[ubuntu/xenial-updates] ansible (Accepted)

Ubuntu Archive Robot cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk
Wed Jul 17 19:03:56 UTC 2019

ansible ( xenial-security; urgency=medium

  * SECURITY UPDATE: Fix vulnerability where a local user could use symlinks
    to write arbitrary files or gain privileges.
    - debian/patches/CVE-2016-3096.patch: Do not use predictable filenames
      in the LXC plugin.
    - CVE-2016-3096
  * SECURITY UPDATE: Avoid unicode strings injection.
    - debian/patches/CVE-2017-7481.patch: Fixing security issue with lookup
      returns not tainting the jinja2 environment.
    - CVE-2017-7481
  * SECURITY UPDATE: Fix a flaw in ansible.cfg where an attacker could point
    to a plugin or a module path under control and execute arbitrary code.
    - debian/patches/CVE-2018-10875.patch: Ignore ansible.cfg in world
      writable cwd.
    - CVE-2018-10875
  * SECURITY UPDATE: Avoid information disclosure in log and command line.
    - debian/patches/CVE-2018-16837.patch: user: Don't pass ssh_key_passphrase
      on command line.
    - CVE-2018-16837

Date: 2019-07-16 15:11:13.706260+00:00
Changed-By: Paulo Flabiano Smorigo <pfsmorigo at canonical.com>
Signed-By: Ubuntu Archive Robot <cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk>
Sorry, changesfile not available.