An update for ansible is now available for openEuler-22.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2024-2511 Final 1.0 1.0 2024-12-06 Initial 2024-12-06 2024-12-06 openEuler SA Tool V1.0 2024-12-06 ansible security update An update for ansible is now available for openEuler-22.03-LTS-SP1 Ansible is a radically simple model-driven configuration management, multi-node deployment, and remote task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. Security Fix(es):Ansible is a radically simple model-driven configuration management, multi-node deployment, and remote task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. %if 0 Provides: ansible-python3 = - Obsoletes: ansible-python3 < - BuildRequires: python3-devel python3-setuptools BuildRequires: python3-PyYAML python3-paramiko python3-crypto python3-packaging BuildRequires: python3-pexpect python3-winrm BuildRequires: git-core %if %with_docs BuildRequires: python3-sphinx python3-sphinx-theme-alabaster asciidoc %endif BuildRequires: python3-six python3-nose python3-pytest python3-pytest-xdist BuildRequires: python3-pytest-mock python3-requests python3-coverage python3-mock BuildRequires: python3-boto3 python3-botocore python3-passlib python3-jinja2 Requires: python3-PyYAML python3-paramiko python3-crypto python3-setuptools python3-six Requires: python3-jinja2 sshpass python3-jmespath %description Ansible is a radically simple model-driven configuration management, multi-node deployment, and remote task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. This package installs versions of ansible that execute on Python3. %endif Security Fix(es): A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions.(CVE-2024-8775) The ansible-core `user` module contains an exploitable flaw that can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the `user` module against the unprivileged user's home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner. Requirements to exploit (if any) - Someone with root privileges must use the `user` module with the`generate_ssh_key` option (disabled by default) and targeting an unprivileged user. - Access to the same unprivileged user on a system managed by the above automation.(CVE-2024-9902) An update for ansible is now available for master/openEuler-20.03-LTS-SP4/openEuler-22.03-LTS-SP1/openEuler-22.03-LTS-SP3/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS/openEuler-24.03-LTS-Next/openEuler-24.03-LTS-SP1. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium ansible https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2511 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-8775 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-9902 https://nvd.nist.gov/vuln/detail/CVE-2024-8775 https://nvd.nist.gov/vuln/detail/CVE-2024-9902 openEuler-22.03-LTS-SP1 ansible-2.9.27-5.oe2203sp1.noarch.rpm ansible-help-2.9.27-5.oe2203sp1.noarch.rpm ansible-2.9.27-5.oe2203sp1.src.rpm A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions. 2024-12-06 CVE-2024-8775 openEuler-22.03-LTS-SP1 Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N ansible security update 2024-12-06 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2511 A flaw was found in Ansible. The ansible-core `user` module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the `user` module against the unprivileged user's home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner. 2024-12-06 CVE-2024-9902 openEuler-22.03-LTS-SP1 Medium 6.3 AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L ansible security update 2024-12-06 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2511