Debian Bug report logs -
#912297
ansible: CVE-2018-16837
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Harlan Lieberman-Berg <hlieberman@debian.org>
:
Bug#912297
; Package ansible
.
(Mon, 29 Oct 2018 21:54:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Chris Lamb <lamby@debian.org>
:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Harlan Lieberman-Berg <hlieberman@debian.org>
.
(Mon, 29 Oct 2018 21:54:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: ansible
Version: 1.7.2+dfsg-2
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for ansible.
CVE-2018-16837[0]:
| Ansible "User" module leaks any data which is passed on as a parameter
| to ssh-keygen. This could lean in undesirable situations such as
| passphrases credentials passed as a parameter for the ssh-keygen
| executable. Showing those credentials in clear text form for every
| user which have access just to the process list.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-16837
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16837
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
Reply sent
to Ivo De Decker <ivodd@debian.org>
:
You have taken responsibility.
(Mon, 29 Oct 2018 22:12:07 GMT) (full text, mbox, link).
Notification sent
to Chris Lamb <lamby@debian.org>
:
Bug acknowledged by developer.
(Mon, 29 Oct 2018 22:12:07 GMT) (full text, mbox, link).
Message #10 received at 912297-done@bugs.debian.org (full text, mbox, reply):
Version: 2.7.1+dfsg-1
Hi,
On Mon, Oct 29, 2018 at 05:50:54PM -0400, Chris Lamb wrote:
> The following vulnerability was published for ansible.
>
> CVE-2018-16837[0]:
> | Ansible "User" module leaks any data which is passed on as a parameter
> | to ssh-keygen. This could lean in undesirable situations such as
> | passphrases credentials passed as a parameter for the ssh-keygen
> | executable. Showing those credentials in clear text form for every
> | user which have access just to the process list.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
From the upstream changelog for 2.7.1+dfsg-1 (already in unstable):
changelogs/CHANGELOG-v2.7.rst
- user module - do not pass ssh_key_passphrase on cmdline (CVE-2018-16837)
This wasn't mentioned in the debian changelog, however.
Closing.
Ivo
Information forwarded
to debian-bugs-dist@lists.debian.org, Harlan Lieberman-Berg <hlieberman@debian.org>
:
Bug#912297
; Package ansible
.
(Tue, 30 Oct 2018 04:39:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Chris Lamb <lamby@debian.org>
:
Extra info received and forwarded to list. Copy sent to Harlan Lieberman-Berg <hlieberman@debian.org>
.
(Tue, 30 Oct 2018 04:39:02 GMT) (full text, mbox, link).
Message #15 received at 912297@bugs.debian.org (full text, mbox, reply):
Hi Ivo,
> From the upstream changelog for 2.7.1+dfsg-1 (already in unstable):
[..]
> - user module - do not pass ssh_key_passphrase on cmdline
> (CVE-2018-16837)
Thanks for providing this and no problem that this wasn't in the
changelog.
Security team: This still affects stretch and jessie as I unless
I'm missing something - would you like me to prepare an upload for
stable? I'm happy to take the LTS side of things.
(If so Ivo, can I push these to some VCS? I note it is in collab-
maint but I thought I might check...)
Best wishes,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
Information forwarded
to debian-bugs-dist@lists.debian.org, Harlan Lieberman-Berg <hlieberman@debian.org>
:
Bug#912297
; Package ansible
.
(Tue, 30 Oct 2018 09:36:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Ivo De Decker <ivodd@debian.org>
:
Extra info received and forwarded to list. Copy sent to Harlan Lieberman-Berg <hlieberman@debian.org>
.
(Tue, 30 Oct 2018 09:36:04 GMT) (full text, mbox, link).
Message #22 received at 912297@bugs.debian.org (full text, mbox, reply):
Hi Chris,
On 10/30/2018 05:35 AM, Chris Lamb wrote:
>> From the upstream changelog for 2.7.1+dfsg-1 (already in unstable):
> [..]
