Fedora Linux 8773 Published by

An ansible security update has been released for Fedora 30.



SECURITY: Fedora 30 Update: ansible-2.9.7-1.fc30


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2020-1b6ce91e37
2020-04-27 03:06:12.192753
--------------------------------------------------------------------------------

Name : ansible
Product : Fedora 30
Version : 2.9.7
Release : 1.fc30
URL :   http://ansible.com
Summary : SSH-based configuration management, deployment, and task execution system
Description :
Ansible is a radically simple model-driven configuration management,
multi-node deployment, and remote task execution system. Ansible works
over SSH and does not require any software or daemons to be installed
on remote nodes. Extension modules can be written in any language and
are transferred to managed machines automatically.

--------------------------------------------------------------------------------
Update Information:

Update to upstream bugfix and security update 2.9.7. See
  https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst
for a detailed list of changes.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 17 2020 Kevin Fenzi - 2.9.7-1
- Update to 2.9.7.
- fixes CVE-2020-1733 CVE-2020-1735 CVE-2020-1740 CVE-2020-1746 CVE-2020-1753 CVE-2020-10684 CVE-2020-10685 CVE-2020-10691
- Drop the -s from the shebang to allow ansible to use locally installed modules.
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #1805318 - CVE-2020-1740 ansible: secrets readable after ansible-vault edit [fedora-all]
  https://bugzilla.redhat.com/show_bug.cgi?id=1805318
[ 2 ] Bug #1805333 - CVE-2020-1735 ansible: path injection on dest parameter in fetch module [fedora-all]
  https://bugzilla.redhat.com/show_bug.cgi?id=1805333
[ 3 ] Bug #1805341 - CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directive [fedora-all]
  https://bugzilla.redhat.com/show_bug.cgi?id=1805341
[ 4 ] Bug #1808471 - CVE-2020-1746 ansible: Information disclosure issue in ldap_attr and ldap_entry modules [fedora-all]
  https://bugzilla.redhat.com/show_bug.cgi?id=1808471
[ 5 ] Bug #1811934 - CVE-2020-1753 ansible: kubectl connection plugin leaks sensitive information [fedora-all]
  https://bugzilla.redhat.com/show_bug.cgi?id=1811934
[ 6 ] Bug #1816310 - CVE-2020-10684 ansible: code injection when using ansible_facts as a subkey [fedora-all]
  https://bugzilla.redhat.com/show_bug.cgi?id=1816310
[ 7 ] Bug #1816313 - CVE-2020-10685 ansible: modules which use files encrypted with vault are not properly cleaned up [fedora-all]
  https://bugzilla.redhat.com/show_bug.cgi?id=1816313
[ 8 ] Bug #1817980 - CVE-2020-10691 ansible: archive traversal vulnerability in ansible-galaxy collection install [fedora-all]
  https://bugzilla.redhat.com/show_bug.cgi?id=1817980
[ 9 ] Bug #1825070 - ansible-2.9.7 is available
  https://bugzilla.redhat.com/show_bug.cgi?id=1825070
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-1b6ce91e37' at the command
line. For more information, refer to the dnf documentation available at
  http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
  https://fedoraproject.org/keys