First published: Wed Apr 22 2020(Updated: )
Ansible is a simple model-driven configuration management, multi-node<br>deployment, and remote-task execution system. Ansible works over SSH and<br>does not require any software or daemons to be installed on remote nodes.<br>Extension modules can be written in any language and are transferred to<br>managed machines automatically.<br>The following packages have been upgraded to a newer upstream version:<br>ansible (2.8.11)<br>Bug Fix(es):<br><li> CVE-2020-10684 Ansible: code injection when using ansible_facts as a</li> subkey<br><li> CVE-2020-10685 Ansible: modules which use files encrypted with vault are</li> not properly cleaned up<br><li> CVE-2020-1733 ansible: insecure temporary directory when running</li> become_user from become directive<br><li> CVE-2020-1735 ansible: path injection on dest parameter in fetch module</li> <li> CVE-2020-1737 ansible: Extract-Zip function in win_unzip module does not</li> check extracted path<br><li> CVE-2020-1739 ansible: svn module leaks password when specified as a</li> parameter<br><li> CVE-2020-1740 ansible: secrets readable after ansible-vault edit</li> <li> CVE-2020-1746 ansible: Information disclosure issue in ldap_attr and</li> ldap_entry modules<br>See:<br><a href="https://github.com/ansible/ansible/blob/v2.8.11/changelogs/CHANGELOG-v2.8.rst" target="_blank">https://github.com/ansible/ansible/blob/v2.8.11/changelogs/CHANGELOG-v2.8.rst</a> for details on bug fixes in this release.
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/ansible | <2.8.11-1.el8ae | 2.8.11-1.el8ae |
redhat/ansible | <2.8.11-1.el8ae | 2.8.11-1.el8ae |
redhat/ansible | <2.8.11-1.el7ae | 2.8.11-1.el7ae |
redhat/ansible | <2.8.11-1.el7ae | 2.8.11-1.el7ae |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.