Alerts This Week
Warning Icon 1 640
Alerts This Week
Warning Icon 1 640

SUSE: 2018:4130-1 Moderate: Ansible Security Vulnerability Advisory

suse
Calendar Grey December 14, 2018
Dist Suse Esm H88
SUSE releases critical update for ansible, addressing a range of vulnerabilities impacting several distributions. Immediate application recommended.
An update that fixes three vulnerabilities is now available

Summary

This update for ansible fixes the following issues: Ansible was updated to ansible 2.4.6.0. The full release notes can be found on: https://github.com/ansible/ansible/blob/stable-2.4/CHANGELOG.md Security issues fixed: - CVE-2018-10875: ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code. (bsc#1099808) - CVE-2018-10874: It was found that inventory variables are loaded from current working directory when running ad-hoc command which are under attacker's control, allowing to run arbitrary code as a result. (bsc#1099805) - CVE-2018-10855: Ansible did not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data

References

#1097775 #1099805 #1099808

Cross- CVE-2018-10855 CVE-2018-10874 CVE-2018-10875

Affected Products:

SUSE OpenStack Cloud Crowbar 8

SUSE OpenStack Cloud 8

HPE Helion Openstack 8

https://www.suse.com/security/cve/CVE-2018-10855.html

https://www.suse.com/security/cve/CVE-2018-10874.html

https://www.suse.com/security/cve/CVE-2018-10875.html

https://bugzilla.suse.com/1097775

https://bugzilla.suse.com/1099805

https://bugzilla.suse.com/1099808

Announcement ID: SUSE-SU-2018:4130-1
Rating: moderate

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here