—

PYSEC-2020-201

Details

Ansible before 1.5.5 sets 0644 permissions for sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by reading a file that uses the "deb http://user:pass@server:port/" format.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / ansible

Introduced in: 0 Fixed in: 1.5.5

Fix pip install --upgrade 'ansible>=1.5.5'

References

https://www.securityfocus.com/bid/68234 [WEB]
https://github.com/ansible/ansible/blob/release1.5.5/CHANGELOG.md [WEB]