Several security issues were fixed in Ansible.

==========================================================================
Ubuntu Security Notice USN-7330-1
March 05, 2025

ansible vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in Ansible.

Software Description:
- ansible: Configuration management, deployment, and task execution system

Details:

It was discovered that Ansible did not properly verify certain fields of X.509 certificates. An attacker could possibly use this issue to spoof SSL servers if they were able to intercept network communications. This issue only affected Ubuntu 14.04 LTS. (CVE-2015-3908)

Martin Carpenter discovered that certain connection plugins for Ansible did not properly restrict users. An attacker with local access could possibly use this issue to escape a restricted environment via symbolic links misuse. This issue only affected Ubuntu 14.04 LTS. (CVE-2015-6240)

Robin Schneider discovered that Ansible's apt_key module did not properly verify key fingerprints. A remote attacker could possibly use this issue to perform key injection, leading to the access of sensitive information. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-8614)

It was discovered that Ansible would expose passwords in certain instances. An attacker could possibly use specially crafted input related to this issue to access sensitive information. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-10206)

It was discovered that Ansible incorrectly logged sensitive information. An attacker with local access could possibly use this issue to access sensitive information. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 18.04 LTS. (CVE-2019-14846)

It was discovered that Ansible's solaris_zone module accepted input without performing input checking. A remote attacker could possibly use this issue to enable the execution of arbitrary code. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-14904)

It was discovered that Ansible did not generate sufficiently random values, which could lead to the exposure of passwords. An attacker could possibly use this issue to access sensitive information. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2020-10729)

It was discovered that Ansible's svn module could disclose passwords to users within the same node. An attacker could possibly use this issue to access sensitive information. (CVE-2020-1739)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
  ansible 2.9.6+dfsg-1ubuntu0.1~esm3
    Available with Ubuntu Pro

Ubuntu 18.04 LTS
  ansible 2.5.1+dfsg-1ubuntu0.1+esm5
    Available with Ubuntu Pro

Ubuntu 16.04 LTS
  ansible 2.0.0.2-2ubuntu1.3+esm5
    Available with Ubuntu Pro
  ansible-fireball 2.0.0.2-2ubuntu1.3+esm5
    Available with Ubuntu Pro
  ansible-node-fireball 2.0.0.2-2ubuntu1.3+esm5
    Available with Ubuntu Pro

Ubuntu 14.04 LTS
  ansible 1.5.4+dfsg-1ubuntu0.1~esm3
    Available with Ubuntu Pro
  ansible-fireball 1.5.4+dfsg-1ubuntu0.1~esm3
    Available with Ubuntu Pro
  ansible-node-fireball 1.5.4+dfsg-1ubuntu0.1~esm3
    Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7330-1
  CVE-2015-3908, CVE-2015-6240, CVE-2016-8614, CVE-2019-10206, CVE-2019-14846, CVE-2019-14904, CVE-2020-10729, CVE-2020-1739

A critical security alert from Ansible uncovers several threats necessitating prompt upgrades to protect Ubuntu installations.
ansible security, Ubuntu updates, security issues, configuration management, software vulnerabilities.
Severity: Critical.
LinuxSecurity.com Team
Update to upstream bugfix and security release 2.9.13.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2020-0450cfd7e3
2020-09-12 16:36:51.588651
--------------------------------------------------------------------------------

Name        : ansible
Product     : Fedora 31
Version     : 2.9.13
Release     : 1.fc31
URL         : https://www.redhat.com/en/ansible-collaborative
Summary     : SSH-based configuration management, deployment, and task execution system
Description :
Ansible is a radically simple model-driven configuration management, multi-node deployment, and remote task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically.

--------------------------------------------------------------------------------
Update Information:

Update to upstream bugfix and security release 2.9.13.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Sep 1 2020 Kevin Fenzi - 2.9.13-1
- Update to 2.9.13. Fixes CVE-2020-14365
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-0450cfd7e3' at the command line.
For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list --
Several vulnerabilities were discovered in Ansible, a configuration management, deployment, and task execution system.

Package        : ansible
Version        : 1.7.2+dfsg-2+deb8u3
CVE ID         : CVE-2019-14846 CVE-2020-1733 CVE-2020-1739 CVE-2020-1740
Debian Bug     : 942188

Several vulnerabilities were discovered in Ansible, a configuration management, deployment, and task execution system.

CVE-2019-14846

    Ansible was logging at the DEBUG level which led to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.

CVE-2020-1733

    A race condition flaw was found when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with "umask 77 && mkdir -p dir"; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating '/proc/pid/cmdline'.

CVE-2020-1739

    A flaw was found when a password is set with the argument "password" of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cmdline file from that particular PID on the procfs.

CVE-2020-1740

    A flaw was found when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely.

For Debian 8 "Jessie", these problems have been fixed in version 1.7.2+dfsg-2+deb8u3.

We recommend that you upgrade your ansible packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

Ensure your ansible packages are updated on Debian 8, as recent versions have resolved security issues.
Ansible Security Update, Debian LTS, Task Execution Flaws, Configuration Management.
Severity: Critical.
LinuxSecurity.com Team
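The two local flaws in the Debian advisory above, CVE-2020-1733 (a "mkdir -p" that accepts a directory someone else already created) and CVE-2020-1740 (a mkstemp file that is closed, deleted and recreated), both come down to how temporary paths are created. The following is an added example, not Ansible's code or its actual fix; the function names and the directory name are hypothetical, and the "planted" directory is constructed to stand in for one created by another user.

```python
import os
import shutil
import stat
import tempfile


def mkdir_p_style(path):
    """Analogue of `umask 77 && mkdir -p dir`: succeeds silently if path exists."""
    old = os.umask(0o077)
    try:
        os.makedirs(path, exist_ok=True)  # no error, no ownership or mode check
    finally:
        os.umask(old)
    return path


def create_private_dir(path):
    """Create path atomically and refuse anything that was already there."""
    os.mkdir(path, 0o700)  # raises FileExistsError if the path already exists
    st = os.lstat(path)
    if st.st_uid != os.geteuid() or stat.S_IMODE(st.st_mode) != 0o700:
        raise PermissionError(f"{path}: unexpected owner or mode")
    return path


def write_secret(data, directory):
    """Write through the descriptor mkstemp returned; never delete and recreate."""
    fd, path = tempfile.mkstemp(dir=directory)  # opened with O_EXCL, mode 0600
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo():
    base = tempfile.mkdtemp()
    results = {}
    try:
        # Constructed stand-in for a directory pre-created by another local user.
        planted = os.path.join(base, "ansible-tmp-constructed")
        os.mkdir(planted)
        os.chmod(planted, 0o777)

        mkdir_p_style(planted)  # returns normally; directory is still wide open
        results["mkdir_p_mode"] = stat.S_IMODE(os.lstat(planted).st_mode)

        try:
            create_private_dir(planted)
            results["strict_refused"] = False
        except FileExistsError:
            results["strict_refused"] = True

        fresh = create_private_dir(os.path.join(base, "fresh"))
        secret = write_secret(b"constructed-secret", fresh)
        results["file_mode"] = stat.S_IMODE(os.lstat(secret).st_mode)
        with open(secret, "rb") as fh:
            results["content"] = fh.read()
    finally:
        shutil.rmtree(base)
    return results


if __name__ == "__main__":
    print(demo())
```
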
Update to bugfix release 2.9.3. See https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2020-caf7f7d0d9
2020-01-31 01:59:12.859064
--------------------------------------------------------------------------------

Name        : ansible
Product     : Fedora 31
Version     : 2.9.3
Release     : 1.fc31
URL         : https://www.redhat.com/en/ansible-collaborative?intcmp=7015Y000003t7aWQAQ/
Summary     : SSH-based configuration management, deployment, and task execution system
Description :
Ansible is a radically simple model-driven configuration management, multi-node deployment, and remote task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically.

--------------------------------------------------------------------------------
Update Information:

Update to bugfix release 2.9.3. See https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jan 16 2020 Kevin Fenzi - 2.9.3-1
- Update to 2.9.3.
* Sun Dec 8 2019 Kevin Fenzi - 2.9.2-1
- Update to 2.9.2.
* Thu Nov 14 2019 Kevin Fenzi - 2.9.1-2
- Add Requires for python3-pyyaml
* Wed Nov 13 2019 Kevin Fenzi - 2.9.1-1
- Update to 2.9.1.
* Fri Nov 8 2019 Kevin Fenzi - 2.9.0-2
- Suppress pwsh requires added by rpm.
* Thu Oct 31 2019 Kevin Fenzi - 2.9.0-1
- Update to 2.9.0.
* Thu Oct 17 2019 Kevin Fenzi - 2.8.6-1
- Update to 2.8.6.
- Rework spec file to drop old conditionals.
* Thu Oct 10 2019 Kevin Fenzi - 2.8.5-2
- Make python3-paramiko and python3-winrm Recommended so they install on Fedora and not RHEL8
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1777692 - CVE-2019-14905 ansible: malicious code could craft filename in nxos_file_copy module [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1777692
  [ 2 ] Bug #1777689 - CVE-2019-14904 ansible: vulnerability in solaris_zone module via crafted solaris zone [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1777689
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-caf7f7d0d9' at the command line.
For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list --
Several security issues were fixed in Ansible.

=========================================================================
Ubuntu Security Notice USN-4072-1
July 24, 2019

ansible vulnerabilities
=========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 19.04
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Ansible.

Software Description:
- ansible: Configuration management, deployment, and task execution system

Details:

It was discovered that Ansible failed to properly handle sensitive information. A local attacker could use those vulnerabilities to extract them. (CVE-2017-7481) (CVE-2018-10855) (CVE-2018-16837) (CVE-2018-16876) (CVE-2019-10156)

It was discovered that Ansible could load configuration files from the current working directory containing crafted commands. An attacker could run arbitrary code as result. (CVE-2018-10874) (CVE-2018-10875)

It was discovered that Ansible fetch module had a path traversal vulnerability. A local attacker could copy and overwrite files outside of the specified destination. (CVE-2019-3828)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04:
  ansible 2.7.8+dfsg-1ubuntu0.19.04.1

Ubuntu 18.04 LTS:
  ansible 2.5.1+dfsg-1ubuntu0.1

Ubuntu 16.04 LTS:
  ansible 2.0.0.2-2ubuntu1.3

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-4072-1
  CVE-2017-7481, CVE-2018-10855, CVE-2018-10874, CVE-2018-10875, CVE-2018-16837, CVE-2018-16876, CVE-2019-10156, CVE-2019-3828

Package Information:
  https://launchpad.net/ubuntu/+source/ansible/2.7.8+dfsg-1ubuntu0.19.04.1
  https://launchpad.net/ubuntu/+source/ansible/2.5.1+dfsg-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/ansible/2.0.0.2-2ubuntu1.3

Ubuntu versions 19.04, 18.04 LTS, and 16.04 LTS have received security patches for Ansible vulnerabilities. Users should apply updates ASAP.
Ansible Security, Ubuntu Update, Configuration Management, Security Advisory.
Severity: Important.
LinuxSecurity.com Team
Add patch to fix dnf module groupinstall handling ---- Update to new ansible 2.2 version. For full changes see: https://github.com/ansible/ansible/blob/stable-2.2/CHANGELOG.md

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2016-3113e71193
2016-11-07 18:37:53.924803
--------------------------------------------------------------------------------

Name        : ansible
Product     : Fedora 24
Version     : 2.2.0.0
Release     : 3.fc24
URL         : https://www.redhat.com/en/ansible-collaborative
Summary     : SSH-based configuration management, deployment, and task execution system
Description :
Ansible is a radically simple model-driven configuration management, multi-node deployment, and remote task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically.

--------------------------------------------------------------------------------
Update Information:

Add patch to fix dnf module groupinstall handling

----

Update to new ansible 2.2 version. For full changes see: https://github.com/ansible/ansible/blob/stable-2.2/CHANGELOG.md
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1388531 - [Errno 25] Inappropriate ioctl for device
        https://bugzilla.redhat.com/show_bug.cgi?id=1388531
  [ 2 ] Bug #1387621 - dnf module doesn't work with a rawhide host
        https://bugzilla.redhat.com/show_bug.cgi?id=1387621
  [ 3 ] Bug #1381538 - NameError: global name 'AnsibleError' is not defined
        https://bugzilla.redhat.com/show_bug.cgi?id=1381538
  [ 4 ] Bug #1390650 - CVE-2016-8614 ansible: Improper verification of key fingerprints in apt_key module [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1390650
  [ 5 ] Bug #1390646 - CVE-2016-8628 ansible: Command injection by compromised server via ansible_ssh_executable or ssh_args [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1390646
  [ 6 ] Bug #1390564 - ansible-2.2.0.0 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1390564
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade ansible' at the command line.
For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list --
Update to 1.9.2. Fixes CVE-2015-3908 (hostname and cert matching in some modules and plugins) and another not yet issued CVE on chroot/jail/zone connection plugins as well as a number of bugfixes.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2015-10807
2015-06-26 18:11:49
--------------------------------------------------------------------------------

Name        : ansible
Product     : Fedora 21
Version     : 1.9.2
Release     : 1.fc21
URL         : https://www.redhat.com/en/ansible-collaborative
Summary     : SSH-based configuration management, deployment, and task execution system
Description :
Ansible is a radically simple model-driven configuration management, multi-node deployment, and remote task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically.

--------------------------------------------------------------------------------
Update Information:

Update to 1.9.2. Fixes CVE-2015-3908 (hostname and cert matching in some modules and plugins) and another not yet issued CVE on chroot/jail/zone connection plugins as well as a number of bugfixes.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jun 25 2015 Kevin Fenzi 1.9.2-1
- Update to 1.9.2
* Tue Jun 16 2015 Fedora Release Engineering - 1.9.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Wed May 27 2015 Toshio Kuratomi - 1.9.1-2
- Fix for dnf
* Tue Apr 28 2015 Kevin Fenzi 1.9.1-1
- Update to 1.9.1
* Wed Mar 25 2015 Kevin Fenzi 1.9.0.1-2
- Drop upstreamed epel6 patches.
* Wed Mar 25 2015 Kevin Fenzi 1.9.0.1-1
- Update to 1.9.0.1
* Wed Mar 25 2015 Kevin Fenzi 1.9.0-1
- Update to 1.9.0
* Thu Feb 19 2015 Kevin Fenzi 1.8.4-1
- Update to 1.8.4
* Tue Feb 17 2015 Kevin Fenzi 1.8.3-1
- Update to 1.8.3
* Sun Jan 11 2015 Toshio Kuratomi - 1.8.2-3
- Work around a bug in python2.6 by using simplejson (applies in EPEL6)
* Wed Dec 17 2014 Michael Scherer 1.8.2-2
- precreate /etc/ansible/roles and /usr/share/ansible_plugins
* Sun Dec 7 2014 Kevin Fenzi 1.8.2-1
- Update to 1.8.2
* Thu Nov 27 2014 Kevin Fenzi 1.8.1-1
- Update to 1.8.1
* Tue Nov 25 2014 Kevin Fenzi 1.8-2
- Rebase el6 patch
* Tue Nov 25 2014 Kevin Fenzi 1.8-1
- Update to 1.8
* Thu Oct 9 2014 Toshio Kuratomi - 1.7.2-2
- Add /usr/bin/ansible to the rhel6 newer pycrypto patch
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update ansible' at the command line.
For more information, refer to "Managing Software with yum", available at .

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list