author | Sylvain Beucler <beuc@beuc.net> | 2020-05-05 16:18:58 +0200 |
---|---|---|
committer | Sylvain Beucler <beuc@beuc.net> | 2020-05-05 16:18:58 +0200 |
commit | ead2e8d97a3a41854042efd7727b6da7fe4b05b7 | |
tree | b5542ea7cb47745f8f575e6b27a8cf2f7f2e411b /english | |
parent | a5e4e9174786c758beaf054ccc6c89b05a203dc4 | |
DLA-2202-1
Diffstat (limited to 'english')
-rw-r--r-- | english/lts/security/2020/dla-2202.data | 10 |
-rw-r--r-- | english/lts/security/2020/dla-2202.wml | 61 |
2 files changed, 71 insertions, 0 deletions
diff --git a/english/lts/security/2020/dla-2202.data b/english/lts/security/2020/dla-2202.data new file mode 100644 index 00000000000..b3c47354d5b --- /dev/null +++ b/english/lts/security/2020/dla-2202.data @@ -0,0 +1,10 @@ +<define-tag pagetitle>DLA-2202-1 ansible</define-tag> +<define-tag report_date>2020-05-05</define-tag> +<define-tag secrefs>CVE-2019-14846 CVE-2020-1733 CVE-2020-1739 CVE-2020-1740 Bug#942188</define-tag> +<define-tag packages>ansible</define-tag> +<define-tag isvulnerable>yes</define-tag> +<define-tag fixed>yes</define-tag> +<define-tag fixed-section>no</define-tag> + +#use wml::debian::security + diff --git a/english/lts/security/2020/dla-2202.wml b/english/lts/security/2020/dla-2202.wml new file mode 100644 index 00000000000..8973197f747 --- /dev/null +++ b/english/lts/security/2020/dla-2202.wml 
@@ -0,0 +1,61 @@ +<define-tag description>LTS security update</define-tag> +<define-tag moreinfo> + +<p>Several vulnerabilities were discovered in Ansible, a configuration +management, deployment, and task execution system.</p> + +<ul> + +<li><a href="https://security-tracker.debian.org/tracker/CVE-2019-14846">CVE-2019-14846</a> + + <p>Ansible was logging at the DEBUG level which lead to a disclosure + of credentials if a plugin used a library that logged credentials + at the DEBUG level. This flaw does not affect Ansible modules, as + those are executed in a separate process.</p> + +<p></p></li> + +<li><a href="https://security-tracker.debian.org/tracker/CVE-2020-1733">CVE-2020-1733</a> + + <p>A race condition flaw was found when running a playbook with an + unprivileged become user. When Ansible needs to run a module with + become user, the temporary directory is created in /var/tmp. This + directory is created with "umask 77 && mkdir -p dir"; this + operation does not fail if the directory already exists and is + owned by another user. An attacker could take advantage to gain + control of the become user as the target directory can be + retrieved by iterating '/proc/pid/cmdline'.</p></li> + +<li><a href="https://security-tracker.debian.org/tracker/CVE-2020-1739">CVE-2020-1739</a> + + <p>A flaw was found when a password is set with the argument + <q>password</q> of svn module, it is used on svn command line, + disclosing to other users within the same node. An attacker could + take advantage by reading the cmdline file from that particular + PID on the procfs.</p></li> + +<li><a href="https://security-tracker.debian.org/tracker/CVE-2020-1740">CVE-2020-1740</a> + + <p>A flaw was found when using Ansible Vault for editing encrypted + files. 
When a user executes "ansible-vault edit", another user on + the same computer can read the old and new secret, as it is + created in a temporary file with mkstemp and the returned file + descriptor is closed and the method write_data is called to write + the existing secret in the file. This method will delete the file + before recreating it insecurely.</p></li> + +</ul> + +<p>For Debian 8 <q>Jessie</q>, these problems have been fixed in version +1.7.2+dfsg-2+deb8u3.</p> + +<p>We recommend that you upgrade your ansible packages.</p> + +<p>Further information about Debian LTS security advisories, how to apply +these updates to your system and frequently asked questions can be +found at: <a href="https://wiki.debian.org/LTS">https://wiki.debian.org/LTS</a></p> +</define-tag> + +# do not modify the following line +#include "$(ENGLISHDIR)/lts/security/2020/dla-2202.data" +# $Id: $ |
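Review bot: in the dla-2202.wml hunk, the CVE-2019-14846 item ends with an empty `<p></p>` before `</li>` that none of the other three items have; drop it. In the same paragraph, "which lead to a disclosure" should read "which led to a disclosure". The CVE-2020-1733 paragraph also carries a raw "&&" in "umask 77 && mkdir -p dir"; writing it as "&amp;&amp;" is the safer spelling inside HTML markup.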