Debian has issued an advisory on February 19: https://www.debian.org/security/2019/dsa-4396 CVE-2018-16837 was fixed in 2.7.1 (so Cauldron is not affected) but not backported to 2.4. There's a pull request for 2.7.x for CVE-2019-3828 but not for 2.4. Debian backported fixes all the way to 2.2.x. Mageia 6 is affected by both issues.
Whiteboard: (none) => MGA6TOO
CVE-2018-16859 may still need to be fixed. It might have been fixed upstream in 2.7.4, but Mageia 6 would need a fix. openSUSE issued an advisory for that and other issues on February 23: https://lists.opensuse.org/opensuse-updates/2019-02/msg00129.html
Status comment: (none) => Patches available from Debian
Fedora has issued an advisory for CVE-2019-3828 on March 1: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EAPPN6IGB2JEMLJG6UIZS6XRYGDRBYD2/
Cauldron updated to ansible 2.7.8, which should fix this.
Status: NEW => ASSIGNED
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Yes it looks like the fix for CVE-2019-3828 is in 2.7.8. 2.7.9 is out too.
The only CVE fixed on the 2.4 branch is CVE-2018-10875 with 2.4.7. So none of the CVEs mentioned in this report are available for that branch for mga6. I can bring 2.7.8 as on Cauldron if people agree on that. I've made a local test and it seems to work once you add python3-jmespath-0.9.3-3.mga6.noarch.rpm to it (would need a backport).
It looks like CVE-2018-16859 just affects Windows and isn't important for us. You can try the Debian patches for the other two CVEs, and update if that doesn't work.
Trying to update to 2.7.9, I now have the following issue when running a playbook:

Exception ignored in: <function WeakValueDictionary.__init__.<locals>.remove at 0x7f5fdaba9bf8>
Traceback (most recent call last):
  File "/usr/lib64/python3.5/weakref.py", line 117, in remove
TypeError: 'NoneType' object is not callable
Exception ignored in: <function WeakValueDictionary.__init__.<locals>.remove at 0x7f5fe1d71268>
Traceback (most recent call last):
  File "/usr/lib64/python3.5/weakref.py", line 117, in remove
TypeError: 'NoneType' object is not callable

It happens just at the end of the run, so the playbook is passed, but that error is thrown.
Hmm, it doesn't happen with all playbooks, just the first one I used to test!
2.4.6.0-1 subrel 3 pushed to mga6 to fix the 2 CVEs mentioned above.
Assignee: bruno => qa-bugs
Advisory:
========================

Updated ansible package fixes security vulnerabilities:

The user module leaked parameters passed to ssh-keygen to the process environment (CVE-2018-16837).

The fetch module was susceptible to path traversal (CVE-2019-3828).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16837
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3828
https://www.debian.org/security/2019/dsa-4396
========================

Updated packages in core/updates_testing:
========================
ansible-2.4.6.0-1.3.mga6

from ansible-2.4.6.0-1.3.mga6.src.rpm
No regressions found, following procedure from bug 13278. Remote box has ssh running on port 34269.

$ cat /tmp/hosts
192.168.10.101:34269
$ ansible -i /tmp/hosts all -m ping
192.168.10.101 | SUCCESS => {
    "changed": false,
    "failed": false,
    "ping": "pong"
}
$

Advisory committed to svn. Validating the update.
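The advisory above names the fetch module's path traversal (CVE-2019-3828): the local destination is derived from values a managed host supplies, so a hostile host can steer the write outside the intended directory. The following is an added illustration of the containment check such a fix needs, written here for this thread; it is not Ansible's code and `fetch_destination`/`UnsafePathError` are names chosen for the example.

```python
import os
import posixpath


class UnsafePathError(ValueError):
    """Raised when a computed destination would leave the fetch directory."""


def fetch_destination(dest_dir, inventory_hostname, remote_path):
    """Return the local path for a file fetched from a managed host, using
    fetch's <dest>/<hostname>/<remote path> layout, but only if the result
    stays inside dest_dir.

    Both inventory_hostname and remote_path can be influenced by a
    compromised managed host, so they are treated as untrusted input.
    """
    base = os.path.realpath(dest_dir)
    # Strip leading slashes so the remote path is appended to the base,
    # not substituted for it (os.path.join would otherwise restart at "/").
    relative = posixpath.normpath(remote_path).lstrip("/")
    candidate = os.path.realpath(
        os.path.join(base, inventory_hostname, relative))
    # The resolved target must be base itself or live beneath it; "..",
    # symlinked components and absolute paths all fail this check.
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePathError(
            "refusing to write outside %s: %s" % (base, candidate))
    return candidate


def is_safe_destination(dest_dir, inventory_hostname, remote_path):
    """Boolean wrapper around fetch_destination for quick checks."""
    try:
        fetch_destination(dest_dir, inventory_hostname, remote_path)
        return True
    except UnsafePathError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one benign fetch, two traversal attempts.
    for host, path in [("web1", "/etc/hosts"),
                       ("web1", "../../../etc/passwd"),
                       ("../../outside", "/etc/hosts")]:
        print(host, path, "->", is_safe_destination("/tmp/fetched", host, path))
```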
Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA6-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0114.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED