
[SECURITY] [DLA 1923-1] ansible security update

Package        : ansible
Version        : 1.7.2+dfsg-2+deb8u2
CVE ID         : CVE-2015-3908 CVE-2015-6240 CVE-2018-10875 CVE-2019-10156
Debian Bug     : 930065

Several vulnerabilities were discovered in Ansible, a configuration
management, deployment, and task execution system.

CVE-2015-3908

    A potential man-in-the-middle attack associated with insufficient
    X.509 certificate verification.  Ansible did not verify that the
    server hostname matches a domain name in the subject's Common Name
    (CN) or subjectAltName field of the X.509 certificate, which allows
    man-in-the-middle attackers to spoof SSL servers via an arbitrary
    valid certificate.
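
    The check that was missing is the one below: after the chain has been
    validated, the requested hostname must still be matched against the
    certificate's subjectAltName DNS entries (or, for a certificate with
    no DNS SAN, the subject CN).  This is an added example written for
    this advisory, not Ansible's or Debian's code; it operates on the dict
    layout that Python's ssl.SSLSocket.getpeercert() returns, and the two
    sample certificates are constructed for illustration.

```python
"""Hostname verification against an X.509 certificate's SAN/CN entries.

Added example (not code from Ansible or Debian).  The cert dicts use the
layout returned by ssl.SSLSocket.getpeercert(); the samples at the bottom
are constructed, not real certificates.
"""
import ssl


def _dns_match(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against the requested hostname.

    Only a single leftmost-label wildcard is honoured (e.g. *.example.org);
    it never matches the bare domain or more than one label.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """True only if hostname matches a subjectAltName DNS entry, or the
    subject's CN when the certificate carries no DNS SAN at all."""
    san_dns = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if san_dns:
        return any(_dns_match(name, hostname) for name in san_dns)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_match(value, hostname)
    return False


def verified_context() -> ssl.SSLContext:
    """What a client should use: CA validation plus the hostname check."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def unverified_context() -> ssl.SSLContext:
    """The vulnerable shape: the chain is validated, but any valid
    certificate, issued for any name, is accepted for this host."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


# Constructed sample certificates in getpeercert() layout (not real certs).
CERT_FOR_REPO = {
    "subject": ((("commonName", "repo.example.org"),),),
    "subjectAltName": (("DNS", "repo.example.org"),
                       ("DNS", "*.mirrors.example.org")),
}
CERT_CN_ONLY = {
    "subject": ((("commonName", "old.example.org"),),),
}
CERT_FOR_ATTACKER = {
    "subject": ((("commonName", "attacker.example.net"),),),
    "subjectAltName": (("DNS", "attacker.example.net"),),
}

if __name__ == "__main__":
    # A valid certificate for the wrong name must be rejected.
    print(cert_matches_hostname(CERT_FOR_REPO, "repo.example.org"))       # True
    print(cert_matches_hostname(CERT_FOR_ATTACKER, "repo.example.org"))   # False
```

    Note that a certificate issued by a trusted CA for attacker.example.net
    passes chain validation just as well as one for repo.example.org; only
    the name match distinguishes them, which is why the fix matters.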

CVE-2015-6240

    A symlink attack that allows local users to escape a restricted
    environment (chroot or jail).

CVE-2018-10875

    Potential arbitrary code execution resulting from reading ansible.cfg
    from a world-writable current working directory.  Ansible now emits a
    warning and ignores an ansible.cfg found in a world-writable current
    working directory.
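
    The shape of that fix, as an added example written for this advisory
    (it is not Ansible's own configuration loader): walk the lookup order
    Ansible documents (ANSIBLE_CONFIG, ./ansible.cfg, ~/.ansible.cfg,
    /etc/ansible/ansible.cfg), but skip the working-directory file with a
    warning when the directory is world-writable, since any local user
    could plant settings there (a module path, a callback plugin) that run
    the next time ansible is invoked in it.  Function names, the warning
    text and the demo directories are this example's own.

```python
"""Locate ansible.cfg while refusing a world-writable working directory.

Added example, not Ansible's code.  find_ansible_cfg() and its signature
are this example's; the lookup order is the one Ansible documents.
"""
import os
import stat
import tempfile


def is_world_writable(path: str) -> bool:
    """True if 'others' hold the write bit on path (symlinks resolved)."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def find_ansible_cfg(cwd: str, env: dict, home: str,
                     etc_cfg: str = "/etc/ansible/ansible.cfg"):
    """Return (chosen_path_or_None, warnings).

    An ansible.cfg in a world-writable cwd is reported and skipped instead
    of being loaded; the search then continues with the user and system
    files.
    """
    warnings = []
    if env.get("ANSIBLE_CONFIG"):
        return env["ANSIBLE_CONFIG"], warnings
    cwd_cfg = os.path.join(cwd, "ansible.cfg")
    if os.path.isfile(cwd_cfg):
        if is_world_writable(cwd):
            warnings.append(
                f"ansible is being run in a world writable directory ({cwd}); "
                "ignoring it as an ansible.cfg source")
        else:
            return cwd_cfg, warnings
    for candidate in (os.path.join(home, ".ansible.cfg"), etc_cfg):
        if os.path.isfile(candidate):
            return candidate, warnings
    return None, warnings


def demo():
    """Build a normal and a world-writable directory, each holding an
    ansible.cfg, and report whether the file was accepted."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        home = os.path.join(base, "home")
        os.mkdir(home)
        # Point the system-wide fallback at a path that does not exist so
        # the outcome depends only on the cwd check.
        missing_etc = os.path.join(base, "no-such-etc-cfg")
        for name, mode in (("private", 0o755), ("shared", 0o777)):
            cwd = os.path.join(base, name)
            os.mkdir(cwd)
            with open(os.path.join(cwd, "ansible.cfg"), "w") as fh:
                # Constructed config: a planted module path is the classic payload.
                fh.write("[defaults]\nlibrary = ./planted_modules\n")
            os.chmod(cwd, mode)
            chosen, warns = find_ansible_cfg(cwd, {}, home, etc_cfg=missing_etc)
            results[name] = (chosen is not None, len(warns))
    return results


if __name__ == "__main__":
    print(demo())  # {'private': (True, 0), 'shared': (False, 1)}
```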

CVE-2019-10156

    Information disclosure through unexpected variable substitution.

For Debian 8 "Jessie", these problems have been fixed in version
1.7.2+dfsg-2+deb8u2.

We recommend that you upgrade your ansible packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Attachment: signature.asc
Description: PGP signature
