Debian Package Tracker

general

source: ansible (main)
version: 2.8.6+dfsg-1
maintainer: Harlan Lieberman-Berg (DMD)
uploaders: Lee Garrett [DMD]
arch: all
std-ver: 4.4.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.7.2+dfsg-2
o-o-sec: 1.7.2+dfsg-2+deb8u2
oldstable: 2.2.1.0-2+deb9u1
old-sec: 2.2.1.0-2+deb9u1
old-bpo: 2.7.5+dfsg-1~bpo9+1
stable: 2.7.7+dfsg-1
testing: 2.8.6+dfsg-1
unstable: 2.8.6+dfsg-1

versioned links

1.7.2+dfsg-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.7.2+dfsg-2+deb8u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.2.1.0-2+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.7.5+dfsg-1~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.7.7+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.8.6+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

ansible (12 bugs: 0, 9, 3, 0)
ansible-doc (3 bugs: 0, 1, 2, 0)

action needed

A new upstream version is available: 2.9.1 high

A new upstream version 2.9.1 is available, you should consider packaging it.

Created: 2019-11-02 Last update: 2019-12-06 22:31

7 security issues in buster high

There are 7 open security issues in buster.

4 important issues:

CVE-2019-14904:
CVE-2019-14858: A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task.
CVE-2019-14905:
CVE-2019-14846: Ansible, all ansible_engine-2.x versions and ansible_engine-3.x up to ansible_engine-3.5, was logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.

3 issues skipped by the security teams:

CVE-2019-10156: A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed.
CVE-2019-10206: ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger and exposing them.
CVE-2019-14864:

Please fix them.

Created: 2019-06-06 Last update: 2019-12-03 00:16

3 security issues in bullseye high

There are 3 open security issues in bullseye.

3 important issues:

CVE-2019-14904:
CVE-2019-14905:
CVE-2019-14864:

Please fix them.

Created: 2019-07-07 Last update: 2019-12-03 00:16

3 security issues in sid high

There are 3 open security issues in sid.

3 important issues:

CVE-2019-14904:
CVE-2019-14905:
CVE-2019-14864:

Please fix them.

Created: 2019-10-29 Last update: 2019-12-03 00:16

6 security issues in jessie high

There are 6 open security issues in jessie.

5 important issues:

CVE-2019-14904:
CVE-2019-14858: A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task.
CVE-2019-14905:
CVE-2019-14864:
CVE-2019-14846: Ansible, all ansible_engine-2.x versions and ansible_engine-3.x up to ansible_engine-3.5, was logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.

1 issue skipped by the security teams:

CVE-2019-10206: ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger and exposing them.

Please fix them.

Created: 2015-07-14 Last update: 2019-12-03 00:16

8 security issues in stretch high

There are 8 open security issues in stretch.

4 important issues:

CVE-2019-14904:
CVE-2019-14858: A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task.
CVE-2019-14905:
CVE-2019-14846: Ansible, all ansible_engine-2.x versions and ansible_engine-3.x up to ansible_engine-3.5, was logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.

4 issues skipped by the security teams:

CVE-2019-10156: A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed.
CVE-2017-7481: Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as 'unsafe' and is not evaluated.
CVE-2019-10206: ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger and exposing them.
CVE-2019-14864:

Please fix them.

Created: 2017-04-22 Last update: 2019-12-03 00:16

2 bugs tagged patch in the BTS normal

The BTS contains patches fixing 2 bugs, consider including or untagging them.

Created: 2019-04-01 Last update: 2019-12-07 03:00

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2018-11-06 Last update: 2019-12-07 01:00

25 new commits since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit a79c81ebf3b79fc96405103f3dca365b49a9fd96
Author: Lee Garrett <lgarrett@rocketjump.eu>
Date:   Mon Oct 28 22:13:30 2019 +0100

    Release 2.8.6+dfsg-1

commit d93ee7d118b49d51961b61509609a69467080215
Author: Lee Garrett <lgarrett@rocketjump.eu>
Date:   Mon Oct 28 21:56:33 2019 +0100

    Add binary lintian-overrides
    
    These files are developing guidelines for those modules, so it makes sense to
    keep them close to the code.

commit 4f26130042107bf4a2d6198ced792a0ca73de77d
Author: Lee Garrett <lgarrett@rocketjump.eu>
Date:   Mon Oct 28 21:20:25 2019 +0100

    Revamp debian/copyright
    
    Still not perfect, but throws less warnings than before.

commit d8276468ca5c2c728b2244a2428d2a094e7c9dcc
Author: Lee Garrett <lgarrett@rocketjump.eu>
Date:   Mon Oct 28 19:50:48 2019 +0100

    Update building docs
    
    Mostly to make lintian happy.

commit 843ad56ccc6caadbf728a6faa75a9a8d79a1c1e5
Author: Lee Garrett <lgarrett@rocketjump.eu>
Date:   Mon Oct 28 19:38:07 2019 +0100

    Remove lintian override
    
    The source file doesn't exist since the docs were refactored.

