Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.1595
ansible security update
6 May 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: ansible
Publisher: Debian
Operating System: Debian GNU/Linux 8
Impact/Access: Increased Privileges -- Existing Account
Access Confidential Data -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2020-1740 CVE-2020-1739 CVE-2020-1733
CVE-2019-14846
Reference: ESB-2020.1407
ESB-2020.0884
ESB-2019.3948
Original Bulletin:
https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html
- --------------------------BEGIN INCLUDED TEXT--------------------
Package : ansible
Version : 1.7.2+dfsg-2+deb8u3
CVE ID : CVE-2019-14846 CVE-2020-1733 CVE-2020-1739 CVE-2020-1740
Debian Bug : 942188
Several vulnerabilities were discovered in Ansible, a configuration
management, deployment, and task execution system.
CVE-2019-14846
Ansible was logging at the DEBUG level which lead to a disclosure
of credentials if a plugin used a library that logged credentials
at the DEBUG level. This flaw does not affect Ansible modules, as
those are executed in a separate process.
CVE-2020-1733
A race condition flaw was found when running a playbook with an
unprivileged become user. When Ansible needs to run a module with
become user, the temporary directory is created in /var/tmp. This
directory is created with "umask 77 && mkdir -p dir"; this
operation does not fail if the directory already exists and is
owned by another user. An attacker could take advantage to gain
control of the become user as the target directory can be
retrieved by iterating '/proc/pid/cmdline'.
CVE-2020-1739
A flaw was found when a password is set with the argument
"password" of svn module, it is used on svn command line,
disclosing to other users within the same node. An attacker could
take advantage by reading the cmdline file from that particular
PID on the procfs.
CVE-2020-1740
A flaw was found when using Ansible Vault for editing encrypted
files. When a user executes "ansible-vault edit", another user on
the same computer can read the old and new secret, as it is
created in a temporary file with mkstemp and the returned file
descriptor is closed and the method write_data is called to write
the existing secret in the file. This method will delete the file
before recreating it insecurely.
For Debian 8 "Jessie", these problems have been fixed in version
1.7.2+dfsg-2+deb8u3.
We recommend that you upgrade your ansible packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXrH98maOgq3Tt24GAQggfw/+NCRiaiHvK/ByegoWUL/cHRCgwGGwJPO+
QHqSMux8P77lGJ2BS8b5D83RxjrUsglA30yeyeUZ+WdYkXUBsYPDOmAW8mcv/ubC
D+Tle/RBMyMSSjNXrMrMvaBGT/VKCvx6tvV3uvd6cwAAHsZCWo4LyydDKyuR/IL8
5Y6c0jPGVFYOxpMpEXEI8+Wr6EEMyg4luiKu456GC/ySk5bQXCz5yqQLbnbIBkQ/
cXWWvxRbe1u/E5+zOKqJKjTkS9MAQYIZJj0eTtl3OjrqfJPaBjcP6aFjidVSsFYN
yr0uV6bukp9fB/J1tJ/XeJCMPe+FE8iG6w4NVsm79XizHId8XMzI9Nnr8Ucp5G5c
pOe4hn/XLA6b1nXhnk2dVTL69qdU/kQtFwNNRdmovXn/PMh//b8xUMCbDCKK50N7
Q/YP2u3CpnjIAGT4ubOo6mwEBgE5kT8IGWnHyGTQA01zDSy246hUAXf0yvKO4QdA
FLuKS6F6fT7CcSAMPk2SEL3BIn54T+jb+OEIBeDQTYj0q55u/fTeNOp8+Y4ZObW9
RJsvgErbY9jXv2yLFJ27E26qOMUycFyFDjDSG63PsoqOtDNKpE6eq6kWgJWpC1Le
6vvNjBWg2krcafN/uFrB3lKBgsnxS9DXJgPGwgWaxk00J2pcA77dypCDK4O/1TmU
Y1q9VisJyb8=
=K8nu
-----END PGP SIGNATURE-----