This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============6799459698437610042==
Content-Language: en-US
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature";
 boundary="------------D0Qx0KK0VbhDfBzfZqfD3o0H"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--------------D0Qx0KK0VbhDfBzfZqfD3o0H
Content-Type: multipart/mixed;
 boundary="------------7dp7EOJQ8ZJH4ZvKJlll4UYC";
 protected-headers="v1"
From: John Breton <john.breton@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <d1d0918d-fc15-4fcd-bc6a-bbc470f3b943@canonical.com>
Subject: [USN-7330-2] Ansible regression

--------------7dp7EOJQ8ZJH4ZvKJlll4UYC
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: base64

==========================================================================
Ubuntu Security Notice USN-7330-2
March 28, 2025

ansible regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS

Summary:

USN 7330-1 introduced a regression in Ansible.

Software Description:
- ansible: Configuration management, deployment, and task execution system

Details:

USN-7330-1 fixed vulnerabilities in Ansible. The update introduced a
regression when attempting to install Ansible on Ubuntu 16.04 LTS.
This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

  It was discovered that Ansible did not properly verify certain fields
  of X.509 certificates. An attacker could possibly use this issue to
  spoof SSL servers if they were able to intercept network communications.
  This issue only affected Ubuntu 14.04 LTS. (CVE-2015-3908)

  Martin Carpenter discovered that certain connection plugins for Ansible
  did not properly restrict users. An attacker with local access could
  possibly use this issue to escape a restricted environment via symbolic
  links misuse. This issue only affected Ubuntu 14.04 LTS. (CVE-2015-6240)

  Robin Schneider discovered that Ansible's apt_key module did not properly
  verify key fingerprints. A remote attacker could possibly use this issue
  to perform key injection, leading to the access of sensitive information.
  This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.
  (CVE-2016-8614)

  It was discovered that Ansible would expose passwords in certain
  instances. An attacker could possibly use specially crafted input
  related to this issue to access sensitive information. This issue only
  affected  Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-10206)

  It was discovered that Ansible incorrectly logged sensitive information.
  An attacker with local access could possibly use this issue to access
  sensitive information. This issue only affected Ubuntu 14.04 LTS, Ubuntu
  16.04 LTS, and Ubuntu 18.04 LTS. (CVE-2019-14846)

  It was discovered that Ansible's solaris_zone module accepted input
  without performing input checking. A remote attacker could possibly use
  this issue to enable the execution of arbitrary code. This issue only
  affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-14904)

  It was discovered that Ansible did not generate sufficiently random
  values, which could lead to the exposure of passwords. An attacker
  could possibly use this issue to access sensitive information. This
  issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
  (CVE-2020-10729)

  It was discovered that Ansible's svn module could disclose passwords to
  users within the same node. An attacker could possibly use this issue to
  access sensitive information. (CVE-2020-1739)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS
   ansible                         2.0.0.2-2ubuntu1.3+esm6
                                   Available with Ubuntu Pro
   ansible-fireball                2.0.0.2-2ubuntu1.3+esm6
                                   Available with Ubuntu Pro
   ansible-node-fireball           2.0.0.2-2ubuntu1.3+esm6
                                   Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
   https://ubuntu.com/security/notices/USN-7330-2
   https://ubuntu.com/security/notices/USN-7330-1
   https://launchpad.net/bugs/2104925

--------------7dp7EOJQ8ZJH4ZvKJlll4UYC--

--------------D0Qx0KK0VbhDfBzfZqfD3o0H
Content-Type: application/pgp-signature; name="OpenPGP_signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="OpenPGP_signature.asc"

-----BEGIN PGP SIGNATURE-----

wsF5BAABCAAjFiEEyMDHOTG0YH5UsajI8pSCVQZYHygFAmfm8XkFAwAAAAAACgkQ8pSCVQZYHyh5
xA/8DD037HZbGHOAzB95OOAc3YksU0IxNB2V+xkt8GXigqvMVcyZHXDxC21vAgmMBCQCVI4/cePn
AHbdjtDctzBomnKd3Bn3USQx9Zg+/sy0aSVP1usWRmwsP7rnyFXdSoS9Yg/Pf8l3cEj9KOXPJ/ys
7HEM4ufy+CAK4Z+QvLJR2Z9tqltzAJAX5NGYCjLYKnJESrBM3HLAKy3fzXgNYV0UvRhmU/4egmNh
3K1aYbu3zMcAdCAME1GZMRH/+UvRLhz4lixLhm/KGqJY+DsdCz0cEtf342TOxyVmU96SlHhXNHcx
ZmmfVscTspo9Q3aJwp6KEEro7cOfHWmA+ID1HWEigQYp33mo82TXt0gx2OZfmfaLd1It+hVNRAdb
DZSGMwP0VQC3UepHW7M+e4eaOqa02EbVR8xGh1tOemseXmgMZcS9r4Q0xnDhuRNhacrFnHNnfa8r
e0x84BXNiT1lJ2dJC9wZmp0AXpfrmhHWQCmIKpTxU1XzRHr0llPeqfS1znkYkdQyMiWW+3ksP5Ok
AwloGMTktyjyAaY3E1+ddOkoefswLeUAtDpp9o4d/Kt3wREQKHS/KRexN9FTu1CRhsa77NdHJPlG
6uSMEQ6Xw6RRZq2GK0B5ORhQ9zCC7PeqsAcUudueQc7fzJDLWDLnXbBWjKrMPzMSY8Ko3RmrreEK
wKs=
=CthV
-----END PGP SIGNATURE-----

--------------D0Qx0KK0VbhDfBzfZqfD3o0H--


--===============6799459698437610042==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

Cg==

--===============6799459698437610042==--