Bug 21902 - ansible new security issue CVE-2017-7550
Summary: ansible new security issue CVE-2017-7550
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA5TOO MGA6-64-OK MGA6-32-OK MGA5-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Reported: 2017-10-20 17:03 CEST by David Walser
Modified: 2017-11-02 22:48 CET

See Also:
Source RPM: ansible-
Status comment:


Description David Walser 2017-10-20 17:03:25 CEST
Red Hat has issued an advisory on October 19:

Mageia 5 and Mageia 6 are also affected.
David Walser 2017-10-20 17:03:31 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Marja Van Waes 2017-10-22 16:32:28 CEST

CC: (none) => marja11

Comment 1 Bruno Cornec 2017-10-31 11:02:44 CET
Updates made and pushed for all versions.


Comment 2 David Walser 2017-10-31 11:11:24 CET
Thanks Bruno!

Testing procedure:


Updated ansible package fixes security vulnerability:

A flaw was found in the way Ansible passed certain parameters to the
jenkins_plugin module. A remote attacker could use this flaw to expose
sensitive information from a remote host's logs. This flaw was fixed by not
allowing passwords to be specified in the "params" argument, and noting this
in the module documentation (CVE-2017-7550).

The ansible package has been updated to version 2.4.1 to fix this issue and
several other bugs.


Updated packages in core/updates_testing:

from SRPMS:

Assignee: bruno => qa-bugs
CC: (none) => bruno
Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
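The advisory above says the fix stops passwords from being accepted in the free-form "params" argument of jenkins_plugin, because that argument is folded into the request URL and so into logs. The following is an added illustration of that hardening and of a log check for the leak; it is not Ansible's module code, and the key names, path and log lines are constructed for the example.

```python
import re
from urllib.parse import urlencode, urlsplit, parse_qs

# Credential keys that must never ride inside "params": "params" becomes the
# query string, and query strings are logged on both the client and the
# Jenkins host (assumed key names, modelled on the advisory text).
FORBIDDEN_PARAM_KEYS = frozenset({"url_password", "password"})


def build_query_unchecked(params):
    """Pre-fix behaviour: whatever is in params lands in the URL verbatim."""
    return urlencode(params)


def params_are_safe(params):
    """True when no credential key is hidden inside params."""
    return not (FORBIDDEN_PARAM_KEYS & set(params))


def build_query_checked(params):
    """Post-fix behaviour: refuse credentials in params before any request."""
    leaked = sorted(FORBIDDEN_PARAM_KEYS & set(params))
    if leaked:
        raise ValueError(
            "credentials may not be passed in params (%s); "
            "use the dedicated password argument instead" % ", ".join(leaked)
        )
    return urlencode(params)


_URL_WITH_QUERY = re.compile(r"\S+\?\S+")


def find_credential_leaks(log_lines):
    """Scan log lines for URLs whose query string carries a credential key.

    Returns (1-based line number, offending key) pairs so a defender can
    locate entries to redact and rotate the exposed secret.
    """
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for token in _URL_WITH_QUERY.findall(line):
            query = parse_qs(urlsplit(token).query, keep_blank_values=True)
            for key in sorted(FORBIDDEN_PARAM_KEYS & set(query)):
                hits.append((lineno, key))
    return hits


# Constructed access-log sample: line 2 shows what the old behaviour leaves behind.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Oct/2017:17:03:25 +0200] "GET /updateCenter/install?pluginVersion=1.2 HTTP/1.1" 200',
    '10.0.0.5 - - [20/Oct/2017:17:03:31 +0200] "GET /updateCenter/install?pluginVersion=1.2&url_password=hunter2 HTTP/1.1" 200',
]
```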

David Walser 2017-10-31 11:11:33 CET

Keywords: (none) => has_procedure

Comment 3 Len Lawrence 2017-11-01 17:17:13 CET
Mageia 6 on x86_64.

Created a /tmp/hosts file containing the IP addresses of two machines on the LAN.
Used the ansible ping command successfully - see reference in comment 2.

Updated ansible.

$ ansible -i /tmp/hosts all -m ping | SUCCESS => {
    "changed": false, 
    "failed": false, 
    "ping": "pong"
} | SUCCESS => {
    "changed": false, 
    "failed": false, 
    "ping": "pong"

If this is all that is required then ansible is OK.

CC: (none) => tarazed25

Len Lawrence 2017-11-01 17:18:11 CET

Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK

Comment 4 Len Lawrence 2017-11-01 18:23:21 CET
Mageia 6 on i586 in virtualbox

Installed ansible and updated it.
Created new public RSA key and copied it to two hosts on the network.
$ cat .ssh/id_rsa.pub | ssh lcl@belexeuli 'cat >> .ssh/authorized_keys'
$ cat .ssh/id_rsa.pub | ssh lcl@hamal 'cat >> .ssh/authorized_keys'

Then ran the ansible test command.

$ ansible -i /tmp/hosts all -m ping | SUCCESS => {
    "changed": false, 
    "failed": false, 
    "ping": "pong"
} | SUCCESS => {
    "changed": false, 
    "failed": false, 
    "ping": "pong"

OK for 32-bit.
Len Lawrence 2017-11-01 18:23:55 CET

Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA6-32-OK

Comment 5 Len Lawrence 2017-11-01 18:53:00 CET
Mageia 5 on x86_64

$ sudo urpmi ansible
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release (distrib1)")
  python-babel                   1.3          8.mga5        noarch  
  python-ecdsa                   0.11         5.mga5        noarch  
  python-jinja2                  2.7.3        4.mga5        noarch  
  python-keyczar                 0.71c        5.mga5        noarch  
  python-markupsafe              0.23         6.mga5        x86_64  
  python-pytz                    2014.7       4.mga5        noarch  
  python-yaml                    3.10         10.mga5       x86_64  
(medium "Core Updates (distrib3)")
  ansible                    2.mga5        noarch  
  python-paramiko                1.15.2       1.1.mga5      noarch  
  python-pyasn1                  0.1.8        1.mga5        noarch  
  python-pycrypto                2.6.1        6.1.mga5      x86_64  

Generated a new RSA keypair, copied the public key to two other hosts on the network and tested ansible.
Updated the package:
- ansible-
- python-cffi-1.1.2-1.mga5.x86_64
- python-cryptography-1.0.2-1.1.mga5.x86_64
- python-enum34-1.0.4-1.mga5.noarch
- python-idna-2.0-1.mga5.noarch
- python-ipaddress-1.0.15-1.mga5.noarch
- python-ply-3.4-9.mga5.noarch
- python-pycparser-2.10-7.mga5.noarch
- python-six-1.7.3-4.mga5.noarch

$ ansible -i ~/tmp/hosts all -m ping | SUCCESS => {
    "changed": false, 
    "failed": false, 
    "ping": "pong"
} | SUCCESS => {
    "changed": false, 
    "failed": false, 
    "ping": "pong"

OK for 64-bit.
Len Lawrence 2017-11-01 18:53:14 CET

Whiteboard: MGA5TOO MGA6-64-OK MGA6-32-OK => MGA5TOO MGA6-64-OK MGA6-32-OK MGA5-64-OK

Lewis Smith 2017-11-02 09:14:58 CET

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2017-11-02 22:48:05 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED
