You are here
Home > Preporuke > Sigurnosni nedostaci programskog paketa ansible

Sigurnosni nedostaci programskog paketa ansible

openSUSE Security Update: Security update for ansible
______________________________________________________________________________

Announcement ID: openSUSE-SU-2020:0523-1
Rating: moderate
References: #1137479 #1142542 #1142690 #1144453 #1153452
#1154231 #1154232 #1154830 #1157968 #1157969

Cross-References: CVE-2019-10206 CVE-2019-10217 CVE-2019-14846
CVE-2019-14856 CVE-2019-14858 CVE-2019-14864
CVE-2019-14904 CVE-2019-14905
Affected Products:
openSUSE Backports SLE-15-SP1
______________________________________________________________________________

An update that solves 8 vulnerabilities and has two fixes
is now available.

Description:

This update for ansible to version 2.9.6 fixes the following issues:

Security issues fixed:

– CVE-2019-14904: Fixed a vulnerability in solaris_zone module via crafted
solaris zone (boo#1157968).
– CVE-2019-14905: Fixed an issue where malicious code could craft filename
in nxos_file_copy module (boo#1157969).
– CVE-2019-14864: Fixed Splunk and Sumologic callback plugins leak
sensitive data in logs (boo#1154830).
– CVE-2019-14846: Fixed secrets disclosure on logs due to display is
hardcoded to DEBUG level (boo#1153452)
– CVE-2019-14856: Fixed insufficient fix for CVE-2019-10206 (boo#1154232)
– CVE-2019-14858: Fixed data in the sub parameter fields that will not be
masked and will be displayed when run with increased verbosity
(boo#1154231)
– CVE-2019-10206: ansible-playbook -k and ansible cli tools prompt
passwords by expanding them from templates as they could contain special
characters. Passwords should be wrapped to prevent templates trigger and
exposing them. (boo#1142690)
– CVE-2019-10217: Fields managing sensitive data should be set as such by
no_log feature. Some of these fields in GCP modules are not set
properly. service_account_contents() which is common class for all gcp
modules is not setting no_log to True. Any sensitive data managed by
that function would be leak as an output when running ansible playbooks.
(boo#1144453)

This update was imported from the openSUSE:Leap:15.1:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

– openSUSE Backports SLE-15-SP1:

zypper in -t patch openSUSE-2020-523=1

Package List:

– openSUSE Backports SLE-15-SP1 (noarch):

ansible-2.9.6-bp151.3.6.1
ansible-doc-2.9.6-bp151.3.6.1
ansible-test-2.9.6-bp151.3.6.1

References:

https://www.suse.com/security/cve/CVE-2019-10206.html
https://www.suse.com/security/cve/CVE-2019-10217.html
https://www.suse.com/security/cve/CVE-2019-14846.html
https://www.suse.com/security/cve/CVE-2019-14856.html
https://www.suse.com/security/cve/CVE-2019-14858.html
https://www.suse.com/security/cve/CVE-2019-14864.html
https://www.suse.com/security/cve/CVE-2019-14904.html
https://www.suse.com/security/cve/CVE-2019-14905.html
https://bugzilla.suse.com/1137479
https://bugzilla.suse.com/1142542
https://bugzilla.suse.com/1142690
https://bugzilla.suse.com/1144453
https://bugzilla.suse.com/1153452
https://bugzilla.suse.com/1154231
https://bugzilla.suse.com/1154232
https://bugzilla.suse.com/1154830
https://bugzilla.suse.com/1157968
https://bugzilla.suse.com/1157969


To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org

Top
More in Preporuke
Sigurnosni nedostaci jezgre operacijskog sustava

Otkriveni su sigurnosni nedostaci jezgre operacijskog sustava Fedora. Otkriveni nedostaci potencijalnim napadačima omogućuju izazivanje DoS stanja ili izvršavanje proizvoljnog programskog...

Close