ESB-2018.3537 - [Debian] ansible: Access confidential data - Existing account 2018-11-13


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3537
                   [DLA 1576-1] ansible security update
                             13 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ansible
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-16837  

Reference:         ESB-2018.3474
                   ESB-2018.3461

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2018/11/msg00012.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : ansible
Version        : 1.7.2+dfsg-2+deb8u1
CVE ID         : CVE-2018-16837
Debian Bug     : #912297

It was discovered that there was a potential SSH passphrase disclosure
vulnerability in the ansible configuration management system.

The "User" module leaked data that was passed as a parameter to the
ssh-keygen(1) utility, thus revealing any credentials in cleartext form
in the global process list.

For Debian 8 "Jessie", this issue has been fixed in ansible version
1.7.2+dfsg-2+deb8u1.

We recommend that you upgrade your ansible packages.


Regards,

- - -- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-


- --------------------------END INCLUDED TEXT--------------------
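
The advisory's point is that anything placed on the ssh-keygen(1) command line is readable from the process list. The following check is an added example, not part of the Debian advisory or of ansible's code: it parses the NUL-separated argv that Linux exposes in /proc/<pid>/cmdline and reports ssh-keygen runs carrying a non-empty passphrase in -N or -P, with the value redacted. The function names and the sample command lines are constructed for illustration.

```python
import os

PASSPHRASE_FLAGS = ("-N", "-P")  # ssh-keygen: new / current passphrase

def parse_cmdline(raw):
    """Split the NUL-separated argv read from /proc/<pid>/cmdline."""
    raw = raw[:-1] if raw.endswith(b"\0") else raw  # drop the terminator only
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0")] if raw else []

def exposed_passphrases(argv):
    """Return (index, prefix) for argv entries holding a non-empty passphrase."""
    if not argv or os.path.basename(argv[0]) != "ssh-keygen":
        return []
    hits, i = [], 1
    while i < len(argv):
        if argv[i] in PASSPHRASE_FLAGS:          # separate form: -N value
            if i + 1 < len(argv) and argv[i + 1]:  # -N "" discloses nothing
                hits.append((i + 1, ""))
            i += 1                               # skip the value
        elif argv[i][:2] in PASSPHRASE_FLAGS:    # attached form: -Nvalue
            hits.append((i, argv[i][:2]))
        i += 1
    return hits

def redact(argv):
    """Copy argv with every exposed passphrase replaced, safe to log."""
    out = list(argv)
    for index, prefix in exposed_passphrases(argv):
        out[index] = prefix + "<redacted>"
    return out

def scan_proc(proc="/proc"):
    """Live check on Linux: (pid, redacted argv) for each exposed ssh-keygen run."""
    findings = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "cmdline"), "rb") as fh:
                argv = parse_cmdline(fh.read())
        except OSError:
            continue  # process exited, or its entry is not readable
        if exposed_passphrases(argv):
            findings.append((int(pid), redact(argv)))
    return findings

# Constructed sample command lines (not captured from a real system).
SAMPLES = [b"\0".join(args) + b"\0" for args in (
    (b"ssh-keygen", b"-q", b"-f", b"/tmp/id_rsa", b"-N", b"constructed-pw"),
    (b"/usr/bin/ssh-keygen", b"-f", b"/home/bob/.ssh/id_rsa", b"-N", b""),
    (b"ssh-keygen", b"-p", b"-Pconstructed-old", b"-f", b"/tmp/k"),
)]
```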

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
