Fedora has issued an advisory on July 12:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DXWC5D7CU2JQAN3QB3BCCLZMZLTI2N6W/

The issues are fixed upstream in 2.4.6, 2.5.6, and 2.6.1:
https://github.com/ansible/ansible/blob/stable-2.4/CHANGELOG.md
https://github.com/ansible/ansible/blob/stable-2.5/changelogs/CHANGELOG-v2.5.rst
https://github.com/ansible/ansible/blob/stable-2.6/changelogs/CHANGELOG-v2.6.rst

Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
ansible 2.7.0 pushed to cauldron
Status: NEW => ASSIGNED
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
ansible 2.4.6.0 pushed to mga6 testing
Assignee: bruno => qa-bugs
Advisory:
========================

Updated ansible package fixes security vulnerabilities:

It was found that inventory variables are loaded from current working directory when running ad-hoc command which are under attacker's control, allowing to run arbitrary code as a result (CVE-2018-10874).

It was found that ansible.cfg is being read from the current working directory, which can be made to point to plugin or module paths that are under control of the attacker. This could allow an attacker to execute arbitrary code (CVE-2018-10875).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10874
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10875
https://github.com/ansible/ansible/blob/stable-2.4/CHANGELOG.md
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DXWC5D7CU2JQAN3QB3BCCLZMZLTI2N6W/
========================

Updated packages in core/updates_testing:
========================
ansible-2.4.6.0-1.1.mga6

from ansible-2.4.6.0-1.1.mga6.src.rpm
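An added example, not part of this bug report and not Ansible's own code: a Python audit for the condition both CVEs in the advisory depend on, namely that ansible.cfg or inventory variable directories in the working directory can be altered by someone other than the operator. The directory names group_vars and host_vars, the function names and the default set of trusted uids (root plus the current user) are assumptions of this example.

```python
import os
import stat

# Inputs Ansible may pick up from the working directory. ansible.cfg is named
# in the advisory; group_vars and host_vars are the conventional
# inventory-variable directories (assumed to be the ones the advisory means).
CWD_INPUTS = ("ansible.cfg", "group_vars", "host_vars")


def untrusted_writer(path, trusted_uids):
    """Return a reason string if someone outside trusted_uids can alter path."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return "is a symlink"
    if st.st_uid not in trusted_uids:
        return "owned by uid %d" % st.st_uid
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    return None


def audit_workdir(workdir, trusted_uids=None):
    """List (path, reason) findings for a directory ansible would be run from."""
    if trusted_uids is None:
        trusted_uids = {0, os.getuid()}
    workdir = os.path.realpath(workdir)
    findings = []
    dir_reason = untrusted_writer(workdir, trusted_uids)
    if dir_reason:
        # Anyone who can write the directory can plant the inputs below.
        findings.append((workdir, "directory " + dir_reason))
    for name in CWD_INPUTS:
        candidate = os.path.join(workdir, name)
        if not os.path.lexists(candidate):
            continue
        reason = untrusted_writer(candidate, trusted_uids)
        if reason:
            findings.append((candidate, reason))
        elif dir_reason:
            findings.append((candidate, "present in an untrusted directory"))
    return findings


if __name__ == "__main__":
    for path, reason in audit_workdir(os.getcwd()):
        print("%s: %s" % (path, reason))
```

An empty result means no finding by these checks only; group-writable permissions are not examined.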
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Ref to bug 19740 Comment 8 and 10
Lots of problems with trying to get the key over to the remote PC. After a lot of googling found.
$ ssh-keygen -t rsa -b 4096
generated a good key, but then I needed
$ ssh-add
and
$ ssh-add -l
to add the key to the(?) agent, then ssh-copy-id aaa@bbb copied the public key over, so
$ ssh 'aaa@bbbb'
brought me correctly to the remote PC.
But
$ ansible -v -i /tmp/hosts all -m ping
Using /etc/ansible/ansible.cfg as config file
mach1 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: Permission denied (publickey,password,keyboard-interactive).\r\n",
    "unreachable": true
CC: (none) => herman.viaene
Thanks Herman! I had lots of problems also, even though this bug is not new to me. I was trying to kill this agent guy when I noticed your "ssh-add" commands. Now the ping test works. Remote logins were working perfectly before with known_hosts - now they work with authorized_keys. Ran the update and performed the ping tests and remote logins. Good for 64-bits.
Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25
Rider to comment #5:
A quick look at the Red Hat documentation at https://docs.ansible.com/ansible/latest/index.html shows that this could be a useful tool for local networks.
The earlier test seemed a bit meagre so:
Added two ungrouped local addresses to /etc/ansible/hosts and ran simple commands from one host to run remotely on other nodes.
$ ansible all -a "/bin/echo hello"
192.168.1.aaa | SUCCESS | rc=0 >>
hello

192.168.1.bb | SUCCESS | rc=0 >>
hello

$ ansible all -a "/home/lcl/bin/calco"
192.168.1.bb | SUCCESS | rc=0 >>

192.168.1.aaa | SUCCESS | rc=0 >>

The latter raised an interactive gui on localhost for both remote nodes, a shortcut for logging in remotely to each node, doing work and exiting.
Herman, does Comment 4 mean that there is a problem with 32-bits, or is it just that your procedure was flawed?
CC: (none) => andrewsfarm
@Thomas The procedure was surely flawed, and for the moment I can't do any further testing since I don't have access to my testing laptop for the next days (4 I hope).
Thank you, Herman. OK then, I believe Len's 64-bit tests are sufficient. Validating. Advisory in Comment 3.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory done from comment 3.
Keywords: (none) => advisory
CC: (none) => lewyssmith
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0439.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED