Hash: SHA256

             AUSCERT External Security Bulletin Redistribution

                          ansible security update
                                6 May 2020


        AusCERT Security Bulletin Summary

Product:           ansible
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Increased Privileges     -- Existing Account
                   Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-1740 CVE-2020-1739 CVE-2020-1733

Reference:         ESB-2020.1407

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

Package        : ansible
Version        : 1.7.2+dfsg-2+deb8u3
CVE ID         : CVE-2019-14846 CVE-2020-1733 CVE-2020-1739 CVE-2020-1740
Debian Bug     : 942188

Several vulnerabilities were discovered in Ansible, a configuration
management, deployment, and task execution system.


    Ansible was logging at the DEBUG level which lead to a disclosure
    of credentials if a plugin used a library that logged credentials
    at the DEBUG level. This flaw does not affect Ansible modules, as
    those are executed in a separate process.


    A race condition flaw was found when running a playbook with an
    unprivileged become user. When Ansible needs to run a module with
    become user, the temporary directory is created in /var/tmp. This
    directory is created with "umask 77 && mkdir -p dir"; this
    operation does not fail if the directory already exists and is
    owned by another user. An attacker could take advantage to gain
    control of the become user as the target directory can be
    retrieved by iterating '/proc/pid/cmdline'.


    A flaw was found when a password is set with the argument
    "password" of svn module, it is used on svn command line,
    disclosing to other users within the same node. An attacker could
    take advantage by reading the cmdline file from that particular
    PID on the procfs.


    A flaw was found when using Ansible Vault for editing encrypted
    files. When a user executes "ansible-vault edit", another user on
    the same computer can read the old and new secret, as it is
    created in a temporary file with mkstemp and the returned file
    descriptor is closed and the method write_data is called to write
    the existing secret in the file. This method will delete the file
    before recreating it insecurely.

For Debian 8 "Jessie", these problems have been fixed in version

We recommend that you upgrade your ansible packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967