Bug 23225

Summary: ansible new security issue CVE-2018-10855
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, herman.viaene, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5TOO MGA5-32-OK MGA6-32-OK
Source RPM: ansible-2.5.2-1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2018-06-24 22:52:40 CEST 
Fedora has issued an advisory today (June 24):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ILGCAZWUN7RSPO3IEB46IIDRMCI3ALP3/

The issue is fixed upstream in 2.4.5 and 2.5.5.

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-06-24 22:52:52 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Bruno Cornec 2018-06-25 06:42:26 CEST 
Cauldron updated with 2.5.5

Status: NEW => ASSIGNED

Comment 2 Bruno Cornec 2018-06-25 07:02:02 CEST 
MGA6 testing_updates updated with 2.4.5.0.
Comment 3 Bruno Cornec 2018-06-25 07:12:52 CEST 
MGA5 testing_updates updated with 2.4.5.0.

Assignee: bruno => qa-bugs
Whiteboard: MGA6TOO => MGA6TOO, MGA5TOO

Comment 4 David Walser 2018-06-25 12:42:48 CEST 
Advisory:
========================

Updated ansible package fixes security vulnerability:

Ansible prior to 2.4.5 does not honor the no_log task flag for failed tasks.
When the no_log flag has been used to protect sensitive data passed to a task
from being logged, and that task does not run successfully, Ansible will expose
sensitive data in log files and on the terminal of the user running Ansible
(CVE-2018-10855).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10855
https://github.com/ansible/ansible/blob/stable-2.4/CHANGELOG.md
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ILGCAZWUN7RSPO3IEB46IIDRMCI3ALP3/
========================

Updated packages in core/updates_testing:
========================
ansible-2.4.5.0-1.1.mga5
ansible-2.4.5.0-1.1.mga6

from SRPMS:
ansible-2.4.5.0-1.1.mga5.src.rpm
ansible-2.4.5.0-1.1.mga6.src.rpm

Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO

Comment 5 Herman Viaene 2018-06-27 16:16:51 CEST 
MGA5-32 on Dell Latitude D600 Xfce
No installation issues
Ref to my test in bug Comment 10.
Created hosts file containing one remote IP address
at CLI:
$ ansible -i hosts -vvvv -u <remote user> all -m ping
skipping lots of feedback the result:
192.168.2.1 | SUCCESS => {
    "changed": false, 
    "failed": false, 
    "invocation": {
        "module_args": {
            "data": "pong"
        }
    }, 
    "ping": "pong"
}
Looks good

CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK

Comment 6 Herman Viaene 2018-06-29 11:02:36 CEST 
that is bug 19740 comment 10
Comment 7 Herman Viaene 2018-06-29 11:15:11 CEST 
MGA6-32 on IBM Thinkpad R50e MATE
no installation issues.
Same test and same result as comment 5 above.OK.

Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-32-OK

Comment 8 Dave Hodgins 2018-07-01 00:31:25 CEST 
Advisory committed to svn. Validating the update.

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 9 Mageia Robot 2018-07-01 19:18:39 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0303.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED