Mageia alert MGASA-2020-0060 (ansible)

From:
             
 
Mageia Updates <buildsystem-daemon@mageia.org> 
To:
             
 
updates-announce@ml.mageia.org 
Subject:
             
 
[updates-announce] MGASA-2020-0060: Updated ansible package fixes security vulnerabilities 
Date:
             
 
Tue, 28 Jan 2020 08:53:55 +0100
Message-ID:
             
 
<20200128075355.B14779F6EB@duvel.mageia.org>
MGASA-2020-0060 - Updated ansible package fixes security vulnerabilities

Publication date: 28 Jan 2020
URL: https://advisories.mageia.org/MGASA-2020-0060.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2019-14904,
     CVE-2019-14905

Description:
A flaw was found in the solaris_zone module from the Ansible Community
modules. When setting the name for the zone on the Solaris host, the
zone name is checked by listing the process with the 'ps' bare command
on the remote machine. An attacker could take advantage of this flaw by
crafting the name of the zone and executing arbitrary commands in the
remote host (CVE-2019-14904).

A vulnerability in Ansible's nxos_file_copy module can be used to copy
files to a flash or bootflash on NXOS devices. Malicious code could
craft the filename parameter to perform OS command injections. This
could result in a loss of confidentiality of the system among other
issues (CVE-2019-14905).

References:
- https://bugs.mageia.org/show_bug.cgi?id=26125
- https://github.com/ansible/ansible/blob/v2.7.16/changelog...
- https://access.redhat.com/errata/RHSA-2020:0217
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1...

SRPMS:
- 7/core/ansible-2.7.16-1.mga7