SUSE-SU-2018:4130-1

Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2018:4130-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2018:4130-1
Published
2018-12-14T15:12:26Z
Modified
2018-12-14T15:12:26Z
Summary
Security update for ansible
Details

This update for ansible fixes the following issues:

Ansible was updated to ansible 2.4.6.0.

The full release notes can be found at:

https://github.com/ansible/ansible/blob/stable-2.4/CHANGELOG.md

Security issues fixed:

  • CVE-2018-10875: ansible.cfg is read from the current working directory, which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code. (bsc#1099808)
  • CVE-2018-10874: When running an ad-hoc command, inventory variables are loaded from the current working directory, which may be under an attacker's control, allowing arbitrary code to be run as a result. (bsc#1099805)
  • CVE-2018-10855: Ansible did not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible. (bsc#1097775)

Affected packages

SUSE:HPE Helion OpenStack 8 / ansible

Package

Name
ansible
Purl
purl:rpm/suse/ansible&distro=HPE%20Helion%20OpenStack%208

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.4.6.0-3.3.1

Ecosystem specific

{
    "binaries": [
        {
            "ansible": "2.4.6.0-3.3.1"
        }
    ]
}

SUSE:OpenStack Cloud 8 / ansible

Package

Name
ansible
Purl
purl:rpm/suse/ansible&distro=SUSE%20OpenStack%20Cloud%208

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.4.6.0-3.3.1

Ecosystem specific

{
    "binaries": [
        {
            "ansible": "2.4.6.0-3.3.1"
        }
    ]
}

SUSE:OpenStack Cloud Crowbar 8 / ansible

Package

Name
ansible
Purl
purl:rpm/suse/ansible&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.4.6.0-3.3.1

Ecosystem specific

{
    "binaries": [
        {
            "ansible": "2.4.6.0-3.3.1"
        }
    ]
}