RedHat has issued an advisory today (January 23):
https://access.redhat.com/errata/RHSA-2020:0216
https://access.redhat.com/errata/RHSA-2020:0217

The issues are fixed upstream in 2.7.16:
https://github.com/ansible/ansible/blob/v2.7.16/changelogs/CHANGELOG-v2.7.rst
ansible 2.7.16 is now in mga7 updates_testing.
Assignee: bruno => qa-bugs
Status: NEW => ASSIGNED
Advisory:
========================

Updated ansible package fixes security vulnerabilities:

A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' bare command on the remote machine. An attacker could take advantage of this flaw by crafting the name of the zone and executing arbitrary commands in the remote host (CVE-2019-14904).

A vulnerability in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of confidentiality of the system among other issues (CVE-2019-14905).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14904
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14905
https://github.com/ansible/ansible/blob/v2.7.16/changelogs/CHANGELOG-v2.7.rst
https://access.redhat.com/errata/RHSA-2020:0217
========================

Updated packages in core/updates_testing:
========================
ansible-2.7.16-1.mga7

from ansible-2.7.16-1.mga7.src.rpm
CC: (none) => bruno
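An added illustration of the flaw class the advisory describes for solaris_zone, a zone name reaching a shell command line, next to a hardened form. It is not code from Ansible or from this report; the `ps` invocation, the allowlist pattern and the sample names are assumptions constructed for the example.

```python
import re
import shlex

# Assumed allowlist for this example: a leading alphanumeric, then
# alphanumerics, '.', '_' or '-', 64 characters at most.
ZONE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def is_valid_zone_name(name):
    # fullmatch() rejects a trailing newline, which match() with '$' would let through.
    return isinstance(name, str) and ZONE_NAME_RE.fullmatch(name) is not None


def unsafe_shell_line(name):
    """Flawed pattern: the name is pasted into a string handed to a shell.
    Hypothetical ps invocation, not the module's actual command."""
    return "ps -o args -z %s" % name


def shell_tokens(line):
    """Tokenize the way a POSIX shell would, keeping operators as tokens."""
    return list(shlex.shlex(line, posix=True, punctuation_chars=True))


def safe_argv(name):
    """Hardened pattern: validate first, then build an argv list for
    subprocess.run(argv) with no shell, so the name stays one argument."""
    if not is_valid_zone_name(name):
        raise ValueError("rejected zone name: %r" % (name,))
    return ["ps", "-o", "args", "-z", name]


def audit(names):
    """Return the names from a playbook or inventory that must be refused."""
    return [n for n in names if not is_valid_zone_name(n)]


if __name__ == "__main__":
    # Constructed sample values.
    samples = ["web01", "db.zone-2", "web01; id", "z\n", ""]
    print("refused:", audit(samples))
    print("shell sees:", shell_tokens(unsafe_shell_line("web01; id")))
    print("argv:", safe_argv("web01"))
```

Running `audit()` over the zone names used in existing playbooks is a quick check for hosts that cannot yet take the 2.7.16 update.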
Mageia7 x86_64

Updated ansible and installed sshpass.
Set up a temporary hosts file containing three LAN addresses including localhost. The following test fails for the local machine if its IP address is used.

$ ansible -k -i /tmp/hosts all -m ping
SSH password:
192.168.1.aaa | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
192.168.1.bbb | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
127.0.0.1 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

$ ansible -k -i /tmp/hosts all -a "/home/lcl/bin/chex"
SSH password:
192.168.1.bbb | CHANGED | rc=0 >>

192.168.1.aaa | CHANGED | rc=0 >>

127.0.0.1 | CHANGED | rc=0 >>

That showed a widget centre screen on all three machines. The CHANGED message comes up as each widget is closed.

However, the following command does not work very well, because it seems to want to act as a reverse terminal. It shows the Mate terminal with the inxi output for one of the remote hosts on the local monitor and then crashes. This has something to do with ssh and known_hosts AFAICS so does not reflect on ansible.

$ ansible -k -i ~/tmp/hosts all -a "mate-terminal -e 'inxi -b'"
SSH password:
.....
192.168.1.aaa | FAILED | rc=255 >>
non-zero return code

As far as these tests go ansible seems to be working as designed.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25
Taking your word for it, Len. Validating. Advisory in Comment 2.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0060.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED