===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1379
                     Ansible security update (2.9.20)
                               23 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Ansible
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-3447  

Reference:         ESB-2021.1207

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2021:1342
   https://access.redhat.com/errata/RHSA-2021:1343

Comment: This bulletin contains two (2) Red Hat security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Ansible security update (2.9.20)
Advisory ID:       RHSA-2021:1342-01
Product:           Red Hat Ansible Engine
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:1342
Issue date:        2021-04-22
CVE Names:         CVE-2021-3447 
=====================================================================

1. Summary:

An update for ansible is now available for Ansible Engine 2.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Ansible Engine 2 for RHEL 7 - noarch
Red Hat Ansible Engine 2 for RHEL 8 - noarch

3. Description:

Ansible is a simple model-driven configuration management, multi-node
deployment, and remote-task execution system. Ansible works over SSH and
does not require any software or daemons to be installed on remote nodes.
Extension modules can be written in any language and are transferred to
managed machines automatically.

The following packages have been upgraded to a newer upstream version:
ansible (2.9.20)

Bug Fix(es):
* CVE-2021-3447 ansible: multiple modules expose secured values

See:
https://github.com/ansible/ansible/blob/v2.9.20/changelogs/CHANGELOG-v2.9.rst
for details on bug fixes in this release.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1939349 - CVE-2021-3447 ansible: multiple modules expose secured values

6. Package List:

Red Hat Ansible Engine 2 for RHEL 7:

Source:
ansible-2.9.20-1.el7ae.src.rpm

noarch:
ansible-2.9.20-1.el7ae.noarch.rpm
ansible-test-2.9.20-1.el7ae.noarch.rpm

Red Hat Ansible Engine 2 for RHEL 8:

Source:
ansible-2.9.20-1.el8ae.src.rpm

noarch:
ansible-2.9.20-1.el8ae.noarch.rpm
ansible-test-2.9.20-1.el8ae.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-3447
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

-------------------------------------------------------------------------------
Subject:	[RHSA-2021:1343-01] Moderate: Ansible security update (2.9.20)
From:	"Security announcements for all Red Hat products and services." <rhsa-announce@redhat.com>
Reply-To:	rhsa-announce@redhat.com
Date:	Thu, 22 Apr 2021 17:08:25 -0400
To:	rhsa-announce@redhat.com


=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Ansible security update (2.9.20)
Advisory ID:       RHSA-2021:1343-01
Product:           Red Hat Ansible Engine
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:1343
Issue date:        2021-04-22
CVE Names:         CVE-2021-3447 
=====================================================================

1. Summary:

An update for ansible is now available for Ansible Engine 2.9.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Ansible Engine 2.9 for RHEL 7 Server - noarch
Red Hat Ansible Engine 2.9 for RHEL 8 - noarch

3. Description:

Ansible is a simple model-driven configuration management, multi-node
deployment, and remote-task execution system. Ansible works over SSH and
does not require any software or daemons to be installed on remote nodes.
Extension modules can be written in any language and are transferred to
managed machines automatically.

The following packages have been upgraded to a newer upstream version:
ansible (2.9.20)

Bug Fix(es):
* CVE-2021-3447 ansible: multiple modules expose secured values

See:
https://github.com/ansible/ansible/blob/v2.9.20/changelogs/CHANGELOG-v2.9.rst
for details on bug fixes in this release.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1939349 - CVE-2021-3447 ansible: multiple modules expose secured values

6. Package List:

Red Hat Ansible Engine 2.9 for RHEL 7 Server:

Source:
ansible-2.9.20-1.el7ae.src.rpm

noarch:
ansible-2.9.20-1.el7ae.noarch.rpm
ansible-test-2.9.20-1.el7ae.noarch.rpm

Red Hat Ansible Engine 2.9 for RHEL 8:

Source:
ansible-2.9.20-1.el8ae.src.rpm

noarch:
ansible-2.9.20-1.el8ae.noarch.rpm
ansible-test-2.9.20-1.el8ae.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-3447
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================