| Summary: | ansible new security issue CVE-2019-10156 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | bruno, sysadmin-bugs, tarazed25, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6TOO MGA6-64-OK MGA7-64-OK | ||
| Source RPM: | ansible-2.7.10-1.mga7.src.rpm | CVE: | |
| Status comment: | Fixed upstream in 2.6.18, 2.7.12 and 2.8.2 | ||
|
Description
David Walser
2019-08-12 01:26:47 CEST
David Walser
2019-08-12 01:27:03 CEST
Whiteboard:
(none) =>
MGA7TOO, MGA6TOO 2.8.2 pushed to cauldron. Status:
NEW =>
ASSIGNED
David Walser
2019-08-12 02:07:27 CEST
Whiteboard:
MGA7TOO, MGA6TOO =>
MGA6TOO 2.7.12 pushed to update_testing of mga7 mga6 has 2.4 so I suggest we update to 2.7.12 as well (I was using 2.7.10 myself before that update without issue on mga6). Sounds good. We've updated in the past without issues. 2.7.12 pushed to update_testing of mga6 as well. Moved to QA. Assignee:
bruno.cornec =>
qa-bugs
David Walser
2019-08-13 02:18:00 CEST
Whiteboard:
(none) =>
MGA6TOO Advisory: ======================== Updated ansible package fixes security vulnerability: A flaw was discovered in the way Ansible templating was implemented before version 2.7.12, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed (CVE-2019-10156). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10156 https://github.com/ansible/ansible/blob/stable-2.7/changelogs/CHANGELOG-v2.7.rst https://usn.ubuntu.com/4072-1/ ======================== Updated packages in core/updates_testing: ======================== ansible-2.7.12-1.mga6 ansible-2.7.12-1.mga7 from SRPMS: ansible-2.7.12-1.mga6.src.rpm ansible-2.7.12-1.mga7.src.rpm mga6, x86_64 Update failed because of missing package. # urpmi ansible A requested package cannot be installed: ansible-2.7.12-1.mga6.noarch (due to unsatisfied python3-jmespath) # urpmi python3-jmespath No package named python3-jmespath CC:
(none) =>
tarazed25 mga7, x86_64
The update installed cleanly.
~/tmp/hosts contains:
192.168.1.aaa
192.168.1.bbb
where aaa is a remote PC and bbb is the current machine.
$ ansible -i ~/tmp/hosts all -m ping
192.168.1.bbb | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: lcl@192.168.1.62: Permission denied (publickey,password,keyboard-interactive).",
"unreachable": true
}
192.168.1.aaa | SUCCESS => {
"changed": false,
"ping": "pong"
}
Yet on bbb;
$ ssh lcl@canopus
Password:
Last login: Fri Aug 16 19:19:24 2019 from 192.168.1.aaa
$ ansible all -a "/bin/echo hello"
[WARNING]: provided hosts list is empty, only localhost is available. Note
that the implicit localhost does not match 'all'
I am assuming that this is a PEBCAK problem. No idea how to proceed.
These tests used to succeed.
Of course, /etc/ansible/hosts needs to be set up first.
$ ansible all -a "/bin/echo hello"
192.168.1.bbb | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: lcl@192.168.1.bbb: Permission denied (publickey,password,keyboard-interactive).",
"unreachable": true
}
192.168.1.aaa | CHANGED | rc=0 >>
hello
$ ansible all -u lcl -a "/home/lcl/bin/calco"
192.168.1.bbb | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: lcl@192.168.1.bbb: Permission denied (publickey,password,keyboard-interactive).",
"unreachable": true
}
192.168.1.aaa | FAILED | rc=-6 >>
/usr/share/ruby/tk.rb:31:in `initialize': tcltklib: fail to Tk_Init(). no display name and no $DISPLAY environment variable (RuntimeError)
from /usr/share/ruby/tk.rb:31:in `initialize'
from /usr/share/ruby/tk.rb:1245:in `new'
from /usr/share/ruby/tk.rb:1245:in `block in <module:TkCore>'
Tcl_AsyncDelete: async handler deleted by the wrong threadnon-zero return code
I thought the '-u lcl' would have taken care of setting up the shell environment, but apparently not.
Something more straightforward works:
$ ansible all -u lcl -a "/home/lcl/bin/dayofweek 2019-08-16"
192.168.1.bbb | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: lcl@192.168.1.bbb: Permission denied (publickey,password,keyboard-interactive).",
"unreachable": true
}
192.168.1.aaa | CHANGED | rc=0 >>
2019-08-16 is a Friday
At this simple level I would say this works. Any problems seem to be associated with the way access keys have been defined by the user. known_hosts always needs fixing after every new installation.
Len Lawrence
2019-08-17 03:52:44 CEST
Keywords:
(none) =>
feedback
Len Lawrence
2019-08-22 20:27:21 CEST
Whiteboard:
MGA6TOO =>
MGA6TOO MGA7-64-OK python-jmespath has been also pushed to updates_testing for mga6 Hope this will fix the install issue for good. mga7, x86_64 Thanks Bruno. ansible now updates cleanly and runs fine. Omitted localhost from /tmp/hosts and ran the primitive tests as in comment 8. They worked as expected, e.g. $ ansible all -u lcl -a "/home/lcl/bin/dayofweek 2019-08-24" 192.168.1.aaa | CHANGED | rc=0 >> 2019-08-24 is a Saturday That will have to do for 64-bits. Whiteboard:
MGA6TOO MGA7-64-OK =>
MGA6TOO MGA6-64-OK MGA7-64-OK Thanks Bruno. This python-jmespath doesn't quite look right though. The build produced three packages: python-jmespath-0.9.4-1.1.mga6 python2-jmespath-0.9.4-1.1.mga6 python3-jmespath-0.9.4-1.1.mga6 the second one shouldn't be there. I asked myself the question, but that was the way it was made for cauldron, so didn't thought I should change it. Of course I can if you say it's ok ;-) So I submitted a new version. Thanks, that's better. That package list would have been incorrect for Cauldron too (in that case the python2 and python3 ones should be there and the python- one shouldn't). Advisory: ======================== Updated ansible package fixes security vulnerability: A flaw was discovered in the way Ansible templating was implemented before version 2.7.12, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed (CVE-2019-10156). Also, python-jmespath was added as a new dependency in Mageia 6. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10156 https://github.com/ansible/ansible/blob/stable-2.7/changelogs/CHANGELOG-v2.7.rst https://usn.ubuntu.com/4072-1/ ======================== Updated packages in core/updates_testing: ======================== python-jmespath-0.9.4-1.2.mga6 python3-jmespath-0.9.4-1.2.mga6 ansible-2.7.12-1.mga6 ansible-2.7.12-1.mga7 from SRPMS: python-jmespath-0.9.4-1.2.mga6.src.rpm ansible-2.7.12-1.mga6.src.rpm ansible-2.7.12-1.mga7.src.rpm mga6, x86_64 Ran the update again against ansible-2.4.6. python3-jmespath was picked up as a dependency of ansible-2.7.12 but python-jmespath was not. It needed to be installed separately. Yes, they shouldn't both be a dependency. ansible is functioning OK for simple tests. letting the 64bit OK stand.
Thomas Backlund
2019-08-31 12:53:58 CEST
Keywords:
(none) =>
advisory, validated_update An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0234.html Resolution:
(none) =>
FIXED |