openSUSE Build Service

Overview Repositories Revisions Requests Users Attributes Meta

Security update for ansible

Ansible was updated to 2.9.21 to fix lots of bugs and security issues.

Update to version 2.9.20, maintenance release containing numerous bugfixes.

Update to version 2.9.19 with minor changes and a few bug fixes.

Update to version 2.9.18:

* CVE-2021-20228 where default and fallback values for no_log parameters
to modules were not previously masked. (bsc#1181935)
* CVE-2021-20178 where several parameters to the snmp_facts module were
logged and displayed despite containing sensitive information. (bsc#1180816)
* CVE-2021-20180 where several parameters to the
bitbucket_pipeline_variable were logged and displayed despite
containing sensitive information. (bsc#1180942)
* CVE-2021-20191 which addresses a number of modules whose parameters
were logged and displayed despite containing sensitive
information. For the full list of affected modules, refer to the
changelog linked below. (bsc#1181119)

Update to version 2.9.17 with minor changes and a few bug fixes.

Update to version 2.9.16 with minor changes and many bug fixes.

update to version 2.9.15 with following breaking change:

* ansible-galaxy login command has been removed

update to version 2.9.14 with many small improvements and bug fixes,
most notably:

* kubectl - connection plugin now redact kubectl_token and
kubectl_password in console log (CVE-2020-1753 bsc#1166389).

update to version 2.9.13 with many bug fixes, most notably:

* A security issue was addressed in the "dnf" module, which previously
did not check GPG signatures of packages.
* A bug in the "cron" module was fixed. In some cases prior to this
fix, the module would inadvertently remove cron entries.

update to version 2.9.12 with many bug fixes,
most notably the following security fixes:

* security issue - copy - Redact the value of the no_log 'content'
parameter in the result's invocation.module_args in check mode.
Previously when used with check mode and with '-vvv', the module would
not censor the content if a change would be made to the destination path.
(CVE-2020-14332 bsc#1174302)
* security issue atomic_move - change default permissions when creating
temporary files so they are not world readable
(https://github.com/ansible/ansible/issues/67794) (CVE-2020-1736 bsc#1164134)
* Fix warning for default permission change when no mode is specified.
Follow up to https://github.com/ansible/ansible/issues/67794.
(CVE-2020-1736)
* Sanitize no_log values from any response keys that might be returned
from the uri module (CVE-2020-14330 bsc#1174145).
* reset logging level to INFO due to CVE-2019-14846.

update to version 2.9.11 with many bug fixes

update to version 2.9.10 with many bug fixes.

- Add CVE-2020-1733_avoid_mkdir_p.patch to fix CVE-2020-1733
(bsc#1164140)

update to version 2.9.9

* fix for a regression introduced in 2.9.8

update to version 2.9.8, maintenance release containing numerous bugfixes

update to version 2.9.7 with many bug fixes,
especially for these security issues:

- bsc#1164140 CVE-2020-1733 - insecure temporary directory when
running become_user from become directive
- bsc#1164139 CVE-2020-1734 shell enabled by default in a pipe
lookup plugin subprocess
- bsc#1164137 CVE-2020-1735 - path injection on dest parameter
in fetch module
- bsc#1164134 CVE-2020-1736 atomic_move primitive sets
permissive permissions
- bsc#1164138 CVE-2020-1737 - Extract-Zip function in win_unzip
module does not check extracted path
- bsc#1164136 CVE-2020-1738 module package can be selected by
the ansible facts
- bsc#1164133 CVE-2020-1739 - svn module leaks password when
specified as a parameter
- bsc#1164135 CVE-2020-1740 - secrets readable after
ansible-vault edit
- bsc#1165393 CVE-2020-1746 - information disclosure issue in
ldap_attr and ldap_entry modules
- bsc#1166389 CVE-2020-1753 - kubectl connection plugin leaks
sensitive information
- bsc#1167532 CVE-2020-10684 - code injection when using
ansible_facts as a subkey
- bsc#1167440 CVE-2020-10685 - modules which use files
encrypted with vault are not properly cleaned up
- bsc#1167873 CVE-2020-10691 - archive traversal vulnerability in ansible-galaxy collection install [2]

