Debian Security Advisory
DSA-4396-1 ansible -- security update
- Date Reported:
- 19 Feb 2019
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2018-10855, CVE-2018-10875, CVE-2018-16837, CVE-2018-16876, CVE-2019-3828.
- More information:
Several vulnerabilities have been found in Ansible, a configuration management, deployment, and task execution system:
The no_log task flag wasn't honored, resulting in an information leak.
ansible.cfg was read from the current working directory.
The user module leaked parameters passed to ssh-keygen to the process environment.
The fetch module was susceptible to path traversal.
For the stable distribution (stretch), these problems have been fixed in version 18.104.22.168-2+deb9u1.
We recommend that you upgrade your ansible packages.
For the detailed security status of ansible please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ansible
- CVE-2018-10855 / CVE-2018-16876