===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3537
                   [DLA 1576-1] ansible security update
                              13 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ansible
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-16837

Reference:         ESB-2018.3474
                   ESB-2018.3461

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2018/11/msg00012.html

--------------------------BEGIN INCLUDED TEXT--------------------

Package        : ansible
Version        : 1.7.2+dfsg-2+deb8u1
CVE ID         : CVE-2018-16837
Debian Bug     : #912297

It was discovered that there was a potential SSH passphrase disclosure
vulnerability in the ansible configuration management system. The "User"
module leaked data that was passed as a parameter to the ssh-keygen(1)
utility, thus revealing any credentials in cleartext form in the global
process list.

For Debian 8 "Jessie", this issue has been fixed in ansible version
1.7.2+dfsg-2+deb8u1.

We recommend that you upgrade your ansible packages.

Regards,

--
Chris Lamb
lamby@debian.org / chris-lamb.co.uk

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
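
Added example (not part of the AusCERT or Debian text, and not Ansible's code): the exposure described in the advisory, a passphrase passed to ssh-keygen(1) as an argument and therefore readable in the process list, can be checked for by parsing /proc/<pid>/cmdline. The function names and the sample command line are constructed for illustration; -N and -P are the ssh-keygen options that take a passphrase.

```python
import os

# ssh-keygen(1) options whose argument is a passphrase.
PASSPHRASE_FLAGS = ("-N", "-P")

def parse_cmdline(raw):
    """Split a /proc/<pid>/cmdline blob (NUL-separated argv) into strings."""
    if raw.endswith(b"\0"):
        raw = raw[:-1]  # drop only the terminator so empty arguments survive
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0")] if raw else []

def find_exposed(argv):
    """Return (index, prefix) for argv entries holding a non-empty passphrase.

    Handles "-N value" and "-Nvalue"; clustered options such as "-qN value"
    are not parsed here.
    """
    if not argv or os.path.basename(argv[0]) != "ssh-keygen":
        return []
    hits, i = [], 1
    while i < len(argv):
        arg = argv[i]
        if arg in PASSPHRASE_FLAGS:
            if i + 1 < len(argv) and argv[i + 1]:  # -N "" is not a secret
                hits.append((i + 1, ""))
            i += 2
        else:
            if arg[:2] in PASSPHRASE_FLAGS:
                hits.append((i, arg[:2]))
            i += 1
    return hits

def redact(argv):
    """Copy argv with passphrase values masked, safe to write to a log."""
    out = list(argv)
    for index, prefix in find_exposed(argv):
        out[index] = prefix + "[REDACTED]"
    return out

def scan_proc(proc_root="/proc"):
    """Return [(pid, redacted argv)] for live processes exposing a passphrase."""
    found = []
    for entry in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as fh:
                argv = parse_cmdline(fh.read())
        except OSError:  # process exited, or access denied
            continue
        if find_exposed(argv):
            found.append((int(entry), redact(argv)))
    return found

# Constructed sample in /proc/<pid>/cmdline format (not taken from the advisory).
SAMPLE = b"ssh-keygen\0-q\0-t\0rsa\0-N\0example-passphrase\0-f\0/tmp/demo_key\0"

if __name__ == "__main__":
    print(redact(parse_cmdline(SAMPLE)))
```

An ssh-keygen run is short-lived, so polling /proc with scan_proc() catches it only by chance; the same find_exposed() and redact() logic applies to argv captured by exec auditing.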