Changelog
ansible (2.5.1+dfsg-1ubuntu0.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Fix a vulnerability in inventory variables where an
    attacker could run arbitrary code.
    - debian/patches/CVE-2018-10874.patch: Avoid loading vars on unspecified
      basedir (cwd).
    - CVE-2018-10874
  * SECURITY UPDATE: Fix a flaw in ansible.cfg where an attacker could point
    to a plugin or a module path under control and execute arbitrary code.
    - debian/patches/CVE-2018-10875.patch: Ignore ansible.cfg in world
      writable cwd.
    - CVE-2018-10875
  * SECURITY UPDATE: Avoid information disclosure in log and command line.
    - debian/patches/CVE-2018-10855.patch: no_log even when task_result
      doesn't provide key.
    - debian/patches/CVE-2018-16837.patch: user: Don't pass ssh_key_passphrase
      on command line.
    - debian/patches/CVE-2018-16876.patch: Ensure ssh retry respects no log.
    - CVE-2018-10855
    - CVE-2018-16837
    - CVE-2018-16876
  * SECURITY UPDATE: Fix traversal path vulnerability which allows copying
    and overwriting files outside of the specified destination in the local
    ansible controller host, by not restricting an absolute path.
    - debian/patches/CVE-2019-3828.patch: Disallow use of remote home
      directories containing ".." in their path
    - CVE-2019-3828
  * SECURITY UPDATE: Sensitive information could be exposed to remote node.
    - debian/patches/CVE-2019-10156-1.patch: Don't pass locals.
    - debian/patches/CVE-2019-10156-2.patch: Fixed tests.
    - CVE-2019-10156

 -- Paulo Flabiano Smorigo <email address hidden>  Thu, 11 Jul 2019 17:55:43 -0300