openSUSE Security Update : ansible (openSUSE-2019-1635)

medium Nessus Plugin ID 126326
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for ansible fixes the following issues :

Ansible was updated to version 2.8.1 :

Full changelog is at /usr/share/doc/packages/ansible/changelogs/

- Bugfixes

- ACI - DO not encode query_string

- ACI modules - Fix non-signature authentication

- Add missing directory provided via ``--playbook-dir`` to adjacent collection loading

- Fix 'Interface not found' errors when using eos_l2_interface with non-existent interfaces configured

- Fix cannot get credential when `source_auth` set to `credential_file`.

- Fix netconf_config backup string issue

- Fix privilege escalation support for the docker connection plugin when credentials need to be supplied (e.g. sudo with password).

- Fix vyos cli prompt inspection

- Fixed loading namespaced documentation fragments from collections.

- Fixing bug came up after running cnos_vrf module against coverity.

- Properly handle data importer failures on PVC creation, instead of timing out.

- To fix the ios static route TC failure in CI

- To fix the nios member module params

- To fix the nios_zone module idempotency failure

- add terminal initial prompt for initial connection

- allow include_role to work with ansible command

- allow python_requirements_facts to report on dependencies containing dashes

- asa_config fix

- azure_rm_roledefinition - fix a small error in build scope.

- azure_rm_virtualnetworkpeering - fix cross subscriptions virtual network peering.

- cgroup_perf_recap - When not using file_per_task, make sure we don't prematurely close the perf files

- display underlying error when reporting an invalid ``tasks:`` block.

- dnf - fix wildcard matching for state: absent

- docker connection plugin - accept version ``dev`` as 'newest version' and print warning.

- docker_container - ``oom_killer`` and ``oom_score_adj`` options are available since docker-py 1.8.0, not 2.0.0 as assumed by the version check.

- docker_container - fix network creation when ``networks_cli_compatible`` is enabled.

- docker_container - use docker API's ``restart`` instead of ``stop``/``start`` to restart a container.

- docker_image - if ``build`` was not specified, the wrong default for ``build.rm`` is used.

- docker_image - if ``nocache`` set to ``yes`` but not ``build.nocache``, the module failed.

- docker_image - module failed when ``source: build`` was set but ``build.path`` options not specified.

- docker_network module - fix idempotency when using ``aux_addresses`` in ``ipam_config``.

- ec2_instance - make Name tag idempotent

- eos: don't fail modules without become set, instead show message and continue

- eos_config: check for session support when asked to 'diff_against: session'

- eos_eapi: fix idempotency issues when vrf was unspecified.

- fix bugs for ce - more info see

- fix incorrect uses of to_native that should be to_text instead.

- hcloud_volume - Fix idempotency when attaching a server to a volume.

- ibm_storage - Added a check for null fields in ibm_storage utils module.

- include_tasks - whitelist ``listen`` as a valid keyword

- k8s - resource updates applied with force work correctly now

- keep results subset also when not no_log.

- meraki_switchport - improve reliability with native VLAN functionality.

- netapp_e_iscsi_target - fix netapp_e_iscsi_target chap secret size and clearing functionality

- netapp_e_volumes - fix workload profileId indexing when no previous workload tags exist on the storage array.

- nxos_acl some platforms/versions raise when no ACLs are present

- nxos_facts fix <https://github.com/ansible/ansible/pull/57009>

- nxos_file_copy fix passwordless workflow

- nxos_interface Fix admin_state check for n6k

- nxos_snmp_traps fix group all for N35 platforms

- nxos_snmp_user fix platform fixes for get_snmp_user

- nxos_vlan mode idempotence bug

- nxos_vlan vlan names containing regex ctl chars should be escaped

- nxos_vtp_* modules fix n6k issues

- openssl_certificate - fix private key passphrase handling for ``cryptography`` backend.

- openssl_pkcs12 - fixes crash when private key has a passphrase and the module is run a second time.

