ansible - Debian Package Tracker

general

source: ansible (main)
version: 7.7.0+dfsg-2
maintainer: Lee Garrett (DMD)
uploaders: Harlan Lieberman-Berg [DMD]
arch: all
std-ver: 4.6.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2.7.7+dfsg-1+deb10u1
o-o-sec: 2.7.7+dfsg-1+deb10u1
o-o-bpo: 2.9.16+dfsg-1~bpo10+2
oldstable: 2.10.7+merged+base+2.10.8+dfsg-1
stable: 7.3.0+dfsg-1
testing: 7.7.0+dfsg-2
unstable: 7.7.0+dfsg-2

versioned links

2.7.7+dfsg-1+deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.9.16+dfsg-1~bpo10+2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.10.7+merged+base+2.10.8+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.3.0+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.7.0+dfsg-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

ansible (5 bugs: 0, 4, 1, 0)

action needed

8 security issues in trixie high

There are 8 open security issues in trixie.

8 important issues:

CVE-2021-3447: A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attacker can take advantage of this information to steal those credentials, provided when they have access to the log files containing them. The highest threat from this vulnerability is to data confidentiality. This flaw affects Red Hat Ansible Automation Platform in versions before 1.2.2 and Ansible Tower in versions before 3.8.2.
CVE-2021-3532: A flaw was found in Ansible where the secret information present in async_files are getting disclosed when the user changes the jobdir to a world readable directory. Any secret information in an async status file will be readable by a malicious user on that system. This flaw affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.
CVE-2021-3533: A flaw was found in Ansible if an ansible user sets ANSIBLE_ASYNC_DIR to a subdirectory of a world writable directory. When this occurs, there is a race condition on the managed machine. A malicious, non-privileged account on the remote machine can exploit the race condition to access the async result data. This flaw affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.
CVE-2023-4237:
CVE-2023-4380:
CVE-2023-4567:
CVE-2023-5115:
CVE-2023-5189:

Created: 2023-06-11 Last update: 2023-09-27 09:39

8 security issues in sid high

There are 8 open security issues in sid.

8 important issues:

CVE-2021-3447: A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attacker can take advantage of this information to steal those credentials, provided when they have access to the log files containing them. The highest threat from this vulnerability is to data confidentiality. This flaw affects Red Hat Ansible Automation Platform in versions before 1.2.2 and Ansible Tower in versions before 3.8.2.
CVE-2021-3532: A flaw was found in Ansible where the secret information present in async_files are getting disclosed when the user changes the jobdir to a world readable directory. Any secret information in an async status file will be readable by a malicious user on that system. This flaw affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.
CVE-2021-3533: A flaw was found in Ansible if an ansible user sets ANSIBLE_ASYNC_DIR to a subdirectory of a world writable directory. When this occurs, there is a race condition on the managed machine. A malicious, non-privileged account on the remote machine can exploit the race condition to access the async result data. This flaw affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.
CVE-2023-4237:
CVE-2023-4380:
CVE-2023-4567:
CVE-2023-5115:
CVE-2023-5189:

Created: 2022-07-04 Last update: 2023-09-27 09:39

14 security issues in bullseye high

There are 14 open security issues in bullseye.

3 important issues:

CVE-2023-4237:
CVE-2023-5115:
CVE-2023-5189:

11 issues left for the package maintainer to handle:

CVE-2021-3447: (needs triaging) A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attacker can take advantage of this information to steal those credentials, provided when they have access to the log files containing them. The highest threat from this vulnerability is to data confidentiality. This flaw affects Red Hat Ansible Automation Platform in versions before 1.2.2 and Ansible Tower in versions before 3.8.2.
CVE-2021-3532: (postponed; to be fixed through a stable update) A flaw was found in Ansible where the secret information present in async_files are getting disclosed when the user changes the jobdir to a world readable directory. Any secret information in an async status file will be readable by a malicious user on that system. This flaw affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.
CVE-2021-3533: (postponed; to be fixed through a stable update) A flaw was found in Ansible if an ansible user sets ANSIBLE_ASYNC_DIR to a subdirectory of a world writable directory. When this occurs, there is a race condition on the managed machine. A malicious, non-privileged account on the remote machine can exploit the race condition to access the async result data. This flaw affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.
CVE-2021-3583: (needs triaging) A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This flaw allows attackers to perform command injection, which discloses sensitive information. The highest threat from this vulnerability is to confidentiality and integrity.
CVE-2021-3620: (postponed; to be fixed through a stable update) A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality.
CVE-2022-3697: (needs triaging) A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.
CVE-2023-4380: (needs triaging)
CVE-2023-4567: (needs triaging)
CVE-2021-20178: (needs triaging) A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality.
CVE-2021-20180: (needs triaging) A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality.
CVE-2021-20191: (needs triaging) A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality. Versions before ansible 2.9.18 are affected.

