MGASA-2019-0309

Source
https://advisories.mageia.org/MGASA-2019-0309.html
Import Source
https://advisories.mageia.org/MGASA-2019-0309.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2019-0309
Published
2019-11-02T16:54:34Z
Modified
2019-11-02T16:34:52Z
Summary
Updated ansible packages fix security vulnerabilities
Details

Updated ansible package fixes security vulnerabilities:

`ansible-playbook -k` and the ansible CLI tools prompt for passwords and expand them as templates, as they could contain special characters. Passwords should be wrapped to prevent template expansion from triggering and exposing them (CVE-2019-10206).

Ansible was logging at the DEBUG level, which led to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process (CVE-2019-14846).

When a module has an `argument_spec` with sub parameters marked as `no_log`, passing an invalid parameter name to the module will cause the task to fail before the `no_log` options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked: it is present in the module invocation arguments for the task and will be displayed if Ansible is run with increased verbosity (CVE-2019-14858).
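The ordering problem behind CVE-2019-14858, as an added example that is not Ansible's code or the upstream patch: a simplified model in which the unknown-parameter check runs either before or after the `no_log` sub-parameter values are collected. The spec, the function names, the mask string and the sample input are all constructed for illustration, and collecting first is an assumed remedy.

```python
# Simplified model of the ordering flaw; all names here are hypothetical.
MASK = "<masked>"  # constructed placeholder, not Ansible's own mask string

# Constructed argument spec: 'auth' has a sub-parameter marked no_log.
SPEC = {
    "name": {"type": "str"},
    "auth": {"type": "dict", "options": {
        "user": {"type": "str"},
        "token": {"type": "str", "no_log": True},
    }},
}


def collect_no_log(spec, params):
    """Walk the spec recursively and gather every value marked no_log."""
    secrets = set()
    for key, opts in spec.items():
        value = params.get(key)
        if value is None:
            continue
        if opts.get("no_log"):
            secrets.add(str(value))
        if isinstance(value, dict) and "options" in opts:
            secrets |= collect_no_log(opts["options"], value)
    return secrets


def mask(obj, secrets):
    """Return a copy of obj with every collected secret replaced by MASK."""
    if isinstance(obj, dict):
        return {k: mask(v, secrets) for k, v in obj.items()}
    return MASK if str(obj) in secrets else obj


def run(params, collect_first):
    """Return the result, including the invocation a verbose run would show."""
    secrets = collect_no_log(SPEC, params) if collect_first else set()
    unknown = sorted(set(params) - set(SPEC))
    if unknown:  # task fails here; in the flawed order nothing is collected yet
        return {"failed": True, "invocation": mask(params, secrets)}
    return {"failed": False,
            "invocation": mask(params, collect_no_log(SPEC, params))}


# Constructed input: a misspelled top-level parameter plus a secret sub-field.
BAD = {"nmae": "web01", "auth": {"user": "deploy", "token": "s3cr3t-example"}}
```

With `collect_first=False` the failed task's invocation still carries the token in clear text; with `collect_first=True` the task fails the same way but the token is masked.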


Affected packages

Mageia:7 / ansible

Package

Name
ansible
Purl
pkg:rpm/mageia/ansible?distro=mageia-7

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.7.14-1.mga7

Ecosystem specific

{
    "section": "core"
}