CVE-2020-25635: A flaw was found in Ansible Base when using the aws_ssm connection plugin as garbage collector is not happening after playbook run is completed. Files would remain in the bucket exposing the data. This issue affects directly data confidentiality. CVE-2020-25636: A flaw was found in Ansible Base when using the aws_ssm connection plugin as there is no namespace separation for file transfers. Files are written directly to the root bucket, making possible to have collisions when running multiple ansible processes. This issue affects mainly the service availability. Patch for both: https://github.com/ansible-collections/community.aws/commit/921bd53103c2b543e95c9e6b863702db3ff54d0c Maintainers, please advise if Gentoo versions of Ansible are affected.
patch doesn't apply cleanly, I think ansible-2.10.0-r1 is hit by this. Modified paths in patch.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7d23da514953be1ad0fd02a9aab9e5a24ca3449d commit 7d23da514953be1ad0fd02a9aab9e5a24ca3449d Author: Matthew Thode <prometheanfire@gentoo.org> AuthorDate: 2020-10-16 02:57:56 +0000 Commit: Matthew Thode <prometheanfire@gentoo.org> CommitDate: 2020-10-16 02:58:10 +0000 app-admin/ansible: Fix CVE Bug: https://bugs.gentoo.org/749369 Package-Manager: Portage-3.0.8, Repoman-3.0.1 Signed-off-by: Matthew Thode <prometheanfire@gentoo.org> app-admin/ansible/ansible-2.10.0-r2.ebuild | 82 ++++++++++++++++++++++ .../files/ansible-2.10.0-CVE-2020-25635-6.patch | 54 ++++++++++++++ 2 files changed, 136 insertions(+)
(In reply to Matthew Thode ( prometheanfire ) from comment #1) > patch doesn't apply cleanly, I think ansible-2.10.0-r1 is hit by this. > Modified paths in patch. Only 2.10?
probably older, but I'd rather stabilize 2.10.0-r2 than try to mess with older releases. Ansible recently split their package to ansible and ansible-base which has been... annoying to deal with.
(In reply to Matthew Thode ( prometheanfire ) from comment #4) > probably older, but I'd rather stabilize 2.10.0-r2 than try to mess with > older releases. Ansible recently split their package to ansible and > ansible-base which has been... annoying to deal with. That does make it easier :) Please continue with stabilization when ready.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=28d4eb2055684936f71e5b2f2317ca43ca509ed8 commit 28d4eb2055684936f71e5b2f2317ca43ca509ed8 Author: Matthew Thode <prometheanfire@gentoo.org> AuthorDate: 2020-10-16 03:25:56 +0000 Commit: Matthew Thode <prometheanfire@gentoo.org> CommitDate: 2020-10-16 03:25:56 +0000 app-admin/ansible: clean up for sec bug Bug: https://bugs.gentoo.org/749369 Package-Manager: Portage-3.0.8, Repoman-3.0.1 Signed-off-by: Matthew Thode <prometheanfire@gentoo.org> app-admin/ansible/Manifest | 2 - app-admin/ansible/ansible-2.10.0-r1.ebuild | 80 ------------------------------ app-admin/ansible/ansible-2.9.13.ebuild | 69 -------------------------- app-admin/ansible/ansible-2.9.14.ebuild | 69 -------------------------- 4 files changed, 220 deletions(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=251de145bd1920939f0f64e33f269b156eea510d commit 251de145bd1920939f0f64e33f269b156eea510d Author: Matthew Thode <prometheanfire@gentoo.org> AuthorDate: 2020-10-16 03:25:00 +0000 Commit: Matthew Thode <prometheanfire@gentoo.org> CommitDate: 2020-10-16 03:25:00 +0000 app-admin/ansible: 2.10.0-r2 stable amd64/arm64/x86 Bug: https://bugs.gentoo.org/749369 Package-Manager: Portage-3.0.8, Repoman-3.0.1 Signed-off-by: Matthew Thode <prometheanfire@gentoo.org> app-admin/ansible/ansible-2.10.0-r2.ebuild | 2 +- app-admin/ansible/ansible-2.9.14.ebuild | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
Thanks! C4 -> noglsa. Closing.