>> - user module - do not pass ssh_key_passphrase on cmdline
>> (CVE-2018-16837)
>
> Thanks for providing this and no problem that this wasn't in the
> changelog.
>
> Security team: This still affects stretch and jessie as I unless
> I'm missing something - would you like me to prepare an upload for
> stable? I'm happy to take the LTS side of things.
>
> (If so Ivo, can I push these to some VCS? I note it is in collab-
> maint but I thought I might check...)
Just to be clear: I'm not involved in packaging ansible. I just noticed
the bug and saw it was fixed upstream, so I closed the bug to make that
clear.
Cheers,
Ivo
Information forwarded
to debian-bugs-dist@lists.debian.org, Harlan Lieberman-Berg <hlieberman@debian.org>
:
Bug#912297
; Package ansible
.
(Sun, 04 Nov 2018 11:21:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Chris Lamb <lamby@debian.org>
:
Extra info received and forwarded to list. Copy sent to Harlan Lieberman-Berg <hlieberman@debian.org>
.
(Sun, 04 Nov 2018 11:21:03 GMT) (full text, mbox, link).
Message #27 received at 912297@bugs.debian.org (full text, mbox, reply):
Chris Lamb wrote:
> Security team: This still affects stretch and jessie [unless]
> I'm missing something - would you like me to prepare an upload for
> stable? I'm happy to take the LTS side of things.
Gentle ping on this?
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
Information forwarded
to debian-bugs-dist@lists.debian.org, Harlan Lieberman-Berg <hlieberman@debian.org>
:
Bug#912297
; Package ansible
.
(Wed, 07 Nov 2018 21:57:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>
:
Extra info received and forwarded to list. Copy sent to Harlan Lieberman-Berg <hlieberman@debian.org>
.
(Wed, 07 Nov 2018 21:57:03 GMT) (full text, mbox, link).
Message #32 received at 912297@bugs.debian.org (full text, mbox, reply):
On Tue, Oct 30, 2018 at 12:35:05AM -0400, Chris Lamb wrote:
> Hi Ivo,
>
> > From the upstream changelog for 2.7.1+dfsg-1 (already in unstable):
> [..]
> > - user module - do not pass ssh_key_passphrase on cmdline
> > (CVE-2018-16837)
>
> Thanks for providing this and no problem that this wasn't in the
> changelog.
>
> Security team: This still affects stretch and jessie as I unless
> I'm missing something - would you like me to prepare an upload for
> stable? I'm happy to take the LTS side of things.
We can fix that one in a DSA, but should also fix CVE-2018-10875
and CVE-2018-10874, then.
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, Harlan Lieberman-Berg <hlieberman@debian.org>
:
Bug#912297
; Package ansible
.
(Wed, 07 Nov 2018 22:24:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Chris Lamb <lamby@debian.org>
:
Extra info received and forwarded to list. Copy sent to Harlan Lieberman-Berg <hlieberman@debian.org>
.
(Wed, 07 Nov 2018 22:24:04 GMT) (full text, mbox, link).
Message #37 received at 912297@bugs.debian.org (full text, mbox, reply):
Hi Moritz,
> > > From the upstream changelog for 2.7.1+dfsg-1 (already in unstable):
> > [..]
> > > - user module - do not pass ssh_key_passphrase on cmdline
> > > (CVE-2018-16837)
[…]
> We can fix that one in a DSA, but should also fix CVE-2018-10875
> and CVE-2018-10874, then.
Cool. I will therefore leave this with the stable security team for
now but will handle CVE-2018-16837 in jessie LTS.
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
Information forwarded
to debian-bugs-dist@lists.debian.org, Harlan Lieberman-Berg <hlieberman@debian.org>
:
Bug#912297
; Package ansible
.
(Thu, 08 Nov 2018 11:00:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Lee Garrett <debian@rocketjump.eu>
:
Extra info received and forwarded to list. Copy sent to Harlan Lieberman-Berg <hlieberman@debian.org>
.
(Thu, 08 Nov 2018 11:00:05 GMT) (full text, mbox, link).
