OPENSUSE-SU-2019:1635-1 (Jun 27, 2019)

Security update for ansible (moderate)

Published: 2019-06-27 00:00:00 (source: lists.opensuse.org)

CVSS3: 7.8 High
  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH
  • Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 3.5 Low
  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: SINGLE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE
  • Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N

EPSS: 0.002 Low (percentile 62.7%)

An update that fixes four vulnerabilities is now available.

Description:

This update for ansible fixes the following issues:

Ansible was updated to version 2.8.1:

Full changelog is at /usr/share/doc/packages/ansible/changelogs/

  • Bugfixes

    • ACI - Do not encode query_string
    • ACI modules - Fix non-signature authentication
    • Add missing directory provided via --playbook-dir to adjacent
      collection loading
    • Fix “Interface not found” errors when using eos_l2_interface with
      nonexistent interfaces configured
    • Fix cannot get credential when source_auth set to credential_file.
    • Fix netconf_config backup string issue
    • Fix privilege escalation support for the docker connection plugin when
      credentials need to be supplied (e.g. sudo with password).
    • Fix vyos cli prompt inspection
    • Fixed loading namespaced documentation fragments from collections.
    • Fix a bug that came up after running the cnos_vrf module against Coverity.
    • Properly handle data importer failures on PVC creation, instead of
      timing out.
    • To fix the ios static route TC failure in CI
    • To fix the nios member module params
    • To fix the nios_zone module idempotency failure
    • add terminal initial prompt for initial connection
    • allow include_role to work with ansible command
    • allow python_requirements_facts to report on dependencies containing
      dashes
    • asa_config fix
    • azure_rm_roledefinition - fix a small error in build scope.
    • azure_rm_virtualnetworkpeering - fix cross subscriptions virtual
      network peering.
    • cgroup_perf_recap - When not using file_per_task, make sure we don’t
      prematurely close the perf files
    • display underlying error when reporting an invalid tasks: block.
    • dnf - fix wildcard matching for state: absent
    • docker connection plugin - accept version dev as ‘newest version’
      and print warning.
    • docker_container - oom_killer and oom_score_adj options are
      available since docker-py 1.8.0, not 2.0.0 as assumed by the version
      check.
    • docker_container - fix network creation when
      networks_cli_compatible is enabled.
    • docker_container - use docker API’s restart instead of
      stop/start to restart a container.
    • docker_image - if build was not specified, the wrong default for
      build.rm is used.
    • docker_image - if nocache set to yes but not
      build.nocache, the module failed.
    • docker_image - module failed when source: build was set but
      build.path options not specified.
    • docker_network module - fix idempotency when using aux_addresses
      in ipam_config.
    • ec2_instance - make Name tag idempotent
    • eos: don’t fail modules without become set, instead show message and
      continue
    • eos_config: check for session support when asked to ‘diff_against:
      session’
    • eos_eapi: fix idempotency issues when vrf was unspecified.
    • fix bugs for ce - more info see
    • fix incorrect uses of to_native that should be to_text instead.
    • hcloud_volume - Fix idempotency when attaching a server to a volume.
    • ibm_storage - Added a check for null fields in ibm_storage utils
      module.
    • include_tasks - whitelist listen as a valid keyword
    • k8s - resource updates applied with force work correctly now
    • keep results subset also when not no_log.
    • meraki_switchport - improve reliability with native VLAN functionality.
    • netapp_e_iscsi_target - fix netapp_e_iscsi_target chap secret size and
      clearing functionality
    • netapp_e_volumes - fix workload profileId indexing when no previous
      workload tags exist on the storage array.
    • nxos_acl some platforms/versions raise when no ACLs are present
    • nxos_facts fix <https://github.com/ansible/ansible/pull/57009>
    • nxos_file_copy fix passwordless workflow
    • nxos_interface Fix admin_state check for n6k
    • nxos_snmp_traps fix group all for N35 platforms
    • nxos_snmp_user fix platform fixes for get_snmp_user
    • nxos_vlan mode idempotence bug
    • nxos_vlan vlan names containing regex ctl chars should be escaped
    • nxos_vtp_* modules fix n6k issues
    • openssl_certificate - fix private key passphrase handling for
      cryptography backend.
    • openssl_pkcs12 - fixes crash when private key has a passphrase and the
      module is run a second time.
    • os_stack - Apply tags conditionally so that the module does not throw
      up an error when using an older distro of openstacksdk
    • pass correct loading context to persistent connections other than local
    • pkg_mgr - Ansible 2.8.0 failing to install yum packages on Amazon Linux
    • postgresql - added initial SSL related tests
    • postgresql - added missing_required_libs, removed excess param mapping
    • postgresql - move connect_to_db and get_pg_version into
      module_utils/postgres.py
      (https://github.com/ansible/ansible/pull/55514)
    • postgresql_db - add note to the documentation about state dump and the
      incorrect rc (https://github.com/ansible/ansible/pull/57297)
    • postgresql_db - fix for postgresql_db fails if stderr contains output
    • postgresql_ping - fixed a typo in the module documentation
    • preserve actual ssh error when we cannot connect.
    • route53_facts - the module did not advertise check mode support,
      causing it not to be run in check mode.
    • sysctl: the module now also checks the output of STDERR to report if
      values are correctly set
      (https://github.com/ansible/ansible/pull/55695)
    • ufw - correctly check status when logging is off
    • uri - always return a value for status even during failure
    • urls - Handle redirects properly for IPv6 address by not splitting on
      : and rely on already parsed hostname and port values
    • vmware_vm_facts - fix the support with regular ESXi
    • vyos_interface fix <https://github.com/ansible/ansible/pull/57169>
    • we don’t really need to template vars on definition as we do this on
      demand in templating.
    • win_acl - Fix qualifier parser when using UNC paths -
    • win_hostname - Fix non netbios compliant name handling
    • winrm - Fix issue when attempting to parse CLIXML on send input failure
    • xenserver_guest - fixed an issue where the VM would be powered off even
      though check mode is used if reconfiguration requires the VM to be
      powered off.
    • xenserver_guest - proper error message is shown when maximum number of
      network interfaces is reached and multiple network interfaces are
      added at once.
    • yum - Fix false error message about autoremove not being supported
    • yum - fix failure when using update_cache standalone
    • yum - handle special “none” value for proxy in yum.conf and .repo
      files

Update to version 2.8.0

Major changes:

 * Experimental support for Ansible Collections and content namespacing -
   Ansible content can now be packaged in a collection and addressed via
   namespaces. This allows for easier sharing, distribution, and
   installation of bundled modules/roles/plugins, and consistent rules for
   accessing specific content via namespaces.
 * Python interpreter discovery - The first time a Python module runs on
   a target, Ansible will attempt to discover the proper default Python
   interpreter to use for the target platform/version (instead of
   immediately defaulting to /usr/bin/python). You can override this
   behavior by setting ansible_python_interpreter or via config. (see
   https://github.com/ansible/ansible/pull/50163)
 * become - The deprecated CLI arguments for --sudo, --sudo-user,
   --ask-sudo-pass, -su, --su-user, and --ask-su-pass have been removed,
   in favor of the more generic --become, --become-user,
   --become-method, and --ask-become-pass.
 * become - become functionality has been migrated to a plugin
   architecture, to allow customization of become functionality and 3rd
   party become methods (https://github.com/ansible/ansible/pull/50991)

  • addresses CVE-2018-16859, CVE-2018-16876, CVE-2019-3828, CVE-2018-16837

For the full changelog see /usr/share/doc/packages/ansible/changelogs or
online:
https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

  • openSUSE Leap 42.3:

    zypper in -t patch openSUSE-2019-1635=1

  • openSUSE Leap 15.1:

    zypper in -t patch openSUSE-2019-1635=1

  • openSUSE Leap 15.0:

    zypper in -t patch openSUSE-2019-1635=1

  • openSUSE Backports SLE-15:

    zypper in -t patch openSUSE-2019-1635=1

  • SUSE Package Hub for SUSE Linux Enterprise 12:

    zypper in -t patch openSUSE-2019-1635=1
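A quick way to verify on a host that the installed ansible package is already at or past the fixed 2.8.1 version, as an added example that is not part of the advisory. It assumes an openSUSE host where `rpm -q ansible` works, and the release suffix in the sample version strings (such as `-lp151.2.3.1`) is constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the openSUSE advisory: check whether the installed
# ansible package already carries the fixes shipped with version 2.8.1.
FIXED_VERSION="2.8.1"

# version_ge A B: succeed (exit 0) when dotted version A is >= dotted version B.
# Components are compared numerically; a non-numeric suffix such as "1rc1" is
# truncated at its first non-digit, so "2.8.1rc1" compares as 2.8.1.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# ansible_is_fixed VERSION[-RELEASE]: succeed when the package version is at
# least 2.8.1. An rpm release suffix (e.g. "-lp151.2.3.1", a constructed
# sample) is stripped before the comparison.
ansible_is_fixed() {
    ansible_version=${1%%-*}
    version_ge "$ansible_version" "$FIXED_VERSION"
}

# Live check on an openSUSE host (assumption: rpm is present and ansible is
# installed); skipped silently elsewhere so the functions can be reused.
if command -v rpm >/dev/null 2>&1 && rpm -q ansible >/dev/null 2>&1; then
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}' ansible)
    if ansible_is_fixed "$installed"; then
        echo "ansible $installed: patched (>= $FIXED_VERSION)"
    else
        echo "ansible $installed: not patched, apply openSUSE-2019-1635"
    fi
fi
```

Run it after `zypper patch` to confirm the new package is the one actually installed; a pending patch shows up as "not patched" until the package is replaced.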
