| Summary: | ansible new security issue CVE-2017-7550 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | bruno, marja11, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, has_procedure, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA5TOO MGA6-64-OK MGA6-32-OK MGA5-64-OK | | |
| Source RPM: | ansible-2.3.1.0-3.mga7.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2017-10-20 17:03:25 CEST
David Walser
2017-10-20 17:03:31 CEST
Whiteboard:
(none) =>
MGA6TOO, MGA5TOO
Marja Van Waes
2017-10-22 16:32:28 CEST
CC:
(none) =>
marja11

Updates made and pushed for all versions.

Status:
NEW =>
ASSIGNED

Thanks Bruno!

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=19740#c7

Advisory:
========================

Updated ansible package fixes security vulnerability:

A flaw was found in the way Ansible passed certain parameters to the jenkins_plugin module. A remote attacker could use this flaw to expose sensitive information from a remote host's logs. This flaw was fixed by not allowing passwords to be specified in the "params" argument, and noting this in the module documentation (CVE-2017-7550).

The ansible package has been updated to version 2.4.1 to fix this issue and several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7550
https://github.com/ansible/ansible/blob/stable-2.4/CHANGELOG.md
https://access.redhat.com/errata/RHSA-2017:2966
========================

Updated packages in core/updates_testing:
========================
ansible-2.4.1.0-1.1.mga5
ansible-2.4.1.0-1.1.mga6

from SRPMS:
ansible-2.4.1.0-1.1.mga5.src.rpm
ansible-2.4.1.0-1.1.mga6.src.rpm

Assignee:
bruno =>
qa-bugs
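
A defender-side check for the pattern the advisory above describes, as an added example (not part of this bug report or of Ansible's code): it scans playbook text for password-like keys placed under the `params` argument of a `jenkins_plugin` task. The sample playbook is constructed, `vault_jenkins_password` is a hypothetical variable, and the line-based parsing is a heuristic that assumes block-style or single-line flow-style YAML.

```python
import re

# "key:" at the start of a YAML line, optionally after a "- " list marker.
KEY_LINE = re.compile(r"^(\s*(?:-\s+)?)([\w.]+)\s*:(.*)$")
PASSWORD_KEY = re.compile(r"passw", re.IGNORECASE)  # heuristic key match

# Constructed sample playbook; host, plugin and variable names are made up.
SAMPLE_PLAYBOOK = """\
- hosts: jenkins
  tasks:
    - name: Install plugin, password inside params (pattern the fix rejects)
      jenkins_plugin:
        name: build-pipeline-plugin
        params:
          url_username: admin
          url_password: EXAMPLE-ONLY
    - name: Install plugin, password as its own argument
      jenkins_plugin:
        name: build-pipeline-plugin
        url_username: admin
        url_password: "{{ vault_jenkins_password }}"
"""

def find_params_passwords(playbook_text):
    """Return [(line_no, key)] for password-like keys under jenkins_plugin params."""
    findings = []
    module_col = params_col = None  # key columns of the currently open blocks
    for line_no, raw in enumerate(playbook_text.splitlines(), 1):
        match = KEY_LINE.match(raw.split(" #", 1)[0])  # drop trailing comments
        if not match:
            continue
        col, key, rest = len(match.group(1)), match.group(2), match.group(3)
        if params_col is not None and col <= params_col:
            params_col = None  # dedent: the params block has ended
        if module_col is not None and col <= module_col:
            module_col = None  # dedent: the module block has ended
        if key.split(".")[-1] == "jenkins_plugin":
            module_col = col
        elif module_col is not None and params_col is None and key == "params":
            params_col = col  # also scan flow style: params: {url_password: ...}
            findings += [(line_no, k) for k in re.findall(r"([\w.]+)\s*:", rest)
                         if PASSWORD_KEY.search(k)]
        elif params_col is not None and PASSWORD_KEY.search(key):
            findings.append((line_no, key))
    return findings

if __name__ == "__main__":
    for line_no, key in find_params_passwords(SAMPLE_PLAYBOOK):
        print(f"line {line_no}: '{key}' is set inside jenkins_plugin params")
```

A `params` value supplied through a variable cannot be inspected by this static scan.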
David Walser
2017-10-31 11:11:33 CET
Keywords:
(none) =>
has_procedure

Mageia 6 on x86_64.
Created a /tmp/hosts file containing the IP addresses of two machines on the LAN.
Used the ansible ping command successfully - see reference in comment 2.
Updated ansible.
$ ansible -i /tmp/hosts all -m ping
192.168.1.3 | SUCCESS => {
"changed": false,
"failed": false,
"ping": "pong"
}
192.168.1.161 | SUCCESS => {
"changed": false,
"failed": false,
"ping": "pong"
}
If this is all that is required then ansible is OK.

CC:
(none) =>
tarazed25
Len Lawrence
2017-11-01 17:18:11 CET
Whiteboard:
MGA5TOO =>
MGA5TOO MGA6-64-OK

Mageia 6 on i586 in virtualbox
Installed ansible and updated it.
Created new public RSA key and copied it to two hosts on the network.
$ cat .ssh/id_rsa.pub | ssh lcl@belexeuli 'cat >> .ssh/authorized_keys'
$ cat .ssh/id_rsa.pub | ssh lcl@hamal 'cat >> .ssh/authorized_keys'
Password:...........
Then ran the ansible test command.
$ ansible -i /tmp/hosts all -m ping
192.168.1.156 | SUCCESS => {
"changed": false,
"failed": false,
"ping": "pong"
}
192.168.1.161 | SUCCESS => {
"changed": false,
"failed": false,
"ping": "pong"
}
OK for 32-bits.
Len Lawrence
2017-11-01 18:23:55 CET
Whiteboard:
MGA5TOO MGA6-64-OK =>
MGA5TOO MGA6-64-OK MGA6-32-OK

Mageia 5 on x86_64
$ sudo urpmi ansible
To satisfy dependencies, the following packages are going to be installed:
Package Version Release Arch
(medium "Core Release (distrib1)")
python-babel 1.3 8.mga5 noarch
python-ecdsa 0.11 5.mga5 noarch
python-jinja2 2.7.3 4.mga5 noarch
python-keyczar 0.71c 5.mga5 noarch
python-markupsafe 0.23 6.mga5 x86_64
python-pytz 2014.7 4.mga5 noarch
python-yaml 3.10 10.mga5 x86_64
(medium "Core Updates (distrib3)")
ansible 2.3.1.0 2.mga5 noarch
python-paramiko 1.15.2 1.1.mga5 noarch
python-pyasn1 0.1.8 1.mga5 noarch
python-pycrypto 2.6.1 6.1.mga5 x86_64
Generated a new RSA keypair and copied the public keys to two other hosts on the network and tested ansible.
Updated the package:
- ansible-2.4.1.0-1.1.mga5.noarch
- python-cffi-1.1.2-1.mga5.x86_64
- python-cryptography-1.0.2-1.1.mga5.x86_64
- python-enum34-1.0.4-1.mga5.noarch
- python-idna-2.0-1.mga5.noarch
- python-ipaddress-1.0.15-1.mga5.noarch
- python-ply-3.4-9.mga5.noarch
- python-pycparser-2.10-7.mga5.noarch
- python-six-1.7.3-4.mga5.noarch
$ ansible -i ~/tmp/hosts all -m ping
192.168.1.156 | SUCCESS => {
"changed": false,
"failed": false,
"ping": "pong"
}
192.168.1.161 | SUCCESS => {
"changed": false,
"failed": false,
"ping": "pong"
}
OK for 64-bits.
Len Lawrence
2017-11-01 18:53:14 CET
Whiteboard:
MGA5TOO MGA6-64-OK MGA6-32-OK =>
MGA5TOO MGA6-64-OK MGA6-32-OK MGA5-64-OK
Lewis Smith
2017-11-02 09:14:58 CET
Keywords:
(none) =>
advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0399.html

Resolution:
(none) =>
FIXED