Login
Newsletter
Werbung
Sicherheit: Mehrere Probleme in Ansible
Aktuelle Meldungen Distributionen
Name: Mehrere Probleme in Ansible
ID: USN-7330-1
Distribution: Ubuntu
Plattformen: Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS
Datum: Do, 6. März 2025, 23:19
Referenzen: https://www.cve.org/CVERecord?id=CVE-2019-10206
https://www.cve.org/CVERecord?id=CVE-2015-3908
https://www.cve.org/CVERecord?id=CVE-2019-14904
https://www.cve.org/CVERecord?id=CVE-2020-10729
https://www.cve.org/CVERecord?id=CVE-2016-8614
https://www.cve.org/CVERecord?id=CVE-2015-6240
https://www.cve.org/CVERecord?id=CVE-2020-1739
https://www.cve.org/CVERecord?id=CVE-2019-14846
Applikationen: Ansible

Originalnachricht

 
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============0689695320346613436==
Content-Language: en-US
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature";
 boundary="------------0X31ZkOt5eBvfb2OdkCmFFG7"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--------------0X31ZkOt5eBvfb2OdkCmFFG7
Content-Type: multipart/mixed;
 boundary="------------y6NbLUKjmGWvoa00XYug6c0h";
 protected-headers="v1"
From: John Breton <john.breton@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <7abd949e-3b09-4b23-a66c-cc120a6c2d01@canonical.com>
Subject: [USN-7330-1] Ansible vulnerabilities

--------------y6NbLUKjmGWvoa00XYug6c0h
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: base64

==========================================================================
Ubuntu Security Notice USN-7330-1
March 05, 2025

ansible vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in Ansible.

Software Description:
- ansible: Configuration management, deployment, and task execution system

Details:

It was discovered that Ansible did not properly verify certain fields of
X.509 certificates. An attacker could possibly use this issue to spoof
SSL servers if they were able to intercept network communications. This
issue only affected Ubuntu 14.04 LTS. (CVE-2015-3908)

Martin Carpenter discovered that certain connection plugins for Ansible
did not properly restrict users. An attacker with local access could
possibly use this issue to escape a restricted environment via symbolic
links misuse. This issue only affected Ubuntu 14.04 LTS. (CVE-2015-6240)

Robin Schneider discovered that Ansible's apt_key module did not properly
verify key fingerprints. A remote attacker could possibly use this issue
to perform key injection, leading to the access of sensitive information.
This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.
(CVE-2016-8614)

It was discovered that Ansible would expose passwords in certain
instances. An attacker could possibly use specially crafted input related
to this issue to access sensitive information. This issue only affected
Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-10206)

It was discovered that Ansible incorrectly logged sensitive information.
An attacker with local access could possibly use this issue to access
sensitive information. This issue only affected Ubuntu 14.04 LTS, Ubuntu
16.04 LTS, and Ubuntu 18.04 LTS. (CVE-2019-14846)

It was discovered that Ansible's solaris_zone module accepted input without
performing input checking. A remote attacker could possibly use this issue
to enable the execution of arbitrary code. This issue only affected Ubuntu
16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-14904)

It was discovered that Ansible did not generate sufficiently random values,
which could lead to the exposure of passwords. An attacker could possibly
use this issue to access sensitive information. This issue only affected
Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2020-10729)

It was discovered that Ansible's svn module could disclose passwords to
users within the same node. An attacker could possibly use this issue to
access sensitive information. (CVE-2020-1739)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
   ansible                         2.9.6+dfsg-1ubuntu0.1~esm3
                                   Available with Ubuntu Pro

Ubuntu 18.04 LTS
   ansible                         2.5.1+dfsg-1ubuntu0.1+esm5
                                   Available with Ubuntu Pro

Ubuntu 16.04 LTS
   ansible                         2.0.0.2-2ubuntu1.3+esm5
                                   Available with Ubuntu Pro
   ansible-fireball                2.0.0.2-2ubuntu1.3+esm5
                                   Available with Ubuntu Pro
   ansible-node-fireball           2.0.0.2-2ubuntu1.3+esm5
                                   Available with Ubuntu Pro

