RedHat has issued an advisory today (February 24):
https://access.redhat.com/errata/RHSA-2021:0664

The issues are fixed upstream in 2.8.19 and 2.9.18:
https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst#id59
https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst#id64

I'm not sure which issues affect 2.7.x, as it's not supported upstream anymore.
Status comment: (none) => Fixed upstream in 2.9.18
Whiteboard: (none) => MGA8TOO, MGA7TOO
New version pushed in mageia 8.
src: ansible-2.9.18-1.mga8

ansible-2.9.18-1.mga9 pushed in cauldron.

I am looking to backport the patches in mageia 7.
CC: (none) => mageia
Lightning work, Nicolas. Assigning this to you since you have already mostly done it.
Assignee: bugsquad => mageia
That may be exceedingly difficult this time.
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
CC: (none) => bruno
Version: Cauldron => 8
mga7 is not affected by CVE-2021-20180, we do not have bitbucket module.
Fixes for:
- CVE-2021-20178
- CVE-2021-20191
- CVE-2021-20228
are in the new ansible rpm.

src: ansible-2.7.18-1.1.mga7
Assignee: mageia => qa-bugs
Status comment: Fixed upstream in 2.9.18 => (none)
Advisory (Mageia 7):
========================

Updated ansible package fixes security vulnerabilities:

User data leak in snmp_facts module (CVE-2021-20178).

Multiple collections exposed secured values (CVE-2021-20191).

In basic.py, no_log with fallback option (CVE-2021-20228).

The ansible package has been patched to fix these issues.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20178
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20191
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20228
https://access.redhat.com/errata/RHSA-2021:0664

Advisory (Mageia 8):
========================

Updated ansible package fixes security vulnerabilities:

User data leak in snmp_facts module (CVE-2021-20178).

The bitbucket_pipeline_variable module exposed secured values (CVE-2021-20180).

Multiple collections exposed secured values (CVE-2021-20191).

In basic.py, no_log with fallback option (CVE-2021-20228).

The ansible package has been updated to version 2.9.18, fixing these issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20178
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20180
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20191
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20228
https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst#id64
https://access.redhat.com/errata/RHSA-2021:0664
mga8, x64

Found no PoC for the CVEs in RedHat Bugzilla.

Before update:

Installed ansible. Created ~/tmp/hosts containing URLs for three nodes on the LAN starting with the home system.

$ sudo urpmi sshpass
$ ansible -k -i ~/tmp/hosts all -m ping
SSH password:
127.0.0.1 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\n@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @\r\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\nIT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!\r\nSomeone could be eavesdropping on you right now (man-in-the-middle attack)!\r\nIt is also possible that a host key has just been changed.\r\nThe fingerprint for the ECDSA key sent by the remote host is\nSHA256:<.......................................>.\r\nPlease contact your system administrator.\r\nAdd correct host key in /home/lcl/.ssh/known_hosts to get rid of this message.\r\nOffending ECDSA key in /home/lcl/.ssh/known_hosts:26\r\nECDSA host key for 192.168.1.aaa has changed and you have requested strict checking.\r\nHost key verification failed.",
    "unreachable": true
}
[WARNING]: Platform linux on host 192.168.1.bbb is using the discovered Python interpreter at /usr/bin/python, but future installation of another Python interpreter could change this. See https://docs.ansible.com/ansible/2.9/reference_appendices/interpreter_discovery.html for more information.
192.168.1.bbb | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
[WARNING]: Platform linux on host 192.168.1.ccc is using the discovered Python interpreter at /usr/bin/python, but future installation of another Python interpreter could change this. See https://docs.ansible.com/ansible/2.9/reference_appendices/interpreter_discovery.html for more information.
192.168.1.ccc | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}

So, remote hosts are accessible but localhost is not. Nothing has changed there.

Updated ansible.

Repeated the ping test, which returned the same results.

$ ansible -k -i ~/tmp/hosts all -a "/home/lcl/bin/chex"
SSH password:
.......

No result for localhost - maybe ansible is not intended to run jobs on the local machine. Removing the local address anyway. But note that for bug 26125 the job succeeded on localhost. Regression? Or something different in the setup.

The jobs worked for the other machines though - a bash environment was set up and a gui launched on the two remote monitors. ansible terminated when these widgets were removed.

$ ansible -k -i ~/tmp/hosts all -a "mate-terminal -e 'inxi -b'"
SSH password:
[WARNING]: Platform linux on host 192.168.1.bbb is using the discovered Python interpreter at /usr/bin/python, but future installation of another Python interpreter could change this. See https://docs.ansible.com/ansible/2.9/reference_appendices/interpreter_discovery.html for more information.
192.168.1.bbb | FAILED | rc=255 >>
non-zero return code
[WARNING]: Platform linux on host 192.168.1.ccc is using the discovered Python interpreter at /usr/bin/python, but future installation of another Python interpreter could change this. See https://docs.ansible.com/ansible/2.9/reference_appendices/interpreter_discovery.html for more information.
192.168.1.ccc | FAILED | rc=255 >>
non-zero return code

These jobs returned results all on the local monitor, each job crashing. That happened before so it is not a regression. The command runs inxi and fails in the same way if invoked on each machine from the command line, with or without ampersands.

ansible is designed for administration jobs so errors are bound to happen when an unskilled user tries it. It looks like the application works in principle so we can wave it on.
Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK
CC: (none) => tarazed25
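As an added example, not code from this bug report or from the ansible project: a small Python checker for the ad-hoc output shown in the test above. It parses the per-host result blocks (`host | SUCCESS => {`, `host | FAILED | rc=2 >>`, `host | UNREACHABLE! => {`), lists hosts that did not complete cleanly, flags the strict host-key-checking refusal that caused the localhost failure in the test (that refusal is SSH doing its job, and should be resolved in known_hosts rather than bypassed), and checks that a secret handed to the run is not echoed back in the output, which is the property the no_log fixes in this update are about. The function names, the `SAMPLE_OUTPUT` text and the `hunter2-constructed` secret are constructed for this example and are not from the page.

```python
import re
from typing import Dict, List

# First line of each per-host result block printed by `ansible` ad-hoc runs.
# Examples: "host | SUCCESS => {", "host | UNREACHABLE! => {",
#           "host | FAILED | rc=2 >>", "host | CHANGED | rc=0 >>"
HEADER = re.compile(
    r"^(?P<host>\S+) \| (?P<status>SUCCESS|CHANGED|FAILED|UNREACHABLE)!?"
    r"(?: \| rc=(?P<rc>\d+))?"
)

# Constructed sample output in the same shape as the ad-hoc runs in this
# report (one host-key refusal, one ping, one failed command, one command).
SAMPLE_OUTPUT = """\
127.0.0.1 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ Host key verification failed.",
    "unreachable": true
}
[WARNING]: Platform linux on host 192.168.1.bbb is using the discovered Python interpreter at /usr/bin/python, but future installation of another Python interpreter could change this. See https://docs.ansible.com/ansible/2.9/reference_appendices/interpreter_discovery.html for more information.
192.168.1.bbb | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
marte-co-fedora-32.local | FAILED | rc=2 >>
[Errno 2] No such file or directory: 'systemd'
marte.local | CHANGED | rc=0 >>
systemd 241 (241) +PAM +AUDIT -SELINUX
"""


def parse_adhoc_output(text: str) -> Dict[str, dict]:
    """Split ad-hoc output into {host: {"status", "rc", "body"}}.

    Lines following a header belong to that host until the next header.
    "[WARNING]" lines (interpreter discovery notices) are not host results
    and end the current block so their text is not attributed to a host.
    """
    results: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group("host")
            results[current] = {
                "status": m.group("status"),
                "rc": int(m.group("rc")) if m.group("rc") else None,
                "body": [],
            }
        elif line.startswith("[WARNING]"):
            current = None
        elif current is not None:
            results[current]["body"].append(line)
    return results


def unhealthy_hosts(results: Dict[str, dict]) -> List[str]:
    """Hosts that were unreachable, failed, or returned a non-zero rc."""
    return sorted(
        host for host, r in results.items()
        if r["status"] in ("FAILED", "UNREACHABLE")
        or (r["rc"] is not None and r["rc"] != 0)
    )


def host_key_mismatches(results: Dict[str, dict]) -> List[str]:
    """Hosts refused because the SSH host key in known_hosts no longer matches.

    This is the case seen for localhost in the test above; the right response
    is to verify the new key out of band and update known_hosts, not to
    disable strict checking.
    """
    marker = "REMOTE HOST IDENTIFICATION HAS CHANGED"
    return sorted(
        host for host, r in results.items()
        if any(marker in line for line in r["body"])
    )


def leaked_values(text: str, sensitive: List[str]) -> List[str]:
    """Sensitive values (e.g. the -k password or a module secret) that appear
    verbatim anywhere in the run output. After a no_log fix this should be
    empty for every secret the run was given."""
    return [s for s in sensitive if s and s in text]


if __name__ == "__main__":
    parsed = parse_adhoc_output(SAMPLE_OUTPUT)
    for host, r in parsed.items():
        print(f"{host:28s} {r['status']:12s} rc={r['rc']}")
    print("unhealthy:", unhealthy_hosts(parsed))
    print("host key changed:", host_key_mismatches(parsed))
    print("leaked:", leaked_values(SAMPLE_OUTPUT, ["hunter2-constructed"]))
```

Pipe a real run into it with `ansible -i hosts all -m ping 2>&1 | python3 check_adhoc.py` (after reading `sys.stdin.read()` instead of `SAMPLE_OUTPUT`) and pass the secrets you supplied on the command line or through environment fallbacks to `leaked_values`; an empty list is the expected result on a fixed package.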
Installed and tested without issues. Tested on several nodes in containers and QEMU/KVM VM. Tested a few commands and it seems to be working as intended. I don't usually use ansible so I don't have an elaborate setup where I can actually test it more exhaustively.

System: Mageia 7, x86_64, Intel CPU.

$ uname -a
Linux marte 5.10.20-desktop-2.mga7 #1 SMP Fri Mar 5 20:47:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -q ansible
ansible-2.7.18-1.2.mga7

$ ansible all -m ping
marte.local | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
marte-co-mageia-7.local | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
marte-co-fedora-32.local | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
marte-co-mageia-8.local | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
marte-vm-mageia-7.local | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
marte-co-mageia-cauldron.local | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
marte-vm-mageia-8.local | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

$ ansible all -a "uname -a"
marte-co-mageia-8.local | CHANGED | rc=0 >>
Linux marte-co-mageia-8 5.10.20-desktop-2.mga7 #1 SMP Fri Mar 5 20:47:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
marte-co-mageia-7.local | CHANGED | rc=0 >>
Linux marte-co-mageia-7 5.10.20-desktop-2.mga7 #1 SMP Fri Mar 5 20:47:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
marte-co-fedora-32.local | CHANGED | rc=0 >>
Linux marte-co-fedora-32 5.10.20-desktop-2.mga7 #1 SMP Fri Mar 5 20:47:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
marte-co-mageia-cauldron.local | CHANGED | rc=0 >>
Linux marte-co-mageia-cauldron 5.10.20-desktop-2.mga7 #1 SMP Fri Mar 5 20:47:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
marte.local | CHANGED | rc=0 >>
Linux marte 5.10.20-desktop-2.mga7 #1 SMP Fri Mar 5 20:47:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
marte-vm-mageia-7.local | CHANGED | rc=0 >>
Linux marte-vm-mageia-7 5.10.20-desktop-2.mga7 #1 SMP Fri Mar 5 20:47:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
marte-vm-mageia-8.local | CHANGED | rc=0 >>
Linux marte-vm-mageia-8 5.10.20-desktop-2.mga8 #1 SMP Fri Mar 5 18:23:13 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

$ ansible all -a "systemd --version"
marte.local | CHANGED | rc=0 >>
systemd 241 (241)
+PAM +AUDIT -SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN -PCRE2 default-hierarchy=hybrid
marte-co-mageia-7.local | CHANGED | rc=0 >>
systemd 241 (241)
+PAM +AUDIT -SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN -PCRE2 default-hierarchy=hybrid
marte-co-fedora-32.local | FAILED | rc=2 >>
[Errno 2] No such file or directory: 'systemd'
marte-co-mageia-cauldron.local | CHANGED | rc=0 >>
systemd 246 (246)
+PAM +AUDIT -SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN -PCRE2 default-hierarchy=unified
marte-co-mageia-8.local | CHANGED | rc=0 >>
systemd 246 (246)
+PAM +AUDIT -SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN -PCRE2 default-hierarchy=unified
marte-vm-mageia-7.local | CHANGED | rc=0 >>
systemd 241 (241)
+PAM +AUDIT -SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN -PCRE2 default-hierarchy=hybrid
marte-vm-mageia-8.local | CHANGED | rc=0 >>
systemd 246 (246)
+PAM +AUDIT -SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN -PCRE2 default-hierarchy=unified
CC: (none) => mageia
Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA8-64-OK MGA7-64-OK
Validating. Advisory in Comment 6.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Advisories committed to svn using ...

[dave@x3 advisories]$ svn ci -m 'Adding mga7 security update for ansible mga#28436'
Adding         28436.mga7.adv
Transmitting file data .done
Committing transaction...
Committed revision 11475.
[dave@x3 advisories]$ mgaadv new security 28436.mga8 ansible
[dave@x3 advisories]$ svn add 28436.mga8.adv
A         28436.mga8.adv
[dave@x3 advisories]$ svn ci -m 'Adding mga8 security update for ansible mga#28436'
Adding         28436.mga8.adv
Transmitting file data .done
Committing transaction...
Committed revision 11476.
Keywords: (none) => advisory
CC: (none) => davidwhodgins
Thanks Dave!
CC: (none) => ouaurelien
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0131.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0132.html