You can find information about how to handle these issues in the security team's documentation.

Created: 2022-07-04 Last update: 2023-09-27 09:39

8 security issues in bookworm high

There are 8 open security issues in bookworm.

3 important issues:

CVE-2023-4237:
CVE-2023-5115:
CVE-2023-5189:

5 issues left for the package maintainer to handle:

CVE-2021-3447: (needs triaging) A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attacker can take advantage of this information to steal those credentials, provided when they have access to the log files containing them. The highest threat from this vulnerability is to data confidentiality. This flaw affects Red Hat Ansible Automation Platform in versions before 1.2.2 and Ansible Tower in versions before 3.8.2.
CVE-2021-3532: (postponed; to be fixed through a stable update) A flaw was found in Ansible where the secret information present in async_files are getting disclosed when the user changes the jobdir to a world readable directory. Any secret information in an async status file will be readable by a malicious user on that system. This flaw affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.
CVE-2021-3533: (postponed; to be fixed through a stable update) A flaw was found in Ansible if an ansible user sets ANSIBLE_ASYNC_DIR to a subdirectory of a world writable directory. When this occurs, there is a race condition on the managed machine. A malicious, non-privileged account on the remote machine can exploit the race condition to access the async result data. This flaw affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.
CVE-2023-4380: (needs triaging)
CVE-2023-4567: (needs triaging)

You can find information about how to handle these issues in the security team's documentation.

Created: 2023-06-10 Last update: 2023-09-27 09:39

16 security issues in buster high

There are 16 open security issues in buster.

2 important issues:

CVE-2023-5115:
CVE-2023-5189:

14 issues postponed or untriaged:

CVE-2021-3447: (needs triaging) A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attacker can take advantage of this information to steal those credentials, provided when they have access to the log files containing them. The highest threat from this vulnerability is to data confidentiality. This flaw affects Red Hat Ansible Automation Platform in versions before 1.2.2 and Ansible Tower in versions before 3.8.2.
CVE-2021-3532: (postponed; to be fixed through a stable update) A flaw was found in Ansible where the secret information present in async_files are getting disclosed when the user changes the jobdir to a world readable directory. Any secret information in an async status file will be readable by a malicious user on that system. This flaw affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.
CVE-2021-3533: (postponed; to be fixed through a stable update) A flaw was found in Ansible if an ansible user sets ANSIBLE_ASYNC_DIR to a subdirectory of a world writable directory. When this occurs, there is a race condition on the managed machine. A malicious, non-privileged account on the remote machine can exploit the race condition to access the async result data. This flaw affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.
CVE-2021-3583: (needs triaging) A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This flaw allows attackers to perform command injection, which discloses sensitive information. The highest threat from this vulnerability is to confidentiality and integrity.
CVE-2021-3620: (postponed; to be fixed through a stable update) A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality.
CVE-2022-3697: (needs triaging) A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.
CVE-2023-4237: (needs triaging)
CVE-2023-4380: (needs triaging)
CVE-2023-4567: (needs triaging)
CVE-2019-14858: (needs triaging) A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task.
CVE-2019-14905: (needs triaging) A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of confidentiality of the system among other issues.
CVE-2021-20178: (needs triaging) A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality.
CVE-2021-20180: (needs triaging) A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality.
CVE-2021-20191: (needs triaging) A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality. Versions before ansible 2.9.18 are affected.

