
Bug 639694 (CVE-2017-7550)

Summary: <app-admin/ansible-2.4.1: Information disclosure vulnerability
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: calchan, chainsaw, prometheanfire
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B4 [noglsa cve]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2017-12-04 01:43:43 UTC
CVE-2017-7550 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7550):
  A flaw was found in the way Ansible (2.3.x before 2.3.3, and 2.4.x before
  2.4.1) passed certain parameters to the jenkins_plugin module. Remote
  attackers could use this flaw to expose sensitive information from a remote
  host's logs. This flaw was fixed by not allowing passwords to be specified
  in the "params" argument, and noting this in the module documentation.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-12-04 01:44:28 UTC
@Maintainers please call for stabilization when ready. 

Thank you
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-12-04 01:50:23 UTC
cleaned up in 40bf1a5a5a1af94674217c21ea2a92a6ee7d4da5

2.4.1 was already stable (which by the description is fixed).
Comment 3 Patrice Clement gentoo-dev 2018-05-22 21:48:06 UTC
Hi Sec team.

Can someone close this bug? I think this is no longer relevant and outdated. The latest stable version available in the main repo is 2.5.2. Thanks.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2018-05-22 22:02:26 UTC
(In reply to Patrice Clement from comment #3)
> Hi Sec team.
> 
> Can someone close this bug? I think this is no longer relevant and outdated.
> The latest stable version available in the main repo is 2.5.2. Thanks.

Thanks, Patrice!