Fixed before 2.9.6, but not yet listed:
- bsc#1171162 CVE-2020-10729 two random password lookups in
same task return same value
- bsc#1157968 CVE-2019-14904 vulnerability in solaris_zone
module via crafted solaris zone
- bsc#1157969 CVE-2019-14905 malicious code could craft
filename in nxos_file_copy module
- bsc#1112959 CVE-2018-16837 Information leak in "user" module patch added
- (bsc#1137528) CVE-2019-10156: ansible: templating causing an
- bsc#1118896 CVE-2018-16876 Information disclosure in vvv+ mode with no_log on (https://github.com/ansible/ansible/pull/49569)
- Includes fix for bsc#1099808 (CVE-2018-10875) ansible.cfg is being read
from current working directory allowing possible code execution

Submitted by Marcus Meissner (msmeissn)

Fixed bugs

CVE-2018-10875

CVE-2018-16837

bnc#1164134

VUL-1: CVE-2020-1736: ansible: atomic_move primitive sets permissive permissions

bnc#1099808

VUL-0: CVE-2018-10875: ansible: ansible.cfg is being read from current working directory allowing possible code execution

bnc#1112959

VUL-0: CVE-2018-16837: ansible: Information leak in "user" module

bnc#1126503

VUL-1: CVE-2019-3828: ansible: path traversal in the fetch module

bnc#1118896

VUL-1: CVE-2018-16876: ansible: Information disclosure in vvv+ mode with no_log on

CVE-2019-10156

bnc#1137528

VUL-1: CVE-2019-10156: ansible: templating causing an unexpected key file to be set on remote node

VUL-0: CVE-2019-14904: ansible: vulnerability in solaris_zone module via crafted solaris zone

bnc#1157969

VUL-0: CVE-2019-14905: ansible: malicious code could craft filename in nxos_file_copy module

bnc#1164133

VUL-1: CVE-2020-1739: ansible: svn module leaks password when specified as a parameter

bnc#1164134

VUL-1: CVE-2020-1736: ansible: atomic_move primitive sets permissive permissions

bnc#1164135

VUL-1: CVE-2020-1740: ansible: secrets readable after ansible-vault edit

bnc#1164136

VUL-1: CVE-2020-1738: ansible: module package can be selected by the ansible facts

bnc#1164137

VUL-1: CVE-2020-1735: ansible: path injection on dest parameter in fetch module

bnc#1164138

VUL-0: CVE-2020-1737: ansible: Extract-Zip function in win_unzip module does not check extracted path

bnc#1164139

VUL-0: CVE-2020-1734: ansible: shell enabled by default in a pipe lookup plugin subprocess

bnc#1164140

VUL-1: CVE-2020-1733: ansible: insecure temporary directory when running become_user

bnc#1165393

VUL-1: CVE-2020-1746: ansible,ansible1: Information disclosure issue in ldap_attr and ldap_entry modules

bnc#1166389

VUL-1: CVE-2020-1753: ansible: kubectl connection plugin leaks sensitive information

bnc#1167440

VUL-1: CVE-2020-10685: ansible,ansible1: modules which use files encrypted with vault are not properly cleaned up

bnc#1167873

VUL-0: CVE-2020-10691: ansible,ansible1: archive traversal vulnerability in ansible-galaxy collection install

bnc#1171162

VUL-0: CVE-2020-10729: ansible,ansible1: two random password lookups in same task return same value

bnc#1167532

VUL-0: CVE-2020-10684: ansible,ansible1: code injection when using ansible_facts as a subkey

bnc#1174302

VUL-1: CVE-2020-14332: ansible,ansible1: module_args does not censor properly in --check mode

bnc#1181935

VUL-0: CVE-2021-20228: ansible: basic.py no_log with fallback option

bnc#1180816

VUL-0: CVE-2021-20178: ansible1,ansible: user data leak in snmp_facts module

bnc#1180942

VUL-0: CVE-2021-20180: ansible,ansible1: bitbucket_pipeline_variable exposes sensitive values

bnc#1181119

VUL-0: CVE-2021-20191: ansible1,ansible: multiple collections exposes secured values

bnc#1174145

VUL-1: CVE-2020-14330: ansible: "no log" values are not stripped from module response keys

Places

Fixed bugs

Selected Binaries

Places