commit f9867bc34079aa17b1d6b7fc9c131137c76b4069
Author: Lee Garrett <lgarrett@rocketjump.eu>
Date:   Mon Oct 28 19:36:21 2019 +0100

    Doesn't require root to build
    
    Let's make lintian happy.

commit efbb6558476bab1aabc672fd69917bff8f41613f
Author: Lee Garrett <lgarrett@rocketjump.eu>
Date:   Mon Oct 28 19:36:02 2019 +0100

    Bump Standards-Version (no changes needed)

commit eb6b3f24503689fc6907cd9492b2f832f7622c11
Author: Lee Garrett <lgarrett@rocketjump.eu>
Date:   Mon Oct 28 19:34:46 2019 +0100

    Add CVE numbers to changelog

commit c297b1803ca430304bc3a97cb6b31ad892501595
Author: Lee Garrett <lgarrett@rocketjump.eu>
Date:   Fri Oct 25 00:30:59 2019 +0200

    Fix doc-base path
    
    New release now puts it in the new path.

commit 23f026c5ecafbf5ab1ef3b1a3c70c1c40fed2e24
Author: Lee Garrett <lgarrett@rocketjump.eu>
Date:   Fri Oct 25 00:30:41 2019 +0200

    Update changelog

commit aa0adab661a24acb28074ec4903151aabe9b7cd0
Merge: 2f7cb2cb 9c95a6f0
Author: Lee Garrett <lgarrett@rocketjump.eu>
Date:   Thu Oct 24 20:17:47 2019 +0200

    Update upstream source from tag 'upstream/2.8.6+dfsg'
    
    Update to upstream version '2.8.6+dfsg'
    with Debian dir a8720913d0c3c160f0b87201f214d9ffbc28853d

commit 9c95a6f04d1fb8a9f7e78ce7eedd430096fd76ee
Author: Lee Garrett <lgarrett@rocketjump.eu>
Date:   Thu Oct 24 20:17:15 2019 +0200

    New upstream version 2.8.6+dfsg

commit 2f7cb2cbb832d0a5bfc4c59f75552cd87ec84598
Author: Lee Garrett <lgarrett@rocketjump.eu>
Date:   Wed Sep 18 22:46:56 2019 +0200

    Update changelog (bump version number)

commit b895d1e76a266514b40abd8d66f4dec2bb77cefb
Merge: 47a871fc c6855184
Author: Lee Garrett <lgarrett@rocketjump.eu>
Date:   Wed Sep 18 22:45:12 2019 +0200

    Update upstream source from tag 'upstream/2.8.5+dfsg'
    
    Update to upstream version '2.8.5+dfsg'
    with Debian dir e005d596207b41665f80aa6e0a428220bd3f91e3

commit c6855184146523a8e3ddc4f3b061857d6a69ae3d
Author: Lee Garrett <lgarrett@rocketjump.eu>
Date:   Wed Sep 18 22:44:30 2019 +0200

    New upstream version 2.8.5+dfsg

commit 47a871fcd72613ad3e81034494455f6cd68739ae
Author: Lee Garrett <lgarrett@rocketjump.eu>
Date:   Wed Sep 18 22:40:28 2019 +0200

    Small changes to debian/control
    
    python3-winrm is > 0.1.1 in stable, so drop the versioning.

commit 1eb3783a2e8a4c957db166351fb58c86a7d1d51d
Author: Lee Garrett <lgarrett@rocketjump.eu>
Date:   Mon Sep 2 00:53:58 2019 +0200

    Update to debhelper 12
    
    Since buster (stable) now ships with 12.1 it's fine to bump this, as it won't
    be in the way when backporting.

commit 8297cbfbca0ba21be32e366a5fca73b26b5f3640
Author: Lee Garrett <lgarrett@rocketjump.eu>
Date:   Mon Sep 2 00:36:06 2019 +0200

    d/copyright: minor fix

commit d8a6e38a2ea27706ed80b6d1f29d783d88541de1
Author: Lee Garrett <lgarrett@rocketjump.eu>
Date:   Mon Sep 2 00:27:28 2019 +0200

    Minor updates to make lintian happy

commit 5cc2723cffde5e7c6ce9f1e33bf82204715a9513
Author: Lee Garrett <lgarrett@rocketjump.eu>
Date:   Sun Sep 1 20:31:27 2019 +0200

    d/copyright: Don't exclude removed directory
    
    docs were refactored in ansible, this dir doesn't exist anymore.

commit 026bdcd0fbe58631e47ae5aa0f8074a7a043a617
Author: Lee Garrett <lgarrett@rocketjump.eu>
Date:   Sun Sep 1 19:58:03 2019 +0200

    whitespace fix

commit 5ca5e62e2bd87f71a9edf4e2e10b6c7dbae4c033
Author: Lee Garrett <lgarrett@rocketjump.eu>
Date:   Sun Sep 1 19:05:44 2019 +0200

