Format: 1.8
Date: Tue, 5 May 2020 15:32:41 +0200
Source: ansible
Binary: ansible ansible-fireball ansible-node-fireball ansible-doc
Architecture: source all
Version: 1.7.2+dfsg-2+deb8u3
Distribution: jessie-security
Urgency: high
Maintainer: Janos Guljas <janos@debian.org>
Changed-By: Sylvain Beucler <beuc@debian.org>
Description:
 ansible - Configuration management, deployment, and task execution system
 ansible-doc - Ansible documentation and examples
 ansible-fireball - Ansible fireball transport support
 ansible-node-fireball - Ansible fireball transport support for nodes
Changes:
 ansible (1.7.2+dfsg-2+deb8u3) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2020-1740: a flaw was found when using Ansible Vault for editing
     encrypted files. When a user executes "ansible-vault edit", another
     user on the same computer can read the old and new secret, as it is
     created in a temporary file with mkstemp and the returned file
     descriptor is closed and the method write_data is called to write
     the existing secret in the file. This method will delete the file
     before recreating it insecurely.
   * CVE-2020-1739: a flaw was found when a password is set with the
     argument "password" of svn module, it is used on svn command line,
     disclosing to other users within the same node. An attacker could
     take advantage by reading the cmdline file from that particular PID
     on the procfs.
   * CVE-2020-1733: a race condition flaw was found when running a
     playbook with an unprivileged become user. When Ansible needs to run
     a module with become user, the temporary directory is created in
     /var/tmp. This directory is created with "umask 77 && mkdir -p <dir>";
     this operation does not fail if the directory already exists and is
     owned by another user. An attacker could take advantage to gain
     control of the become user as the target directory can be retrieved
     by iterating '/proc/<pid>/cmdline'.
   * CVE-2019-14846: ansible was logging at the DEBUG level which led to
     a disclosure of credentials if a plugin used a library that logged
     credentials at the DEBUG level. This flaw does not affect Ansible
     modules, as those are executed in a separate process.
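
The temporary-file handling described in the CVE-2020-1740 entry, next to a hardened form, as an added example that is not Ansible's code or part of the original upload. All function names and the sample secret are hypothetical; write_data_insecure only mimics the delete-then-recreate behaviour the changelog attributes to write_data.

```python
import os
import stat
import tempfile

SECRET = b"constructed-sample-secret\n"  # constructed sample, not real vault data


def write_data_insecure(path, data):
    # Delete the file, then recreate it by name: the new file gets mode
    # 0666 & ~umask, and the name is free for another local user to claim
    # between remove() and open().
    if os.path.exists(path):
        os.remove(path)
    with open(path, "wb") as f:
        f.write(data)


def edit_tempfile_insecure(data, directory):
    fd, path = tempfile.mkstemp(dir=directory)  # created 0600 with O_EXCL
    os.close(fd)                                # descriptor is discarded
    write_data_insecure(path, data)             # mkstemp's guarantees are lost
    return path


def edit_tempfile_hardened(data, directory):
    fd, path = tempfile.mkstemp(dir=directory)  # created 0600 with O_EXCL
    with os.fdopen(fd, "wb") as f:              # write to the same inode
        f.write(data)
    return path


def mode_of(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def compare_modes(umask=0o022):
    """Return (insecure_mode, hardened_mode) for files created under umask."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            return (mode_of(edit_tempfile_insecure(SECRET, d)),
                    mode_of(edit_tempfile_hardened(SECRET, d)))
    finally:
        os.umask(old)


if __name__ == "__main__":
    print("recreated by name: %o, written via mkstemp fd: %o" % compare_modes())
```

The private scratch directory used here hides the effect from other users; in a shared temporary directory the recreated file's mode is what other local accounts see.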