Bug 19740 - ansible new security issues CVE-2016-8614, CVE-2016-8628, CVE-2016-8647, CVE-2016-9587, CVE-2017-7466
Summary: ansible new security issues CVE-2016-8614, CVE-2016-8628, CVE-2016-8647, CVE-...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal major
Target Milestone: Mageia 5
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/705915/
Whiteboard: has_procedure advisory MGA5-64-OK MGA...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-11-08 18:21 CET by David Walser
Modified: 2017-06-10 09:01 CEST

See Also:
Source RPM: ansible-1.9.6-1.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2016-11-08 18:21:45 CET
Fedora has issued an advisory on November 7:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BTRG5RQTE7EPZLVJR7WCHPV2O3LCCEJ5/

The issues are fixed upstream in 2.2.0.0.

Mageia 5 may also be affected.
David Walser 2016-11-08 18:21:51 CET

Whiteboard: (none) => MGA5TOO

David Walser 2016-11-08 18:22:02 CET

Severity: normal => major

Comment 1 Bruno Cornec 2016-11-20 23:53:03 CET
From https://bugzilla.redhat.com/show_bug.cgi?id=1388113 version 1.9 is not affected by CVE-2016-8628
Comment 2 Bruno Cornec 2016-11-20 23:57:32 CET
The other CVE is also valid for 1.9 per https://github.com/ansible/ansible-modules-core/commit/746d51d1ff7a7bb3c2c71a2d8239cba93b6dea96 and https://github.com/ansible/ansible-modules-core/commit/746d51d1ff7a7bb3c2c71a2d8239cba93b6dea96

I'll look at applying these to our 1.9 version in order to avoid upgrading it to 2.2.0.0 and creating migration issues.
Comment 3 Nicolas Lécureuil 2016-11-26 19:45:14 CET
removing cauldron, as we have version 2.2.0.0 in cauldron.

CC: (none) => mageia
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 4 Bruno Cornec 2017-01-03 02:30:52 CET
Seems I messed up the ref upper, and missed the second one which is:
https://github.com/ansible/ansible-modules-core/commit/08017c2be0991877bd4bb6d14ba2ff9450f17184

Status: NEW => ASSIGNED

Comment 5 Bruno Cornec 2017-01-03 11:43:00 CET
Uploaded a version to updates_testing
Seems that only one patch was needed; the other one was already part of the code.

Assignee: bruno => qa-bugs
Source RPM: ansible-2.1.1.0-1.mga6.src.rpm => ansible-1.9.6-1.mga5.src.rpm

Comment 6 Rémi Verschelde 2017-01-05 10:35:27 CET
Please don't forget to post the advisory here Bruno (and if you also uploaded it to SVN yourself, mark that on the whiteboard): https://wiki.mageia.org/en/Updates_policy#Maintainer_.28or_any_interested_packager.29
Comment 7 Lewis Smith 2017-01-07 21:24:24 CET
For basic testing, this needs a couple of networked computers with ssh access using an ssh key. The procedure below is taken from:
 https://bugs.mageia.org/show_bug.cgi?id=16309#c9    [thanks Philippe]
 https://bugs.mageia.org/show_bug.cgi?id=16309#c12   [thanks Shlomi]
---
Create a file, for example /tmp/hosts, with the IP address of the distant box:
 $ cat /tmp/hosts 
192.168.0.51
 $ ansible -i /tmp/hosts all -m ping
192.168.0.51 | success >> {
    "changed": false, 
    "ping": "pong"
}

Another example:
 $ cat /tmp/hosts 
10.0.0.5
10.0.0.10
 $ ansible -i /tmp/hosts all -m ping
10.0.0.5 | success >> {
    "changed": false,
    "ping": "pong"
}

10.0.0.10 | success >> {
    "changed": false,
    "ping": "pong"
}
---

CC: (none) => lewyssmith
Whiteboard: (none) => has_procedure

Comment 8 Herman Viaene 2017-01-13 15:43:00 CET
MGA5-32 on AcerD620 Xfce
No installation issues
I fail to understand this. I generated on the test laptop
[xxxx@yyyy .ssh]$ ssh-keygen -t rsa
no passphrase used
then
[xxxx@yyyy .ssh]$ ssh-copy-id aaaa@bbbb
Password: 
Now try logging into the machine, with "ssh 'aaaa@bbbb'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

note that the users xxxx and aaaa are not the same
then

[xxxx@yyyy .ssh]$ ssh 'aaaa@bbbb'
Last login: Fri Jan 13 09:59:45 2017
[aaaa@bbbb ~]$ exit
logout
Connection to bbbb closed.
[xxxx@yyyy .ssh]$ ansible -vvvv -i /tmp/hosts all -m ping
<192.168.2.1> ESTABLISH CONNECTION FOR USER: xxxx
<192.168.2.1> REMOTE_MODULE ping
<192.168.2.1> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/home/tester5/.ansible/cp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 192.168.2.1 /bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1484317641.91-202769214120196 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1484317641.91-202769214120196 && echo $HOME/.ansible/tmp/ansible-tmp-1484317641.91-202769214120196'
192.168.2.1 | FAILED => SSH Error: Permission denied (publickey,password,keyboard-interactive).
    while connecting to 192.168.2.1:22
It is sometimes useful to re-run the command using -vvvv, which prints SSH debug output to help diagnose the issue.

note that 192.168.2.1 is in the /tmp/hosts file

CC: (none) => herman.viaene

Comment 9 Philippe Makowski 2017-01-13 16:34:37 CET
in your case you should then use :
[xxxx@yyyy .ssh]$ ansible -vvvv -u aaaa -i /tmp/hosts all -m ping

CC: (none) => makowski.mageia

Comment 10 Herman Viaene 2017-01-14 10:48:37 CET
Tx Philippe, that did the trick, now I get
[xxxx@yyyy .ssh]$ ansible -vvvv -u aaaa -i /tmp/hosts all -m ping
bbbbb | success >> {
    "changed": false,
    "ping": "pong"
}

Whiteboard: has_procedure => has_procedure MGA5-32-OK

Comment 11 Lewis Smith 2017-01-14 20:56:18 CET
Please provide an advisory. TIA.
And thanks Herman for your test.
Comment 12 David Walser 2017-01-14 21:21:28 CET
Advisory:
========================

Updated ansible packages fix security vulnerability:

It was found that apt_key module does not properly verify key fingerprints,
allowing remote adversary to create an OpenPGP key which matches the short key
ID and inject this key instead of the correct key (CVE-2016-8614).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8614
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BTRG5RQTE7EPZLVJR7WCHPV2O3LCCEJ5/
Comment 13 Lewis Smith 2017-01-15 12:27:26 CET
Advisory uploaded, but it *lacks the SRPM*. Please can someone add that to it.

Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK advisory

Comment 14 David Walser 2017-01-26 00:02:36 CET
Fedora has issued an advisory today (January 25):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WJGWOHRWU3FB2DF3V6NNS4GGBWKSOWYA/

Ansible 2.2.1 fixes at least two more security issues.

CC: (none) => qa-bugs
Version: 5 => Cauldron
Assignee: qa-bugs => bruno
Summary: ansible new security issues CVE-2016-8614 and CVE-2016-8628 => ansible new security issues CVE-2016-8614, CVE-2016-8628, CVE-2016-8647, and CVE-2016-9587
Whiteboard: has_procedure MGA5-32-OK advisory => has_procedure MGA5TOO

Comment 15 David Walser 2017-01-27 00:21:51 CET
CVE-2016-8647:
https://lwn.net/Vulnerabilities/712665/

CVE-2016-9587:
https://lwn.net/Vulnerabilities/712658/
Comment 16 Philippe Makowski 2017-01-27 10:07:44 CET
(In reply to David Walser from comment #15)
> CVE-2016-8647:
> https://lwn.net/Vulnerabilities/712665/
> 
> CVE-2016-9587:
> https://lwn.net/Vulnerabilities/712658/

https://bugs.mageia.org/show_bug.cgi?id=20115
Comment 17 David Walser 2017-04-17 22:23:30 CEST
Fedora has issued an advisory today (April 17):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UQMRFYTFTPAGI22UEXIEZH4U4BOTGVWH/

It fixes a new issue, CVE-2017-7466.

Summary: ansible new security issues CVE-2016-8614, CVE-2016-8628, CVE-2016-8647, and CVE-2016-9587 => ansible new security issues CVE-2016-8614, CVE-2016-8628, CVE-2016-8647, CVE-2016-9587, CVE-2017-7466

Comment 18 Bruno Cornec 2017-05-11 01:33:51 CEST
Hello,

Sorry for being late :-( I have now uploaded 2.3.0.0 to cauldron and asked for a freeze push. That will fix these issues.

Now what do you want us to do for mga5? Should I backport it? (I'm currently using 2.1.1.0 on mga5 without issues)
Comment 19 David Walser 2017-05-11 12:09:18 CEST
It's up to you.  If updating it fixes all of the remaining issues and that's easier than backporting the remaining patches, that's fine.  We've updated ansible in the past without issues.

Version: Cauldron => 5
Whiteboard: has_procedure MGA5TOO => has_procedure

Comment 20 Bruno Cornec 2017-06-06 20:08:53 CEST
I've pushed ansible 2.3.0.0 for mga5 as well now.
Comment 21 David Walser 2017-06-07 02:19:44 CEST
If CVE-2016-9587 didn't affect Mageia 5, then CVE-2017-7466 wouldn't either (as it's for an incomplete fix for the former), so not listing it in the advisory.  Keep in mind that the advisory in SVN needs to be updated accordingly.

Bruno, if I recall correctly, we needed to update Cauldron from 2.3.0.0 to 2.3.1.0 to fix a regression.  Shouldn't we do the same here?

Advisory:
========================

Updated ansible packages fix security vulnerabilities:

It was found that apt_key module does not properly verify key fingerprints,
allowing remote adversary to create an OpenPGP key which matches the short key
ID and inject this key instead of the correct key (CVE-2016-8614).

It is reported that in Ansible, under some circumstances the mysql_user module
may fail to correctly change a password. Thus an old password may still be
active when it should have been changed (CVE-2016-8647).

The ansible package has been updated to version 2.3 to fix these issues and
several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8614
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8647
https://github.com/ansible/ansible/blob/stable-2.3/CHANGELOG.md
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BTRG5RQTE7EPZLVJR7WCHPV2O3LCCEJ5/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WJGWOHRWU3FB2DF3V6NNS4GGBWKSOWYA/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UQMRFYTFTPAGI22UEXIEZH4U4BOTGVWH/
========================

Updated packages in core/updates_testing:
========================
ansible-2.3.0.0-2.mga5

from ansible-2.3.0.0-2.mga5.src.rpm
Comment 22 Lewis Smith 2017-06-07 22:52:38 CEST
It looks as if this update needs to be recycled for re-testing. It is not currently in madb/tools/updates. I will revise the Advisory.
Comment 23 David Walser 2017-06-08 00:17:56 CEST
Bruno hasn't assigned it back to QA yet.  I'm waiting to see if we need to update it again.
Comment 24 Lewis Smith 2017-06-08 09:05:20 CEST
Thanks for the clarification. I shall leave the defunct Advisory alone until then.
Comment 25 Bruno Cornec 2017-06-09 01:47:33 CEST
Updated to 2.3.1.0 as well in parity with cauldron now.

Target Milestone: --- => Mageia 5
Assignee: bruno => qa-bugs

Comment 26 David Walser 2017-06-09 16:16:38 CEST
Thanks, and wouldn't you know that 2.3.1 has another security fix.  Please do try to reset the release tag to 1 in the future when upgrading a package for stable.

Advisory:
========================

Updated ansible packages fix security vulnerabilities:

It was found that apt_key module does not properly verify key fingerprints,
allowing remote adversary to create an OpenPGP key which matches the short key
ID and inject this key instead of the correct key (CVE-2016-8614).

It is reported that in Ansible, under some circumstances the mysql_user module
may fail to correctly change a password. Thus an old password may still be
active when it should have been changed (CVE-2016-8647).

Data for lookup plugins used as variables was not being correctly marked as
"unsafe" (CVE-2017-7481).

The ansible package has been updated to version 2.3.1 to fix these issues and
several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8614
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8647
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7481
https://github.com/ansible/ansible/blob/stable-2.3/CHANGELOG.md
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BTRG5RQTE7EPZLVJR7WCHPV2O3LCCEJ5/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WJGWOHRWU3FB2DF3V6NNS4GGBWKSOWYA/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UQMRFYTFTPAGI22UEXIEZH4U4BOTGVWH/
========================

Updated packages in core/updates_testing:
========================
ansible-2.3.1.0-2.mga5

from ansible-2.3.1.0-2.mga5.src.rpm

CC: (none) => bruno
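
The short key ID weakness that the advisory text describes for CVE-2016-8614, as an added example that is not code from Ansible or Mageia: matching a key by its 8-hex-digit short ID accepts any key whose fingerprint ends in those digits, while pinning the full 40-hex fingerprint does not. The key listing and fingerprints are constructed, and the function names are hypothetical.

```python
import re

# Constructed key listing in `gpg --with-colons` style (not real keys): two
# primary keys whose fingerprints differ but share the last 8 hex digits.
GENUINE = "0123456789ABCDEF0123456789ABCDEFDEADBEEF"
LOOKALIKE = "FEDCBA9876543210FEDCBA9876543210DEADBEEF"
SAMPLE_LISTING = f"""\
pub:-:4096:1:{GENUINE[-16:]}:1478000000:::-:::scESC:
fpr:::::::::{GENUINE}:
uid:-::::1478000000::::Constructed Repo Key <repo@example.invalid>:
pub:-:4096:1:{LOOKALIKE[-16:]}:1478600000:::-:::scESC:
fpr:::::::::{LOOKALIKE}:
uid:-::::1478600000::::Constructed Repo Key <repo@example.invalid>:
"""

def normalize(key_id):
    """Upper-case hex with any 0x prefix and whitespace removed."""
    value = re.sub(r"\s+", "", key_id).upper()
    return value[2:] if value.startswith("0X") else value

def primary_fingerprints(listing):
    """Return the fingerprint of each primary key (fpr record after pub)."""
    found, last = [], None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and last == "pub":
            found.append(fields[9])
        if fields[0] in ("pub", "sub"):
            last = fields[0]
    return found

def match_by_suffix(fingerprints, key_id):
    """Weak check: accept any key whose fingerprint ends with key_id."""
    wanted = normalize(key_id)
    return [f for f in fingerprints if f.endswith(wanted)]

def audit_pin(fingerprints, pinned):
    """Strict check: require a full 40-hex pin and report short-ID lookalikes."""
    wanted = normalize(pinned)
    if not re.fullmatch(r"[0-9A-F]{40}", wanted):
        raise ValueError("pin the full 40-hex fingerprint, not a key ID")
    return {"trusted": [f for f in fingerprints if f == wanted],
            "colliding": [f for f in fingerprints
                          if f != wanted and f.endswith(wanted[-8:])]}

if __name__ == "__main__":
    fprs = primary_fingerprints(SAMPLE_LISTING)
    print("short ID matches:", match_by_suffix(fprs, "0xDEADBEEF"))
    print("full pin audit  :", audit_pin(fprs, GENUINE))
```
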

David Walser 2017-06-09 16:16:47 CEST

CC: qa-bugs => (none)

Comment 27 Lewis Smith 2017-06-09 21:00:54 CEST
Advisory updated from Comment 26.

Whiteboard: has_procedure => has_procedure advisory

Comment 28 Dave Hodgins 2017-06-10 01:21:11 CEST
Testing on x86_64.
I use non standard ports for ssh to avoid having script kiddies fill my logs. In my test, the word munged is replaced by the port number I use for that host in the below example.
$ echo '192.168.10.101:munged'>/tmp/hosts
$ ansible -i /tmp/hosts all -m ping
192.168.10.101 | SUCCESS => {
    "changed": false, 
    "ping": "pong"
}

Tested on i586 with same results. I did note that it has added requires ...
# urpmi ansible
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release (distrib1)")
  libdbusglib-gir1.0             1.42.0       3.mga5        i586    
(medium "Core Updates (distrib3)")
  libnetworkmanager-gir1.0       1.0.12       1.1.mga5      i586    
  libnm-glib4                    1.0.12       1.1.mga5      i586    
  libnm-util2                    1.0.12       1.1.mga5      i586    
  libnm0                         1.0.12       1.1.mga5      i586    
  libnmclient-gir1.0             1.0.12       1.1.mga5      i586    
(medium "Core Updates Testing (distrib5)")
  ansible                        2.3.1.0      2.mga5        noarch

Same results in testing before and after installing the updated version.

Keywords: (none) => validated_update
Whiteboard: has_procedure advisory => has_procedure advisory MGA5-64-OK MGA5-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 29 Mageia Robot 2017-06-10 09:01:58 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0164.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

