Security update for ansible SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:2976-1 Final 1 1 2017-11-10T13:03:17Z current 2017-11-10T13:03:17Z 2017-11-10T13:03:17Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ansible This update for ansible to version 2.4.1.0 fixes the following vulnerabilities: - CVE-2017-7481: Security issue with lookup return not tainting the jinja2 environment (bsc#1038785) - CVE-2016-9587: host to controller command execution vulnerability (bsc#1019021) - CVE-2016-8628: Command injection by compromised server via fact variables (bsc#1008037) - CVE-2016-8614: Improper verification of key fingerprints in apt_key module (bsc#1008038) - CVE-2017-7550: jenkins_plugin module may have exposed passwords in remote host logs (bsc#1065872) This update also contains a number of upstream bug fixes and improvements. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2017-1259 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1008037 SUSE Bug 1008037 https://bugzilla.suse.com/1008038 SUSE Bug 1008038 https://bugzilla.suse.com/1019021 SUSE Bug 1019021 https://bugzilla.suse.com/1038785 SUSE Bug 1038785 https://bugzilla.suse.com/1065872 SUSE Bug 1065872 https://www.suse.com/security/cve/CVE-2016-8614/ SUSE CVE CVE-2016-8614 page https://www.suse.com/security/cve/CVE-2016-8628/ SUSE CVE CVE-2016-8628 page https://www.suse.com/security/cve/CVE-2016-9587/ SUSE CVE CVE-2016-9587 page https://www.suse.com/security/cve/CVE-2017-7481/ SUSE CVE CVE-2017-7481 page https://www.suse.com/security/cve/CVE-2017-7550/ SUSE CVE CVE-2017-7550 page SUSE Package Hub 12 ansible-2.4.1.0-6.1 ansible-2.4.1.0-6.1 as a component of SUSE Package Hub 12 A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key. CVE-2016-8614 SUSE Package Hub 12:ansible-2.4.1.0-6.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-8614.html CVE-2016-8614 https://bugzilla.suse.com/1008038 SUSE Bug 1008038 Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as. CVE-2016-8628 SUSE Package Hub 12:ansible-2.4.1.0-6.1 moderate 6 AV:N/AC:M/Au:S/C:P/I:P/A:P 9 AV:N/AC:L/Au:S/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-8628.html CVE-2016-8628 https://bugzilla.suse.com/1008037 SUSE Bug 1008037 Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges. CVE-2016-9587 SUSE Package Hub 12:ansible-2.4.1.0-6.1 important 7.5 AV:N/AC:M/Au:S/C:P/I:C/A:P 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9587.html CVE-2016-9587 https://bugzilla.suse.com/1019021 SUSE Bug 1019021 Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as 'unsafe' and is not evaluated. CVE-2017-7481 SUSE Package Hub 12:ansible-2.4.1.0-6.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7481.html CVE-2017-7481 https://bugzilla.suse.com/1038785 SUSE Bug 1038785 A flaw was found in the way Ansible (2.3.x before 2.3.3, and 2.4.x before 2.4.1) passed certain parameters to the jenkins_plugin module. Remote attackers could use this flaw to expose sensitive information from a remote host's logs. This flaw was fixed by not allowing passwords to be specified in the "params" argument, and noting this in the module documentation. CVE-2017-7550 SUSE Package Hub 12:ansible-2.4.1.0-6.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7550.html CVE-2017-7550 https://bugzilla.suse.com/1035124 SUSE Bug 1035124 https://bugzilla.suse.com/1065872 SUSE Bug 1065872