    Update changelog

commit dc25c8eae8030db77814d7344f723dc50e34d220
Merge: f64b0218 92d27494
Author: Lee Garrett <lgarrett@rocketjump.eu>
Date:   Sun Sep 1 18:59:28 2019 +0200

    Update upstream source from tag 'upstream/2.8.4+dfsg'
    
    Update to upstream version '2.8.4+dfsg'
    with Debian dir 0790c096d0483f7a8617d8bf26d15a2f688660a4

commit 92d2749481e6895c2a161e06e870f980448df264
Author: Lee Garrett <lgarrett@rocketjump.eu>
Date:   Sun Sep 1 18:58:56 2019 +0200

    New upstream version 2.8.4+dfsg

commit f64b0218c8a2ddc32b14964679b31f92c188058c
Author: Lee Garrett <lgarrett@rocketjump.eu>
Date:   Sat Aug 31 16:06:32 2019 +0200

    Remove Michael Vogt from uploaders
    
    As per request via mail. Thanks for the past contributions!

Created: 2017-12-03 Last update: 2019-12-02 19:36

news

[rss feed]

[2019-11-03] ansible 2.8.6+dfsg-1 MIGRATED to testing (Debian testing watch)
[2019-10-28] Accepted ansible 2.8.6+dfsg-1 (source) into unstable (Lee Garrett)
[2019-09-16] Accepted ansible 1.7.2+dfsg-2+deb8u2 (source all) into oldoldstable (Roberto C. Sanchez)
[2019-08-02] Accepted ansible 2.8.3+dfsg-1 (source all) into unstable (Lee Garrett)
[2019-07-09] ansible 2.7.8+dfsg-1 MIGRATED to testing (Debian testing watch)
[2019-03-07] Accepted ansible 2.2.1.0-2+deb9u1 (source all) into proposed-updates->stable-new, proposed-updates (Lee Garrett) (signed by: Harlan Lieberman-Berg)
[2019-03-03] ansible 2.7.7+dfsg-1 MIGRATED to testing (Debian testing watch)
[2019-03-02] Accepted ansible 2.7.8+dfsg-1 (source) into unstable (Lee Garrett)
[2019-02-21] Accepted ansible 2.7.7+dfsg-1 (source all) into unstable (Lee Garrett)
[2019-02-19] Accepted ansible 2.2.1.0-2+deb9u1 (source all) into stable->embargoed, stable (Lee Garrett) (signed by: Harlan Lieberman-Berg)
[2019-02-02] ansible 2.7.6+dfsg-1 MIGRATED to testing (Debian testing watch)
[2019-01-27] Accepted ansible 2.7.6+dfsg-1 (source) into unstable (Lee Garrett)
[2019-01-11] Accepted ansible 2.7.5+dfsg-1~bpo9+1 (source all) into stretch-backports, stretch-backports (Harlan Lieberman-Berg)
[2019-01-06] Accepted ansible 2.7.5+dfsg-2 (source) into experimental (Lee Garrett)
[2018-12-27] ansible 2.7.5+dfsg-1 MIGRATED to testing (Debian testing watch)
[2018-12-21] Accepted ansible 2.7.5+dfsg-1 (source all) into unstable, unstable (Lee Garrett) (signed by: Harlan Lieberman-Berg)
[2018-11-18] ansible 2.7.1+dfsg-2 MIGRATED to testing (Debian testing watch)
[2018-11-13] Accepted ansible 2.7.1+dfsg-2 (source all) into unstable (Lee Garrett)
[2018-11-12] Accepted ansible 1.7.2+dfsg-2+deb8u1 (source all) into oldstable (Chris Lamb)
[2018-11-03] ansible 2.7.1+dfsg-1 MIGRATED to testing (Debian testing watch)
[2018-11-03] ansible 2.7.1+dfsg-1 MIGRATED to testing (Debian testing watch)
[2018-10-28] Accepted ansible 2.7.1+dfsg-1 (source all) into unstable (Lee Garrett)
[2018-10-05] ansible 2.6.5+dfsg-1 MIGRATED to testing (Debian testing watch)
[2018-09-29] Accepted ansible 2.6.5+dfsg-1 (source all) into unstable (Lee Garrett)
[2018-09-15] ansible 2.6.4+dfsg-1 MIGRATED to testing (Debian testing watch)
[2018-09-09] Accepted ansible 2.6.4+dfsg-1 (source all) into unstable (Lee Garrett)
[2018-08-31] Accepted ansible 2.6.3+dfsg-1~bpo9+1 (source all) into stretch-backports (Lee Garrett)
[2018-08-26] ansible 2.6.3+dfsg-1 MIGRATED to testing (Debian testing watch)
[2018-08-20] Accepted ansible 2.6.3+dfsg-1 (source all) into unstable (Lee Garrett)
[2018-07-17] ansible 2.6.1+dfsg-1 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 19
RC: 0
I&N: 13
M&W: 6
F&P: 0
patch: 2

links

homepage
buildd: logs, clang, reproducibility
popcon
browse source code
edit tags
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.8.6+dfsg-1
5 bugs