RHSA-2020:1542: Important: Ansible security and bug fix update (2.9.7)
First published: Wed Apr 22 2020(Updated: )
Ansible is a simple model-driven configuration management, multi-node<br>deployment, and remote-task execution system. Ansible works over SSH and<br>does not require any software or daemons to be installed on remote nodes.<br>Extension modules can be written in any language and are transferred to<br>managed machines automatically.<br>The following packages have been upgraded to a newer upstream version:<br>ansible (2.9.7)<br>Bug Fix(es):<br><li> CVE-2020-10684 Ansible: code injection when using ansible_facts as a</li> subkey<br><li> CVE-2020-10685 Ansible: modules which use files encrypted with vault are</li> not properly cleaned up<br><li> CVE-2020-10691 Ansible: archive traversal vulnerability in ansible-galaxy</li> collection install<br><li> CVE-2020-1733 ansible: insecure temporary directory when running</li> become_user from become directive<br><li> CVE-2020-1735 ansible: path injection on dest parameter in fetch module</li> <li> CVE-2020-1737 ansible: Extract-Zip function in win_unzip module does not</li> check extracted path<br><li> CVE-2020-1739 ansible: svn module leaks password when specified as a</li> parameter<br><li> CVE-2020-1740 ansible: secrets readable after ansible-vault edit</li> <li> CVE-2020-1746 ansible: Information disclosure issue in ldap_attr and</li> ldap_entry modules<br><li> CVE-2020-1753 Ansible: kubectl connection plugin leaks sensitive</li> information<br>See:<br><a href="https://github.com/ansible/ansible/blob/v2.9.7/changelogs/CHANGELOG-v2.9.rst" target="_blank">https://github.com/ansible/ansible/blob/v2.9.7/changelogs/CHANGELOG-v2.9.rst</a> for details on bug fixes in this release.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/ansible | <2.9.7-1.el8ae | 2.9.7-1.el8ae |
| redhat/ansible | <2.9.7-1.el8ae | 2.9.7-1.el8ae |
| redhat/ansible-test | <2.9.7-1.el8ae | 2.9.7-1.el8ae |
| redhat/ansible | <2.9.7-1.el7ae | 2.9.7-1.el7ae |
| redhat/ansible | <2.9.7-1.el7ae | 2.9.7-1.el7ae |
| redhat/ansible-test | <2.9.7-1.el7ae | 2.9.7-1.el7ae |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=1801735
- https://bugzilla.redhat.com/show_bug.cgi?id=1802085
- https://bugzilla.redhat.com/show_bug.cgi?id=1802154
- https://bugzilla.redhat.com/show_bug.cgi?id=1802178
- https://bugzilla.redhat.com/show_bug.cgi?id=1802193
- https://bugzilla.redhat.com/show_bug.cgi?id=1805491
- https://bugzilla.redhat.com/show_bug.cgi?id=1811008
- https://bugzilla.redhat.com/show_bug.cgi?id=1814627
- https://bugzilla.redhat.com/show_bug.cgi?id=1815519
- https://bugzilla.redhat.com/show_bug.cgi?id=1817161
- https://access.redhat.com/security/updates/classification/#important
- https://access.redhat.com/errata/RHSA-2020:1542 (Advisory)
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/title
- agent/type
- agent/weakness
- collector/redhat-errata
- source/Red Hat
- anchor-id/RHSA-2020:1542
- agent/software-canonical-lookup
- package-manager/redhat