This update for ansible fixes the following issues: Ansible was updated to ansible 2.4.6.0. The full release notes can be found on: https://github.com/ansible/ansible/blob/stable-2.4/CHANGELOG.md Security issues fixed: - CVE-2018-10875: ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code. (bsc#1099808) - CVE-2018-10874: It was found that inventory variables are loaded from current working directory when running ad-hoc command which are under attacker's control, allowing to run arbitrary code as a result. (bsc#1099805) - CVE-2018-10855: Ansible did not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data
#1097775 #1099805 #1099808
Cross- CVE-2018-10855 CVE-2018-10874 CVE-2018-10875
Affected Products:
SUSE OpenStack Cloud Crowbar 8
SUSE OpenStack Cloud 8
HPE Helion Openstack 8
https://www.suse.com/security/cve/CVE-2018-10855.html
https://www.suse.com/security/cve/CVE-2018-10874.html
https://www.suse.com/security/cve/CVE-2018-10875.html
https://bugzilla.suse.com/1097775
https://bugzilla.suse.com/1099805
https://bugzilla.suse.com/1099808
Get the latest Linux and open source security news straight to your inbox.