Ansible before 1.5.5 sets 0644 permissions for sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by reading a file that uses the "deb http://user:pass@server:port/" format.
https://www.securityfocus.com/bid/68234
https://github.com/ansible/ansible/blob/release1.5.5/CHANGELOG.md