[ubuntu/bionic-security] ansible 2.5.1+dfsg-1ubuntu0.1 (Accepted)

Paulo Flabiano Smorigo pfsmorigo at canonical.com
Wed Jul 17 18:23:12 UTC 2019


ansible (2.5.1+dfsg-1ubuntu0.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Fix a vulnerability in inventory variables where an
    attacker could run arbitrary code.
    - debian/patches/CVE-2018-10874.patch: Avoid loading vars on unspecified
      basedir (cwd).
    - CVE-2018-10874
  * SECURITY UPDATE: Fix a flaw in ansible.cfg where an attacker could point
    to a plugin or a module path under control and execute arbitrary code.
    - debian/patches/CVE-2018-10875.patch: Ignore ansible.cfg in world
      writable cwd.
    - CVE-2018-10875
  * SECURITY UPDATE: Avoid information disclosure in log and command line.
    - debian/patches/CVE-2018-10855.patch: no_log even when task_result
      doesn't provide key.
    - debian/patches/CVE-2018-16837.patch: user: Don't pass ssh_key_passphrase
      on command line.
    - debian/patches/CVE-2018-16876.patch: Ensure ssh retry respects no log.
    - CVE-2018-10855
    - CVE-2018-16837
    - CVE-2018-16876
  * SECURITY UPDATE: Fix traversal path vulnerability which allows copying
    and overwriting files outside of the specified destination in the local
    ansible controller host, by not restricting an absolute path.
    - debian/patches/CVE-2019-3828.patch: Disallow use of remote home
      directories containing ".." in their path
    - CVE-2019-3828
  * SECURITY UPDATE: Sensitive information could be exposed to remote node.
    - debian/patches/CVE-2019-10156-1.patch: Don't pass locals.
    - debian/patches/CVE-2019-10156-2.patch: Fixed tests.
    - CVE-2019-10156

Date: 2019-07-16 15:08:14.825830+00:00
Changed-By: Paulo Flabiano Smorigo <pfsmorigo at canonical.com>
https://launchpad.net/ubuntu/+source/ansible/2.5.1+dfsg-1ubuntu0.1