Bug 23225 - ansible new security issue CVE-2018-10855
Summary: ansible new security issue CVE-2018-10855
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-32-OK MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-06-24 22:52 CEST by David Walser
Modified: 2018-07-01 19:18 CEST
CC List: 3 users

See Also:
Source RPM: ansible-2.5.2-1.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2018-06-24 22:52:40 CEST
Fedora has issued an advisory today (June 24):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ILGCAZWUN7RSPO3IEB46IIDRMCI3ALP3/

The issue is fixed upstream in 2.4.5 and 2.5.5.

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-06-24 22:52:52 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Bruno Cornec 2018-06-25 06:42:26 CEST
Cauldron updated with 2.5.5

Status: NEW => ASSIGNED

Comment 2 Bruno Cornec 2018-06-25 07:02:02 CEST
MGA6 testing_updates updated with 2.4.5.0.
Comment 3 Bruno Cornec 2018-06-25 07:12:52 CEST
MGA5 testing_updates updated with 2.4.5.0.

Assignee: bruno => qa-bugs
Whiteboard: MGA6TOO => MGA6TOO, MGA5TOO

Comment 4 David Walser 2018-06-25 12:42:48 CEST
Advisory:
========================

Updated ansible package fixes security vulnerability:

Ansible prior to 2.4.5 does not honor the no_log task flag for failed tasks.
When the no_log flag has been used to protect sensitive data passed to a task
from being logged, and that task does not run successfully, Ansible will expose
sensitive data in log files and on the terminal of the user running Ansible
(CVE-2018-10855).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10855
https://github.com/ansible/ansible/blob/stable-2.4/CHANGELOG.md
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ILGCAZWUN7RSPO3IEB46IIDRMCI3ALP3/
========================

Updated packages in core/updates_testing:
========================
ansible-2.4.5.0-1.1.mga5
ansible-2.4.5.0-1.1.mga6

from SRPMS:
ansible-2.4.5.0-1.1.mga5.src.rpm
ansible-2.4.5.0-1.1.mga6.src.rpm

Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
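The advisory above describes the failure mode of CVE-2018-10855: `no_log: true` is applied only to results of tasks that succeed, so a failed task echoes its arguments (password, token) into the callback output and log files. The following is an added illustration, not Ansible's own code and not the upstream fix: it models a task result the way a module returns one, applies the pre-fix and the fixed censoring rule to it, renders it in the `host | STATUS => {...}` shape the default callback prints (as seen in the ping output further down this bug), and checks whether the secret survives. The function names, the constructed result and the sample secret are assumptions of the example; the `censored` key and its "output has been hidden" message mirror the placeholder Ansible prints for a no_log result.

```python
import json

# Added illustration of the CVE-2018-10855 behaviour class. This is NOT
# Ansible's code; function names and the constructed result below are
# assumptions made for the example. The "censored" key and the message are
# what Ansible substitutes for a result when no_log is honoured.

NO_LOG_MESSAGE = ("the output has been hidden due to the fact that "
                  "'no_log: true' was specified for this result")


def constructed_result(secret, failed):
    """Constructed module result shaped like a typical Ansible task result.

    Modules echo their arguments under invocation.module_args, which is
    exactly where a password or token passed to the task ends up.
    """
    return {
        "changed": False,
        "failed": failed,
        "msg": "authentication failed" if failed else "ok",
        "invocation": {"module_args": {"password": secret}},
    }


def censored(result):
    """Replace the result body with the standard no_log placeholder."""
    return {
        "censored": NO_LOG_MESSAGE,
        "changed": result.get("changed", False),
        "failed": result.get("failed", False),
    }


def censor_vulnerable(result, no_log):
    """Model of the behaviour the advisory describes (before 2.4.5/2.5.5):
    no_log is honoured only for a successful task, so a failed task's full
    result, secret included, reaches the callback and the logs."""
    if no_log and not result.get("failed"):
        return censored(result)
    return result


def censor_fixed(result, no_log):
    """Fixed behaviour: no_log is honoured regardless of the task outcome."""
    if no_log:
        return censored(result)
    return result


def render(host, result):
    """Render a result the way the default callback prints it
    (host | STATUS => {json}), so the leak check runs on realistic text."""
    status = "FAILED!" if result.get("failed") else "SUCCESS"
    return "%s | %s => %s" % (host, status,
                              json.dumps(result, indent=4, sort_keys=True))


def leaks_secret(output, secret):
    """The regression check: does the rendered output contain the secret?"""
    return secret in output


def demo(secret="hunter2-example-token", host="192.168.2.1"):
    """Run both censoring rules against a succeeding and a failing task
    (no_log set in every case) and report which combinations leak."""
    findings = {}
    for label, censor in (("vulnerable", censor_vulnerable),
                          ("fixed", censor_fixed)):
        for failed in (False, True):
            result = constructed_result(secret, failed)
            output = render(host, censor(result, no_log=True))
            key = "%s/%s" % (label, "failed" if failed else "ok")
            findings[key] = leaks_secret(output, secret)
    return findings


if __name__ == "__main__":
    for case, leaked in sorted(demo().items()):
        print("%-18s leaks secret: %s" % (case, leaked))
```

Only the "vulnerable/failed" case leaks. To verify a real installation rather than this model, write a playbook task that receives a secret as a module argument, set `no_log: true` on it, make it fail deliberately (for example by pointing it at a host or credential that will be rejected), run it with `-vvvv`, and grep the output and any configured log file for the secret; a fixed Ansible prints the censored placeholder for the failed task instead of the argument dump.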

Comment 5 Herman Viaene 2018-06-27 16:16:51 CEST
MGA5-32 on Dell Latitude D600 Xfce
No installation issues
Ref to my test in bug Comment 10.
Created hosts file containing one remote IP address
at CLI:
$ ansible -i hosts -vvvv -u <remote user> all -m ping
skipping lots of feedback the result:
192.168.2.1 | SUCCESS => {
    "changed": false, 
    "failed": false, 
    "invocation": {
        "module_args": {
            "data": "pong"
        }
    }, 
    "ping": "pong"
}
Looks good

CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK

Comment 6 Herman Viaene 2018-06-29 11:02:36 CEST
That is bug 19740 comment 10.
Comment 7 Herman Viaene 2018-06-29 11:15:11 CEST
MGA6-32 on IBM Thinkpad R50e MATE
no installation issues.
Same test and same result as comment 5 above. OK.

Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-32-OK

Comment 8 Dave Hodgins 2018-07-01 00:31:25 CEST
Advisory committed to svn. Validating the update.

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 9 Mageia Robot 2018-07-01 19:18:39 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0303.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
