Bug 24395 - ansible new security issues CVE-2018-16837 and CVE-2019-3828
Summary: ansible new security issues CVE-2018-16837 and CVE-2019-3828
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-02-20 23:52 CET by David Walser
Modified: 2019-03-21 17:37 CET

See Also:
Source RPM: ansible-2.7.5-2.mga7.src.rpm
CVE:
Status comment: Patches available from Debian


Description David Walser 2019-02-20 23:52:04 CET
Debian has issued an advisory on February 19:
https://www.debian.org/security/2019/dsa-4396

CVE-2018-16837 was fixed in 2.7.1 (so Cauldron is not affected) but not backported to 2.4.

There's a pull request for 2.7.x for CVE-2019-3828 but not for 2.4.

Debian backported fixes all the way to 2.2.x.

Mageia 6 is affected by both issues.
David Walser 2019-02-20 23:52:11 CET

Whiteboard: (none) => MGA6TOO

Comment 1 David Walser 2019-03-08 21:53:41 CET
CVE-2018-16859 may still need to be fixed.  It might have been fixed upstream in 2.7.4, but Mageia 6 would need a fix.

openSUSE issued an advisory for that and other issues on February 23:
https://lists.opensuse.org/opensuse-updates/2019-02/msg00129.html
David Walser 2019-03-09 17:32:56 CET

Status comment: (none) => Patches available from Debian

Comment 2 David Walser 2019-03-12 15:45:46 CET
Fedora has issued an advisory for CVE-2019-3828 on March 1:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EAPPN6IGB2JEMLJG6UIZS6XRYGDRBYD2/
Comment 3 Bruno Cornec 2019-03-17 16:01:46 CET
Cauldron updated to ansible 2.7.8 which should fix this.

Status: NEW => ASSIGNED
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 4 David Walser 2019-03-17 16:15:02 CET
Yes, it looks like the fix for CVE-2019-3828 is in 2.7.8.  2.7.9 is out too.
Comment 5 Bruno Cornec 2019-03-17 16:19:16 CET
The only CVE fixed on the 2.4 branch is CVE-2018-10875 with 2.4.7. So none of the mentioned CVEs in this report are available for that branch for mga6.

I can bring 2.7.8 as on Cauldron if people agree on that. I've made a local test and it seems to work once you add python3-jmespath-0.9.3-3.mga6.noarch.rpm to it (would need a backport).
Comment 6 David Walser 2019-03-17 16:24:50 CET
It looks like CVE-2018-16859 just affects Windows and isn't important for us.  You can try the Debian patches for the other two CVEs, and update if that doesn't work.
Comment 7 Bruno Cornec 2019-03-17 16:40:33 CET
Trying to update to 2.7.9, I now have the following issue when running a playbook:

Exception ignored in: <function WeakValueDictionary.__init__.<locals>.remove at 0x7f5fdaba9bf8>
Traceback (most recent call last):
  File "/usr/lib64/python3.5/weakref.py", line 117, in remove
TypeError: 'NoneType' object is not callable
Exception ignored in: <function WeakValueDictionary.__init__.<locals>.remove at 0x7f5fe1d71268>
Traceback (most recent call last):
  File "/usr/lib64/python3.5/weakref.py", line 117, in remove
TypeError: 'NoneType' object is not callable

happening just at the end of the run, so the playbook passes, but that error is thrown.
Comment 8 Bruno Cornec 2019-03-17 16:57:40 CET
Hmm, it doesn't happen with all playbooks, just the first one I used to test!
Comment 9 Bruno Cornec 2019-03-17 18:14:47 CET
2.4.6.0-1 subrel 3 pushed to mga6 to fix the 2 CVEs mentioned above.

Assignee: bruno => qa-bugs

Comment 10 David Walser 2019-03-17 18:32:37 CET
Advisory:
========================

Updated ansible package fixes security vulnerabilities:

The user module leaked parameters passed to ssh-keygen to the process
environment (CVE-2018-16837).

The fetch module was susceptible to path traversal (CVE-2019-3828).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16837
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3828
https://www.debian.org/security/2019/dsa-4396
========================

Updated packages in core/updates_testing:
========================
ansible-2.4.6.0-1.3.mga6

from ansible-2.4.6.0-1.3.mga6.src.rpm
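As an added defensive illustration of the bug class named in the advisory above for CVE-2019-3828 (this is example code, not ansible's own fetch module or the Debian patch): a fetch-style module stores each retrieved file under "dest/hostname/remote-path", and every one of those components except dest comes from the managed node, so the controller must verify that the final local path cannot escape dest. The directory name, hostnames and paths below are constructed.

```python
import os
from pathlib import PurePosixPath

# Added example, not ansible's code: refuse any remote-supplied hostname or
# remote path that would make the controller write outside dest_dir
# (".." segments, or an absolute path that makes os.path.join drop the base).


def safe_fetch_dest(dest_dir: str, hostname: str, remote_path: str) -> str:
    """Return the local path for remote_path fetched from hostname.

    Raises ValueError when the remote-supplied parts would escape dest_dir.
    """
    base = os.path.normpath(os.path.abspath(dest_dir))
    # A hostname that is itself a path fragment must not become a directory.
    if hostname in ("", ".", "..") or "/" in hostname or "\0" in hostname:
        raise ValueError("unsafe hostname component: %r" % hostname)
    # Strip the leading "/" so an absolute remote path stays relative to base.
    rel = PurePosixPath(remote_path.lstrip("/"))
    if not rel.parts or any(part == ".." for part in rel.parts) or "\0" in remote_path:
        raise ValueError("unsafe remote path: %r" % remote_path)
    candidate = os.path.normpath(os.path.join(base, hostname, *rel.parts))
    # Second, independent check: the normalised result must still sit under base.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes %s: %s" % (base, candidate))
    return candidate


def is_rejected(dest_dir: str, hostname: str, remote_path: str) -> bool:
    """True when safe_fetch_dest refuses the combination."""
    try:
        safe_fetch_dest(dest_dir, hostname, remote_path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a benign fetch and two traversal attempts.
    print(safe_fetch_dest("/var/tmp/fetched", "web1", "/etc/hosts"))
    print(is_rejected("/var/tmp/fetched", "web1", "../../outside.txt"))
    print(is_rejected("/var/tmp/fetched", "..", "etc/hosts"))
```

In a real module the check should run again with os.path.realpath once the destination directories exist, so that a symlink planted under dest cannot redirect the write.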
Comment 11 Dave Hodgins 2019-03-17 20:12:14 CET
No regressions found, following procedure from bug 13278

Remote box has ssh running on port 34269.
$ cat /tmp/hosts
192.168.10.101:34269
$ ansible -i /tmp/hosts all -m ping
192.168.10.101 | SUCCESS => {
    "changed": false, 
    "failed": false, 
    "ping": "pong"
}
$

Advisory committed to svn. Validating the update.

Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA6-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 12 Mageia Robot 2019-03-21 17:37:44 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0114.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

