—

PYSEC-2018-44

Details

Ansible "User" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen executable. Showing those credentials in clear text form for every user which have access just to the process list.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / ansible

Introduced in: 2.7 Fixed in: 2.7.1

Fix pip install --upgrade 'ansible>=2.5.11'

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16837 [REPORT]
http://www.securityfocus.com/bid/105700 [WEB]
https://access.redhat.com/errata/RHSA-2018:3463 [ADVISORY]
https://access.redhat.com/errata/RHSA-2018:3462 [ADVISORY]
https://access.redhat.com/errata/RHSA-2018:3461 [ADVISORY]
https://access.redhat.com/errata/RHSA-2018:3460 [ADVISORY]
https://access.redhat.com/errata/RHSA-2018:3505 [ADVISORY]
https://lists.debian.org/debian-lts-announce/2018/11/msg00012.html [WEB]
https://access.redhat.com/security/cve/cve-2018-16837 [WEB]
https://www.debian.org/security/2019/dsa-4396 [ADVISORY]
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html [WEB]
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html [WEB]
https://usn.ubuntu.com/4072-1/ [WEB]
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html [WEB]