- os_stack - Apply tags conditionally so that the module does not throw up an error when using an older distro of openstacksdk

- pass correct loading context to persistent connections other than local

- pkg_mgr - Ansible 2.8.0 failing to install yum packages on Amazon Linux

- postgresql - added initial SSL related tests

- postgresql - added missing_required_libs, removed excess param mapping

- postgresql - move connect_to_db and get_pg_version into module_utils/postgres.py (https://github.com/ansible/ansible/pull/55514)

- postgresql_db - add note to the documentation about state dump and the incorrect rc (https://github.com/ansible/ansible/pull/57297)

- postgresql_db - fix for postgresql_db fails if stderr contains output

- postgresql_ping - fixed a typo in the module documentation

- preserve actual ssh error when we cannot connect.

- route53_facts - the module did not advertise check mode support, causing it not to be run in check mode.

- sysctl: the module now also checks the output of STDERR to report if values are correctly set (https://github.com/ansible/ansible/pull/55695)

- ufw - correctly check status when logging is off

- uri - always return a value for status even during failure

- urls - Handle redirects properly for IPv6 address by not splitting on ``:`` and rely on already parsed hostname and port values

- vmware_vm_facts - fix the support with regular ESXi

- vyos_interface fix <https://github.com/ansible/ansible/pull/57169>

- we don't really need to template vars on definition as we do this on demand in templating.

- win_acl - Fix qualifier parser when using UNC paths -

- win_hostname - Fix non netbios compliant name handling

- winrm - Fix issue when attempting to parse CLIXML on send input failure

- xenserver_guest - fixed an issue where VM whould be powered off even though check mode is used if reconfiguration requires VM to be powered off.

- xenserver_guest - proper error message is shown when maximum number of network interfaces is reached and multiple network interfaces are added at once.

- yum - Fix false error message about autoremove not being supported

- yum - fix failure when using ``update_cache`` standalone

- yum - handle special '_none_' value for proxy in yum.conf and .repo files

Update to version 2.8.0

Major changes :

- Experimental support for Ansible Collections and content namespacing - Ansible content can now be packaged in a collection and addressed via namespaces. This allows for easier sharing, distribution, and installation of bundled modules/roles/plugins, and consistent rules for accessing specific content via namespaces.

- Python interpreter discovery - The first time a Python module runs on a target, Ansible will attempt to discover the proper default Python interpreter to use for the target platform/version (instead of immediately defaulting to /usr/bin/python). You can override this behavior by setting ansible_python_interpreter or via config. (see https://github.com/ansible/ansible/pull/50163)

- become - The deprecated CLI arguments for --sudo,
--sudo-user,

--ask-sudo-pass, -su, --su-user, and --ask-su-pass have been removed, in favor of the more generic --become,
--become-user, --become-method, and

--ask-become-pass.

- become - become functionality has been migrated to a plugin architecture, to allow customization of become functionality and 3rd party become methods (https://github.com/ansible/ansible/pull/50991)

- addresses CVE-2018-16859, CVE-2018-16876, CVE-2019-3828, CVE-2018-16837

For the full changelog see /usr/share/doc/packages/ansible/changelogs or online:
https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELO G-v2.8.rst

Solution

Update the affected ansible package.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1109957

https://bugzilla.opensuse.org/show_bug.cgi?id=1112959

https://bugzilla.opensuse.org/show_bug.cgi?id=1118896

https://bugzilla.opensuse.org/show_bug.cgi?id=1126503

http://www.nessus.org/u?038dc6b5

https://github.com/ansible/ansible/pull/50163

https://github.com/ansible/ansible/pull/50991

https://github.com/ansible/ansible/pull/55514

https://github.com/ansible/ansible/pull/55695

https://github.com/ansible/ansible/pull/57009

https://github.com/ansible/ansible/pull/57169

https://github.com/ansible/ansible/pull/57297

Plugin Details

Severity: Medium

ID: 126326

File Name: openSUSE-2019-1635.nasl

Version: 1.6

Type: local

Agent: unix

Published: 6/28/2019

Updated: 8/9/2021

Dependencies: ssh_get_info.nasl

Risk Information

CVSS Score Source: CVE-2018-16876

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Low

Base Score: 3.5

Temporal Score: 2.6

Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N

Temporal Vector: E:U/RL:OF/RC:C

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:ansible, cpe:/o:novell:opensuse:15.1

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 6/27/2019

Vulnerability Publication Date: 10/23/2018

Reference Information

CVE: CVE-2018-16837, CVE-2018-16859, CVE-2018-16876, CVE-2019-3828