accessing specific content via namespaces.
     * Python interpreter discovery - The first time a Python module runs on
       a target, Ansible will attempt to discover the proper default Python
       interpreter to use for the target platform/version (instead of
       immediately defaulting to /usr/bin/python). You can override this
       behavior by setting ansible_python_interpreter or via config. (see
       https://github.com/ansible/ansible/pull/50163)
     * become - The deprecated CLI arguments for --sudo, --sudo-user,
       --ask-sudo-pass, -su, --su-user, and --ask-su-pass have been removed,
       in favor of the more generic --become, --become-user,
       --become-method, and --ask-become-pass.
     * become - become functionality has been migrated to a plugin
       architecture, to allow customization of become functionality and 3rd
       party become methods (https://github.com/ansible/ansible/pull/50991)

   - addresses CVE-2018-16859, CVE-2018-16876, CVE-2019-3828, CVE-2018-16837

   For the full changelog see /usr/share/doc/packages/ansible/changelogs or
   online:
   .
   8.rst


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Package Hub for SUSE Linux Enterprise 12:

      zypper in -t patch openSUSE-2019-1635=1



Package List:

   - SUSE Package Hub for SUSE Linux Enterprise 12 (noarch):

      ansible-2.8.1-12.1


References:

   https://www.suse.com/security/cve/CVE-2018-16837.html
   https://www.suse.com/security/cve/CVE-2018-16859.html
   https://www.suse.com/security/cve/CVE-2018-16876.html
   https://www.suse.com/security/cve/CVE-2019-3828.html
   https://bugzilla.suse.com/1109957
   https://bugzilla.suse.com/1112959
   https://bugzilla.suse.com/1118896
   https://bugzilla.suse.com/1126503

openSUSE: 2019:1635-1: moderate: ansible
June 27, 2019