Ubuntu 14.04 LTS
   ansible                         1.5.4+dfsg-1ubuntu0.1~esm3
                                   Available with Ubuntu Pro
   ansible-fireball                1.5.4+dfsg-1ubuntu0.1~esm3
                                   Available with Ubuntu Pro
   ansible-node-fireball           1.5.4+dfsg-1ubuntu0.1~esm3
                                   Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
   https://ubuntu.com/security/notices/USN-7330-1
   CVE-2015-3908, CVE-2015-6240, CVE-2016-8614, CVE-2019-10206,
   CVE-2019-14846, CVE-2019-14904, CVE-2020-10729, CVE-2020-1739
--------------y6NbLUKjmGWvoa00XYug6c0h--

--------------0X31ZkOt5eBvfb2OdkCmFFG7
Content-Type: application/pgp-signature; name="OpenPGP_signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="OpenPGP_signature.asc"

-----BEGIN PGP SIGNATURE-----

wsF5BAABCAAjFiEEyMDHOTG0YH5UsajI8pSCVQZYHygFAmfJ8ioFAwAAAAAACgkQ8pSCVQZYHygF
EQ//VrMFj+MiuE8VqxIYK8w1yi8kfFYopzkMVolJNjTAzOsbv2GMIZ0W74c0R22j23/o6MkaabQp
T4ReAhX7CtU3axpF+bjoO0TEjUc91oNRMHed5T/sMRpqFGA0UcLzcMQYOkjkmAcRwGtMiWnUOyV4
bPH6UrRk7oTf+lhNfgIL/t0Wi/lLAhVXfjMgk4c/bEcsMbskrDsUd3203MYz3CBvSRcDTgatBjpX
w0BIeT4SsBKUV+lWbdX3vuSSxJHtRwFP84gBdPd+GnIMvvq2HWxp75mcecYrMN8wlda/XkPZIe9H
K/ggdQjT0850L3WqadSlX+kf+ti0fl/wg5viLOybYNR4vZHoBtLajWXNL7foYDxh9uFbsgoR3+uJ
7BFIbhNJFVTDrFGgmz5TKQeWP1yHO3w/MDa4Ke5VVisQsuF68JvBT2fp6ePds5hl9KkgIdgTPWYG
W7hl/oAEUtGskE0BVaZHIacqP7jMso0gRy6RYeETKTQ+W9TVeP+bANkyhWp835Pj7sZhQdv4r5mF
vfFtQKN9eysiTVnBrHaPWcpFhKfGev9CCze7cGLUaWDP1EZ6gxfvU259i2PdpWgt6dT2hIHHRuJy
8czjJF9gt1UuDFXTcYDImwNEXO5sESElCNY8EIsUc7E46MCjs5Rz5Nw0btqu09X8XQZCfNzWxnPk
A1E=
=MLNR
-----END PGP SIGNATURE-----

--------------0X31ZkOt5eBvfb2OdkCmFFG7--


--===============0689695320346613436==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

Cg==

--===============0689695320346613436==--
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten

141
Mach­t's gut!

51
Neue Raspber­ry Pi-Va­ri­an­te mit 8 GB RAM

0
Genode 20.05 frei­ge­ge­ben

9
Sub­ver­si­on 1.14.0-LTS vor­ge­stellt

0
»Hum­ble Ci­ties: Sky­lines Bund­le« vor­ge­stellt

0
End of Life für Co­reOS Con­tai­ner Linux ver­kün­det

32
Elek­tra 0.9.2 er­schie­nen

8
Nex­tDNS ver­lässt die Be­ta-Pha­se

23
Tu­xe­do stellt Ga­mer-Note­book vor

0
Libre Gra­phics Mee­ting be­ginnt als On­li­ne-Va­ri­an­te
 
Werbung