openSUSE Security Update: Security update for ansible
______________________________________________________________________________
Announcement ID: openSUSE-SU-2019:1858-1
Rating: moderate
References: #1109957 #1112959 #1118896 #1126503
Cross-References: CVE-2018-16837 CVE-2018-16859 CVE-2018-16876 CVE-2019-3828
Affected Products:
openSUSE Backports SLE-15-SP1
______________________________________________________________________________
An update that fixes four vulnerabilities is now available.
Description:
This update for ansible fixes the following issues:
Ansible was updated to version 2.8.1:
Full changelog is at /usr/share/doc/packages/ansible/changelogs/
– Bugfixes
– ACI – do not encode query_string
– ACI modules – Fix non-signature authentication
– Add missing directory provided via "--playbook-dir" to adjacent
collection loading
– Fix "Interface not found" errors when using eos_l2_interface with
nonexistent interfaces configured
– Fix cannot get credential when `source_auth` set to `credential_file`.
– Fix netconf_config backup string issue
– Fix privilege escalation support for the docker connection plugin when
credentials need to be supplied (e.g. sudo with password).
– Fix vyos cli prompt inspection
– Fixed loading namespaced documentation fragments from collections.
– Fix a bug that came up after running the cnos_vrf module against Coverity.
– Properly handle data importer failures on PVC creation, instead of
timing out.
– Fix the ios static route TC failure in CI
– Fix the nios member module params
– Fix the nios_zone module idempotency failure
– add terminal initial prompt for initial connection
– allow include_role to work with ansible command
– allow python_requirements_facts to report on dependencies containing
dashes
– asa_config fix
– azure_rm_roledefinition – fix a small error in build scope.
– azure_rm_virtualnetworkpeering – fix cross subscriptions virtual
network peering.
– cgroup_perf_recap – When not using file_per_task, make sure we don’t
prematurely close the perf files
– display underlying error when reporting an invalid "tasks:" block.
– dnf – fix wildcard matching for state: absent
– docker connection plugin – accept version "dev" as 'newest version'
and print warning.
– docker_container – "oom_killer" and "oom_score_adj" options are
available since docker-py 1.8.0, not 2.0.0 as assumed by the version
check.
– docker_container – fix network creation when
"networks_cli_compatible" is enabled.
– docker_container – use docker API's "restart" instead of
"stop"/"start" to restart a container.
– docker_image – if "build" was not specified, the wrong default for
"build.rm" is used.
– docker_image – if "nocache" set to "yes" but not
"build.nocache", the module failed.
– docker_image – module failed when "source: build" was set but
"build.path" options not specified.
– docker_network module – fix idempotency when using "aux_addresses"
in "ipam_config".
– ec2_instance – make Name tag idempotent
– eos: don’t fail modules without become set, instead show message and
continue
– eos_config: check for session support when asked to ‘diff_against:
session’
– eos_eapi: fix idempotency issues when vrf was unspecified.
– fix bugs for ce – more info see
– fix incorrect uses of to_native that should be to_text instead.
– hcloud_volume – Fix idempotency when attaching a server to a volume.
– ibm_storage – Added a check for null fields in ibm_storage utils
module.
– include_tasks – whitelist "listen" as a valid keyword
– k8s – resource updates applied with force work correctly now
– keep results subset also when not no_log.
– meraki_switchport – improve reliability with native VLAN functionality.
– netapp_e_iscsi_target – fix netapp_e_iscsi_target chap secret size and
clearing functionality
– netapp_e_volumes – fix workload profileId indexing when no previous
workload tags exist on the storage array.
– nxos_acl some platforms/versions raise when no ACLs are present
– nxos_facts fix <https://github.com/ansible/ansible/pull/57009>
– nxos_file_copy fix passwordless workflow
– nxos_interface Fix admin_state check for n6k
– nxos_snmp_traps fix group all for N35 platforms
– nxos_snmp_user fix platform fixes for get_snmp_user
– nxos_vlan mode idempotence bug
– nxos_vlan vlan names containing regex ctl chars should be escaped
– nxos_vtp_* modules fix n6k issues
– openssl_certificate – fix private key passphrase handling for
"cryptography" backend.
– openssl_pkcs12 – fixes crash when private key has a passphrase and the
module is run a second time.
– os_stack – Apply tags conditionally so that the module does not throw
up an error when using an older distro of openstacksdk
– pass correct loading context to persistent connections other than local
– pkg_mgr – Ansible 2.8.0 failing to install yum packages on Amazon Linux
– postgresql – added initial SSL related tests
– postgresql – added missing_required_libs, removed excess param mapping
– postgresql – move connect_to_db and get_pg_version into
module_utils/postgres.py
(https://github.com/ansible/ansible/pull/55514)
– postgresql_db – add note to the documentation about state dump and the
incorrect rc (https://github.com/ansible/ansible/pull/57297)
– postgresql_db – fix for postgresql_db fails if stderr contains output
– postgresql_ping – fixed a typo in the module documentation
– preserve actual ssh error when we cannot connect.
– route53_facts – the module did not advertise check mode support,
causing it not to be run in check mode.
– sysctl: the module now also checks the output of STDERR to report if
values are correctly set
(https://github.com/ansible/ansible/pull/55695)
– ufw – correctly check status when logging is off
– uri – always return a value for status even during failure
– urls – Handle redirects properly for IPv6 address by not splitting on
":" and rely on already parsed hostname and port values
– vmware_vm_facts – fix the support with regular ESXi
– vyos_interface fix <https://github.com/ansible/ansible/pull/57169>
– we don’t really need to template vars on definition as we do this on
demand in templating.
– win_acl – Fix qualifier parser when using UNC paths –
– win_hostname – Fix non netbios compliant name handling
– winrm – Fix issue when attempting to parse CLIXML on send input failure
– xenserver_guest – fixed an issue where VM would be powered off even
though check mode is used if reconfiguration requires VM to be powered
off.
– xenserver_guest – proper error message is shown when maximum number of
network interfaces is reached and multiple network interfaces are
added at once.
– yum – Fix false error message about autoremove not being supported
– yum – fix failure when using "update_cache" standalone
– yum – handle special "_none_" value for proxy in yum.conf and .repo
files
Update to version 2.8.0
Major changes:
* Experimental support for Ansible Collections and content namespacing –
Ansible content can now be packaged in a collection and addressed via
namespaces. This allows for easier sharing, distribution, and
installation of bundled modules/roles/plugins, and consistent rules for
accessing specific content via namespaces.
* Python interpreter discovery – The first time a Python module runs on
a target, Ansible will attempt to discover the proper default Python
interpreter to use for the target platform/version (instead of
immediately defaulting to /usr/bin/python). You can override this
behavior by setting ansible_python_interpreter or via config. (see
https://github.com/ansible/ansible/pull/50163)
* become – The deprecated CLI arguments for --sudo, --sudo-user,
--ask-sudo-pass, -su, --su-user, and --ask-su-pass have been removed,
in favor of the more generic --become, --become-user,
--become-method, and --ask-become-pass.
* become – become functionality has been migrated to a plugin
architecture, to allow customization of become functionality and 3rd
party become methods (https://github.com/ansible/ansible/pull/50991)
– addresses CVE-2018-16859, CVE-2018-16876, CVE-2019-3828, CVE-2018-16837
For the full changelog see /usr/share/doc/packages/ansible/changelogs or
online:
https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst
This update was imported from the openSUSE:Leap:15.1:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
– openSUSE Backports SLE-15-SP1:
zypper in -t patch openSUSE-2019-1858=1
Package List:
– openSUSE Backports SLE-15-SP1 (noarch):
ansible-2.8.1-bp151.3.3.1
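After applying the patch, the practical check is that the installed ansible RPM is at or above the fixed version given in the Package List above. The script below is an added example for that check, not part of the advisory or of the openSUSE tooling. It assumes `rpm -q ansible` prints a single line in the form `ansible-<version>-<release>.noarch`, and the sample lines it compares are constructed so it runs offline; on a real host, replace the sample with the output of `rpm -q ansible`.

```shell
#!/bin/sh
# Added example (not part of the openSUSE advisory): verify that the
# installed ansible package is at or above the fixed version.

# Fixed version, taken from the advisory's Package List.
FIXED_VERSION="2.8.1-bp151.3.3.1"

# Constructed sample of `rpm -q ansible` output on a host that has not
# yet received the update (the release string is made up for the example).
SAMPLE_RPM_LINE="ansible-2.8.0-bp151.2.1.noarch"

# version_ge INSTALLED FIXED
# Returns 0 when INSTALLED sorts at or after FIXED under GNU version sort
# (sort -V), which orders dotted numeric fields numerically.
version_ge() {
    first=$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)
    [ "$first" = "$2" ]
}

# installed_version RPM_LINE
# Strips the package name prefix and the architecture suffix from a line
# such as "ansible-2.8.1-bp151.3.3.1.noarch", leaving "2.8.1-bp151.3.3.1".
installed_version() {
    v=${1#ansible-}   # drop leading "ansible-"
    v=${v%.*}         # drop trailing ".noarch" (last dotted field)
    printf '%s' "$v"
}

# is_patched RPM_LINE
# Returns 0 when the package on RPM_LINE already carries the fix.
is_patched() {
    version_ge "$(installed_version "$1")" "$FIXED_VERSION"
}

# Stand-alone run: report the state of the constructed sample host.
if is_patched "$SAMPLE_RPM_LINE"; then
    echo "$SAMPLE_RPM_LINE: at or above $FIXED_VERSION, no action needed"
else
    echo "$SAMPLE_RPM_LINE: below $FIXED_VERSION, apply openSUSE-2019-1858=1"
fi
```

Version sort treats each dotted field numerically, so 2.8.10 correctly sorts after 2.8.1; a plain string comparison would get that wrong. The check only covers the package version, so it does not tell you whether running ansible-playbook processes were restarted after the update.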
References:
https://www.suse.com/security/cve/CVE-2018-16837.html
https://www.suse.com/security/cve/CVE-2018-16859.html
https://www.suse.com/security/cve/CVE-2018-16876.html
https://www.suse.com/security/cve/CVE-2019-3828.html
https://bugzilla.suse.com/1109957
https://bugzilla.suse.com/1112959
https://bugzilla.suse.com/1118896
https://bugzilla.suse.com/1126503
—
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org