Created: 2023-09-27 Last update: 2023-09-27 09:39

The VCS repository is not up to date, push the missing commits. high

vcswatch reports that the current version of the package is not in its VCS.
Either you need to push your commits and/or your tags, or the information about the package's VCS are out of date. A common cause of the latter issue when using the Git VCS is not specifying the correct branch when the packaging is not in the default one (remote HEAD branch), which is usually "master" but can be modified in salsa.debian.org in the project's general settings with the "Default Branch" field). Alternatively the Vcs-Git field in debian/control can contain a "-b <branch-name>" suffix to indicate what branch is used for the Debian packaging.

Created: 2023-09-12 Last update: 2023-09-26 12:30

debian/patches: 1 patch to forward upstream low

Among the 2 debian patches available in version 7.7.0+dfsg-2 of the package, we noticed the following issues:

1 patch where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-09-12 Last update: 2023-09-12 18:59

news

[rss feed]

[2023-09-14] ansible 7.7.0+dfsg-2 MIGRATED to testing (Debian testing watch)
[2023-09-12] Accepted ansible 7.7.0+dfsg-2 (source) into unstable (Lee Garrett) (signed by: Mark Lee Garrett)
[2023-07-21] ansible 7.7.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2023-07-21] ansible 7.7.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2023-07-17] Accepted ansible 7.7.0+dfsg-1 (source) into unstable (Lee Garrett) (signed by: Mark Lee Garrett)
[2023-03-12] ansible 7.3.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2023-03-02] Accepted ansible 7.3.0+dfsg-1 (source) into unstable (Lee Garrett) (signed by: Mark Lee Garrett)
[2023-02-12] ansible 7.2.0+dfsg-2 MIGRATED to testing (Debian testing watch)
[2023-02-09] Accepted ansible 7.2.0+dfsg-2 (source) into unstable (Lee Garrett) (signed by: Mark Lee Garrett)
[2022-12-16] ansible 7.1.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2022-12-13] Accepted ansible 7.1.0+dfsg-1 (source) into unstable (Lee Garrett) (signed by: Mark Lee Garrett)
[2022-12-09] ansible 7.0.0+dfsg-2 MIGRATED to testing (Debian testing watch)
[2022-12-06] Accepted ansible 7.0.0+dfsg-2 (source) into unstable (Lee Garrett) (signed by: Mark Lee Garrett)
[2022-12-03] ansible 7.0.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2022-11-30] Accepted ansible 7.0.0+dfsg-1 (source) into unstable (Lee Garrett) (signed by: Mark Lee Garrett)
[2022-09-21] ansible 6.4.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2022-09-15] Accepted ansible 6.4.0+dfsg-1 (source) into unstable (Lee Garrett) (signed by: Mark Lee Garrett)
[2022-09-15] ansible 6.3.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2022-09-09] Accepted ansible 6.3.0+dfsg-1 (source) into unstable (Lee Garrett) (signed by: Mark Lee Garrett)
[2022-03-27] ansible 5.5.0-1 MIGRATED to testing (Debian testing watch)
[2022-03-21] Accepted ansible 5.5.0-1 (source) into unstable (Lee Garrett)
[2022-03-12] ansible 5.4.0-1 MIGRATED to testing (Debian testing watch)
[2022-03-06] Accepted ansible 5.4.0-1 (source) into unstable (Lee Garrett)
[2022-02-04] Accepted ansible 2.2.1.0-2+deb9u3 (source) into oldoldstable (Lee Garrett)
[2021-09-30] Accepted ansible 4.6.0-1 (source) into experimental (Lee Garrett)
[2021-08-07] Accepted ansible 2.7.7+dfsg-1+deb10u1 (source all) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
[2021-08-07] Accepted ansible 2.7.7+dfsg-1+deb10u1 (source all) into stable->embargoed, stable (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
[2021-05-09] ansible 2.10.7+merged+base+2.10.8+dfsg-1 MIGRATED to testing (Debian testing watch)
[2021-04-19] Accepted ansible 2.10.7+merged+base+2.10.8+dfsg-1 (source) into unstable (Lee Garrett)
[2021-04-01] Accepted ansible 2.9.16+dfsg-1~bpo10+2 (source) into buster-backports->backports-policy, buster-backports (Debian FTP Masters) (signed by: Pierre-Elliott Bécue)

bugs [bug history graph]

all: 17
RC: 0
I&N: 15
M&W: 2
F&P: 0
patch: 0

links

homepage
lintian
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 7.7.0+dfsg-1
16 bugs