Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.1595 ansible security update 6 May 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: ansible Publisher: Debian Operating System: Debian GNU/Linux 8 Impact/Access: Increased Privileges -- Existing Account Access Confidential Data -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2020-1740 CVE-2020-1739 CVE-2020-1733 CVE-2019-14846 Reference: ESB-2020.1407 ESB-2020.0884 ESB-2019.3948 Original Bulletin: https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html - --------------------------BEGIN INCLUDED TEXT-------------------- Package : ansible Version : 1.7.2+dfsg-2+deb8u3 CVE ID : CVE-2019-14846 CVE-2020-1733 CVE-2020-1739 CVE-2020-1740 Debian Bug : 942188 Several vulnerabilities were discovered in Ansible, a configuration management, deployment, and task execution system. CVE-2019-14846 Ansible was logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process. CVE-2020-1733 A race condition flaw was found when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with "umask 77 && mkdir -p dir"; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating '/proc/pid/cmdline'. CVE-2020-1739 A flaw was found when a password is set with the argument "password" of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cmdline file from that particular PID on the procfs. CVE-2020-1740 A flaw was found when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely. For Debian 8 "Jessie", these problems have been fixed in version 1.7.2+dfsg-2+deb8u3. We recommend that you upgrade your ansible packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXrH98maOgq3Tt24GAQggfw/+NCRiaiHvK/ByegoWUL/cHRCgwGGwJPO+ QHqSMux8P77lGJ2BS8b5D83RxjrUsglA30yeyeUZ+WdYkXUBsYPDOmAW8mcv/ubC D+Tle/RBMyMSSjNXrMrMvaBGT/VKCvx6tvV3uvd6cwAAHsZCWo4LyydDKyuR/IL8 5Y6c0jPGVFYOxpMpEXEI8+Wr6EEMyg4luiKu456GC/ySk5bQXCz5yqQLbnbIBkQ/ cXWWvxRbe1u/E5+zOKqJKjTkS9MAQYIZJj0eTtl3OjrqfJPaBjcP6aFjidVSsFYN yr0uV6bukp9fB/J1tJ/XeJCMPe+FE8iG6w4NVsm79XizHId8XMzI9Nnr8Ucp5G5c pOe4hn/XLA6b1nXhnk2dVTL69qdU/kQtFwNNRdmovXn/PMh//b8xUMCbDCKK50N7 Q/YP2u3CpnjIAGT4ubOo6mwEBgE5kT8IGWnHyGTQA01zDSy246hUAXf0yvKO4QdA FLuKS6F6fT7CcSAMPk2SEL3BIn54T+jb+OEIBeDQTYj0q55u/fTeNOp8+Y4ZObW9 RJsvgErbY9jXv2yLFJ27E26qOMUycFyFDjDSG63PsoqOtDNKpE6eq6kWgJWpC1Le 6vvNjBWg2krcafN/uFrB3lKBgsnxS9DXJgPGwgWaxk00J2pcA77dypCDK4O/1TmU Y1q9VisJyb8= =K8nu -----END PGP SIGNATURE-----