Lucene search

K
suseSuseOPENSUSE-SU-2022:0081-1
HistoryMar 16, 2022 - 12:00 a.m.

Security update for ansible (important)

2022-03-1600:00:00
lists.opensuse.org
37

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

6.1 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:C/I:P/A:P

An update that solves 26 vulnerabilities and has one errata
is now available.

Description:

Ansible was updated to 2.9.21 to fix lots of bugs and security issues.

Update to version 2.9.20, maintenance release containing numerous bugfixes.

Update to version 2.9.19 with minor changes and a few bug fixes.

Update to version 2.9.18:

  • CVE-2021-20228 where default and fallback values for no_log parameters
    to modules were not previously masked. (bsc#1181935)
  • CVE-2021-20178 where several parameters to the snmp_facts module were
    logged and displayed despite containing sensitive information.
    (bsc#1180816)
  • CVE-2021-20180 where several parameters to the
    bitbucket_pipeline_variable were logged and displayed despite containing
    sensitive information. (bsc#1180942)
  • CVE-2021-20191 which addresses a number of modules whose parameters were
    logged and displayed despite containing sensitive information. For the
    full list of affected modules, refer to the changelog linked below.
    (bsc#1181119)

Update to version 2.9.17 with minor changes and a few bug fixes.

Update to version 2.9.16 with minor changes and many bug fixes.

update to version 2.9.15 with following breaking change:

  • ansible-galaxy login command has been removed

update to version 2.9.14 with many small improvements and bug fixes, most
notably:

  • kubectl - connection plugin now redact kubectl_token and
    kubectl_password in console log (CVE-2020-1753 bsc#1166389).

update to version 2.9.13 with many bug fixes, most notably:

  • A security issue was addressed in the “dnf” module, which previously did
    not check GPG signatures of packages.
  • A bug in the “cron” module was fixed. In some cases prior to this fix,
    the module would inadvertently remove cron entries.

update to version 2.9.12 with many bug fixes, most notably the following
security fixes:

  • security issue - copy - Redact the value of the no_log ‘content’
    parameter in the result’s invocation.module_args in check mode.
    Previously when used with check mode and with ‘-vvv’, the module would
    not censor the content if a change would be made to the destination
    path. (CVE-2020-14332 bsc#1174302)
  • security issue atomic_move - change default permissions when creating
    temporary files so they are not world readable
    (https://github.com/ansible/ansible/issues/67794) (CVE-2020-1736
    bsc#1164134)
  • Fix warning for default permission change when no mode is specified.
    Follow up to https://github.com/ansible/ansible/issues/67794.
    (CVE-2020-1736)
  • Sanitize no_log values from any response keys that might be returned
    from the uri module (CVE-2020-14330 bsc#1174145).
  • reset logging level to INFO due to CVE-2019-14846.

update to version 2.9.11 with many bug fixes

update to version 2.9.10 with many bug fixes.

  • Add CVE-2020-1733_avoid_mkdir_p.patch to fix CVE-2020-1733 (bsc#1164140)

update to version 2.9.9

  • fix for a regression introduced in 2.9.8

update to version 2.9.8, maintenance release containing numerous bugfixes

update to version 2.9.7 with many bug fixes, especially for these security
issues:

  • bsc#1164140 CVE-2020-1733 - insecure temporary directory when running
    become_user from become directive
  • bsc#1164139 CVE-2020-1734 shell enabled by default in a pipe lookup
    plugin subprocess
  • bsc#1164137 CVE-2020-1735 - path injection on dest parameter in fetch
    module
  • bsc#1164134 CVE-2020-1736 atomic_move primitive sets permissive
    permissions
  • bsc#1164138 CVE-2020-1737 - Extract-Zip function in win_unzip module
    does not check extracted path
  • bsc#1164136 CVE-2020-1738 module package can be selected by the ansible
    facts
  • bsc#1164133 CVE-2020-1739 - svn module leaks password when specified as
    a parameter
  • bsc#1164135 CVE-2020-1740 - secrets readable after ansible-vault edit
  • bsc#1165393 CVE-2020-1746 - information disclosure issue in ldap_attr
    and ldap_entry modules
  • bsc#1166389 CVE-2020-1753 - kubectl connection plugin leaks sensitive
    information
  • bsc#1167532 CVE-2020-10684 - code injection when using ansible_facts as
    a subkey
  • bsc#1167440 CVE-2020-10685 - modules which use files encrypted with
    vault are not properly cleaned up
  • bsc#1167873 CVE-2020-10691 - archive traversal vulnerability in
    ansible-galaxy collection install [2]

Fixed before 2.9.6, but not yet listed:

  • bsc#1171162 CVE-2020-10729 two random password lookups in same task
    return same value
  • bsc#1157968 CVE-2019-14904 vulnerability in solaris_zone module via
    crafted solaris zone
  • bsc#1157969 CVE-2019-14905 malicious code could craft filename in
    nxos_file_copy module
  • bsc#1112959 CVE-2018-16837 Information leak in “user” module patch added
  • (bsc#1137528) CVE-2019-10156: ansible: templating causing an
  • bsc#1118896 CVE-2018-16876 Information disclosure in vvv+ mode with
    no_log on (https://github.com/ansible/ansible/pull/49569)
  • Includes fix for bsc#1099808 (CVE-2018-10875) ansible.cfg is being read
    from current working directory allowing possible code execution

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

  • openSUSE Backports SLE-15-SP3:

    zypper in -t patch openSUSE-2022-81=1

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

6.1 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:C/I:P/A:P