| Summary: | ansible new security issues CVE-2019-14904 and CVE-2019-14905 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, bruno, sysadmin-bugs, tarazed25 |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | ansible-2.7.15-1.mga7.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2020-01-23 23:02:30 CET
ansible 2.7.16 is now in mga7 updates_testing. Assignee:
bruno =>
qa-bugs Advisory: ======================== Updated ansible package fixes security vulnerabilities: A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' bare command on the remote machine. An attacker could take advantage of this flaw by crafting the name of the zone and executing arbitrary commands in the remote host (CVE-2019-14904). A vulnerability in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of confidentiality of the system among other issues (CVE-2019-14905). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14904 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14905 https://github.com/ansible/ansible/blob/v2.7.16/changelogs/CHANGELOG-v2.7.rst https://access.redhat.com/errata/RHSA-2020:0217 ======================== Updated packages in core/updates_testing: ======================== ansible-2.7.16-1.mga7 from ansible-2.7.16-1.mga7.src.rpm CC:
(none) =>
bruno Mageia7 x86_64
Updated ansible and installed sshpass.
Set up a temporary hosts file containing three LAN addresses including localhost. The following test fails for the local machine if its IP address is used.
$ ansible -k -i /tmp/hosts all -m ping
SSH password:
192.168.1.aaa | SUCCESS => {
"changed": false,
"ping": "pong"
}
192.168.1.bbb | SUCCESS => {
"changed": false,
"ping": "pong"
}
127.0.0.1 | SUCCESS => {
"changed": false,
"ping": "pong"
}
$ ansible -k -i /tmp/hosts all -a "/home/lcl/bin/chex"
SSH password:
192.168.1.bbb | CHANGED | rc=0 >>
192.168.1.aaa | CHANGED | rc=0 >>
127.0.0.1 | CHANGED | rc=0 >>
That showed a widget centre screen on all three machines. The CHANGED message comes up as each widget is closed.
However, the following command does not work very well, because it seems to want to act as a reverse terminal. It shows the Mate terminal with the inxi output for one of the remote hosts on the local monitor and then crashes. This has something to do with ssh and known_hosts AFAICS so does not reflect on ansible.
$ ansible -k -i ~/tmp/hosts all -a "mate-terminal -e 'inxi -b'"
SSH password:
.....
192.168.1.aaa | FAILED | rc=255 >>
non-zero return code
As far as these tests go ansible seems to be working as designed.Whiteboard:
(none) =>
MGA7-64-OK Taking your word for it, Len. Validating. Advisory in Comment 2. CC:
(none) =>
andrewsfarm, sysadmin-bugs
Lewis Smith
2020-01-27 20:28:38 CET
Keywords:
(none) =>
advisory An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0060.html Resolution:
(none) =>
FIXED |