Bug 23321 - ansible new security issues CVE-2018-1087[45]
Summary: ansible new security issues CVE-2018-1087[45]
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-07-17 16:06 CEST by David Walser
Modified: 2018-10-11 00:40 CEST (History)

See Also:
Source RPM: ansible-2.5.5-1.mga7.src.rpm
CVE:
Status comment:



David Walser 2018-07-17 16:06:31 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Bruno Cornec 2018-10-10 18:51:38 CEST
ansible 2.7.0 pushed to cauldron

Status: NEW => ASSIGNED

David Walser 2018-10-10 20:50:38 CEST

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 2 Bruno Cornec 2018-10-11 00:21:53 CEST
ansible 2.4.6.0 pushed to mga6 testing

Bruno Cornec 2018-10-11 00:22:31 CEST

Assignee: bruno => qa-bugs

Comment 3 David Walser 2018-10-11 00:40:33 CEST
Advisory:
========================

Updated ansible package fixes security vulnerabilities:

It was found that inventory variables are loaded from the current working directory
when running ad-hoc commands, which is under the attacker's control, allowing
arbitrary code to be run as a result (CVE-2018-10874).

It was found that ansible.cfg is being read from the current working directory,
which can be made to point to plugin or module paths that are under control of
the attacker. This could allow an attacker to execute arbitrary code
(CVE-2018-10875).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10874
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10875
https://github.com/ansible/ansible/blob/stable-2.4/CHANGELOG.md
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DXWC5D7CU2JQAN3QB3BCCLZMZLTI2N6W/
========================

Updated packages in core/updates_testing:
========================
ansible-2.4.6.0-1.1.mga6

from ansible-2.4.6.0-1.1.mga6.src.rpm
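As an added example, not part of this bug report or of Ansible's own code: a small Python check that walks the ansible.cfg search order (assumed from Ansible's documentation: `$ANSIBLE_CONFIG`, `./ansible.cfg`, `~/.ansible.cfg`, `/etc/ansible/ansible.cfg`) and flags a config picked up from a working directory that is world-writable or not owned by the running user, the condition CVE-2018-10875 turns on. The sample `ansible.cfg` contents and the throwaway directory are constructed for the demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional

ETC_CONFIG = Path("/etc/ansible/ansible.cfg")


def candidate_configs(env: dict, cwd: Path, home: Path) -> list:
    """Assumed Ansible search order: $ANSIBLE_CONFIG, ./ansible.cfg, ~/.ansible.cfg, /etc/ansible/ansible.cfg."""
    cands = [Path(env["ANSIBLE_CONFIG"])] if env.get("ANSIBLE_CONFIG") else []
    return cands + [cwd / "ansible.cfg", home / ".ansible.cfg", ETC_CONFIG]


def resolve_config(env: dict, cwd: Path, home: Path) -> Optional[Path]:
    """First existing candidate wins; note that ./ansible.cfg shadows the user and system files."""
    return next((c for c in candidate_configs(env, cwd, home) if c.is_file()), None)


def cwd_config_risk(cwd: Path, uid: int) -> Optional[str]:
    """Reason an ansible.cfg found in cwd should not be trusted (writable/owned by others), else None."""
    cfg = cwd / "ansible.cfg"
    if not cfg.is_file():
        return None
    dir_st = cwd.stat()
    if dir_st.st_mode & stat.S_IWOTH:
        return "world-writable working directory"
    if dir_st.st_uid != uid or cfg.stat().st_uid != uid:
        return "working directory or ansible.cfg not owned by current user"
    return None


def check_in_sandbox(dir_mode: int) -> dict:
    """Build a throwaway working directory holding a constructed ansible.cfg and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        cwd = Path(tmp)
        # Constructed config: redirects module lookup to a relative path, the knob the advisory describes.
        (cwd / "ansible.cfg").write_text("[defaults]\nlibrary = ./modules\n")
        cwd.chmod(dir_mode)
        chosen = resolve_config({}, cwd, Path("/nonexistent-home"))
        return {"chosen_in_cwd": chosen == cwd / "ansible.cfg",
                "risk": cwd_config_risk(cwd, os.getuid())}


if __name__ == "__main__":
    print(check_in_sandbox(0o777))  # cwd config chosen and flagged as world-writable
    print(check_in_sandbox(0o755))  # cwd config chosen, no permission or ownership finding
```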
