Bug 23321 - ansible new security issues CVE-2018-1087[45]
Summary: ansible new security issues CVE-2018-1087[45]
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2018-07-17 16:06 CEST by David Walser
Modified: 2018-11-11 22:10 CET (History)
5 users (show)

See Also:
Source RPM: ansible-2.5.5-1.mga7.src.rpm
Status comment:


David Walser 2018-07-17 16:06:31 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Bruno Cornec 2018-10-10 18:51:38 CEST
ansible 2.7.0 pushed to cauldron


David Walser 2018-10-10 20:50:38 CEST

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 2 Bruno Cornec 2018-10-11 00:21:53 CEST
ansible pushed to mga6 testing
Bruno Cornec 2018-10-11 00:22:31 CEST

Assignee: bruno => qa-bugs

Comment 3 David Walser 2018-10-11 00:40:33 CEST

Updated ansible package fixes security vulnerabilities:

It was found that inventory variables are loaded from current working directory
when running ad-hoc command which are under attacker's control, allowing to run
arbitrary code as a result (CVE-2018-10874).

It was found that ansible.cfg is being read from the current working directory,
which can be made to point to plugin or module paths that are under control of
the attacker. This could allow an attacker to execute arbitrary code


Updated packages in core/updates_testing:

from ansible-
Comment 4 Herman Viaene 2018-10-30 16:06:47 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Ref to bug 19740 Comment 8 and 10
Lots of problems with trying to get the key over to the remote PC.
After a lot of googling found.
$ ssh-keygen -t rsa -b 4096
generated a good key, but then I needed
$ ssh-add
$ ssh-add -l
to add the key to the(?) agent, then
ssh-copy-id aaa@bbb
copied the public key over, so
$ ssh 'aaa@bbbb'
brought me correctly to the remote PC.
$ ansible -v -i /tmp/hosts all -m ping
Using /etc/ansible/ansible.cfg as config file
mach1 | UNREACHABLE! => {
    "changed": false, 
    "msg": "Failed to connect to the host via ssh: Permission denied (publickey,password,keyboard-interactive).\r\n", 
    "unreachable": true

CC: (none) => herman.viaene

Comment 5 Len Lawrence 2018-11-05 20:08:46 CET
Thanks Herman!  I had lots of problems also, even though this bug is not new to me.  I was trying to kill this agent guy when I noticed your "ssh-add" commands.  Now the ping test works.

Remote logins were working perfectly before with known_hosts - now they work with  authorized_keys.

Ran the update and performed the ping tests and remote logins.

Good for 64-bits.

Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25

Comment 6 Len Lawrence 2018-11-06 09:43:43 CET
Rider to comment #5:

A quick look at the RedHat documentation at https://docs.ansible.com/ansible/latest/index.html shows that this could be a useful tool for local networks.
The earlier test seemed a bit meagre so:

Added two ungrouped local addresses to /etc/ansible/hosts and ran simple commands from one host to run remotely on other nodes.

$ ansible all -a "/bin/echo hello"
192.168.1.aaa | SUCCESS | rc=0 >>

192.168.1.bb | SUCCESS | rc=0 >>

$ ansible all -a "/home/lcl/bin/calco"
192.168.1.bb | SUCCESS | rc=0 >>

192.168.1.aaa | SUCCESS | rc=0 >>

The latter raised an interactive gui on localhost for both remote nodes, a shortcut for logging in remotely to each node, doing work and exiting.
Comment 7 Thomas Andrews 2018-11-09 22:06:28 CET
Herman, does Comment 4 mean that there is a problem with 32-bits, or is it just that your procedure was flawed?

CC: (none) => andrewsfarm

Comment 8 Herman Viaene 2018-11-10 09:07:54 CET
The procedure was surely flawed, and for the moment I cann't do any further testing since I don't have access to my testing laptopfor the next days(4 I hope).
Comment 9 Thomas Andrews 2018-11-10 14:42:22 CET
Thank you, Herman.

OK then, I believe Len's 64-bit tests are sufficient. Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 10 Lewis Smith 2018-11-11 20:50:21 CET
Advisory done from comment 3.

Keywords: (none) => advisory
CC: (none) => lewyssmith

Comment 11 Mageia Robot 2018-11-11 22:10:58 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.