USN-7330-2: Ansible regression

Read Time:1 Minute, 54 Second

USN-7330-1 fixed vulnerabilities in Ansible. The update introduced a
regression when attempting to install Ansible on Ubuntu 16.04 LTS.
This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

It was discovered that Ansible did not properly verify certain fields
of X.509 certificates. An attacker could possibly use this issue to
spoof SSL servers if they were able to intercept network communications.
This issue only affected Ubuntu 14.04 LTS. (CVE-2015-3908)

Martin Carpenter discovered that certain connection plugins for Ansible
did not properly restrict users. An attacker with local access could
possibly use this issue to escape a restricted environment via symbolic
links misuse. This issue only affected Ubuntu 14.04 LTS. (CVE-2015-6240)

Robin Schneider discovered that Ansible’s apt_key module did not properly
verify key fingerprints. A remote attacker could possibly use this issue
to perform key injection, leading to the access of sensitive information.
This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.
(CVE-2016-8614)

It was discovered that Ansible would expose passwords in certain
instances. An attacker could possibly use specially crafted input
related to this issue to access sensitive information. This issue only
affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-10206)

It was discovered that Ansible incorrectly logged sensitive information.
An attacker with local access could possibly use this issue to access
sensitive information. This issue only affected Ubuntu 14.04 LTS, Ubuntu
16.04 LTS, and Ubuntu 18.04 LTS. (CVE-2019-14846)

It was discovered that Ansible’s solaris_zone module accepted input
without performing input checking. A remote attacker could possibly use
this issue to enable the execution of arbitrary code. This issue only
affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-14904)

It was discovered that Ansible did not generate sufficiently random
values, which could lead to the exposure of passwords. An attacker
could possibly use this issue to access sensitive information. This
issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
(CVE-2020-10729)

It was discovered that Ansible’s svn module could disclose passwords to
users within the same node. An attacker could possibly use this issue to
access sensitive information. (CVE-2020-1739)

Major Online Platform for Child Exploitation Dismantled

CrushFTP Vulnerability Exploited Following Disclosure Issues

HellCat ransomware: what you need to know

Amateur Hacker Leverages Russian Bulletproof Hosting Server to Spread Malware

Web 3.0 Requires Data Integrity

Sensitive Data Breached in Highline Schools Ransomware Incident

Over Half of Attacks on Electricity and Water Firms Are Destructive

Nearly 600 Phishing Domains Emerge Following Bybit Heist

CISO: Chief Cybersecurity Warrior Leader

USN-7415-1: Linux kernel vulnerabilities

Kubernetes Ingress-nginx Controller RCE

perl-Compress-Raw-Lzma-2.212-6.fc41 xz-5.8.1-1.fc41.1

perl-Compress-Raw-Lzma-2.209-9.fc40 xz-5.8.1-1.1.fc40

Multiple Vulnerabilities in Mozilla Products Could Allow for Arbitrary Code Execution

A Vulnerability in Ivanti Products Could Allow for Remote Code Execution