Message #42 received at 912297@bugs.debian.org (full text, mbox, reply):
Hi,
sorry for the late response. CVE-2018-16837 should be fairly straight-forward
to fix in stretch and jessie.
For CVE-2018-10875 I have a patch in my work dir that should fix it. I'll push
it to the git stretch branch tomorrow (not on my work machine right now).
For CVE-2018-10874, it's not clear if it affects stable. The inventory module
was completely rewritten in (IIRC) ansible 2.5, so it won't be a
straight-forward patch.
Regards,
Lee
On 07/11/2018 22:55, Moritz Mühlenhoff wrote:
> On Tue, Oct 30, 2018 at 12:35:05AM -0400, Chris Lamb wrote:
>> Hi Ivo,
>>
>>> From the upstream changelog for 2.7.1+dfsg-1 (already in unstable):
>> [..]
>>> - user module - do not pass ssh_key_passphrase on cmdline
>>> (CVE-2018-16837)
>>
>> Thanks for providing this and no problem that this wasn't in the
>> changelog.
>>
>> Security team: This still affects stretch and jessie as I unless
>> I'm missing something - would you like me to prepare an upload for
>> stable? I'm happy to take the LTS side of things.
>
> We can fix that one in a DSA, but should also fix CVE-2018-10875
> and CVE-2018-10874, then.
>
> Cheers,
> Moritz
>
Information forwarded
to debian-bugs-dist@lists.debian.org, Harlan Lieberman-Berg <hlieberman@debian.org>
:
Bug#912297
; Package ansible
.
(Thu, 08 Nov 2018 18:39:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>
:
Extra info received and forwarded to list. Copy sent to Harlan Lieberman-Berg <hlieberman@debian.org>
.
(Thu, 08 Nov 2018 18:39:03 GMT) (full text, mbox, link).
Message #47 received at 912297@bugs.debian.org (full text, mbox, reply):
On Thu, Nov 08, 2018 at 11:51:49AM +0100, Lee Garrett wrote:
> Hi,
>
> sorry for the late response. CVE-2018-16837 should be fairly straight-forward
> to fix in stretch and jessie.
>
> For CVE-2018-10875 I have a patch in my work dir that should fix it. I'll push
> it to the git stretch branch tomorrow (not on my work machine right now).
Thanks, can you ping us when ready?
> For CVE-2018-10874, it's not clear if it affects stable. The inventory module
> was completely rewritten in (IIRC) ansible 2.5, so it won't be a
> straight-forward patch.
I looked into this and 2.2.x in fact doesn't seem to be affected (as opposed to
2.4 onwards). I'll update the security tracker.
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, Harlan Lieberman-Berg <hlieberman@debian.org>
:
Bug#912297
; Package ansible
.
(Sat, 10 Nov 2018 23:18:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Lee Garrett <debian@rocketjump.eu>, 912297@bugs.debian.org
:
Extra info received and forwarded to list. Copy sent to Harlan Lieberman-Berg <hlieberman@debian.org>
.
(Sat, 10 Nov 2018 23:18:06 GMT) (full text, mbox, link).
Message #52 received at 912297@bugs.debian.org (full text, mbox, reply):
Quick follow-up: I don't have a patch for CVE-2018-10875. However, the patch
in question I have is for CVE-2018-10855, which is already checked in on the
stretch branch of the packaging repo.
For some reason the security tracker has this CVE marked as "not affected",
although I could reproduce the issue on stretch.
On 08/11/2018 11:51, Lee Garrett wrote:
> Hi,
>
> sorry for the late response. CVE-2018-16837 should be fairly straight-forward
> to fix in stretch and jessie.
>
> For CVE-2018-10875 I have a patch in my work dir that should fix it. I'll push
> it to the git stretch branch tomorrow (not on my work machine right now).
>
> For CVE-2018-10874, it's not clear if it affects stable. The inventory module
> was completely rewritten in (IIRC) ansible 2.5, so it won't be a
> straight-forward patch.
>
> Regards,
> Lee
>
> On 07/11/2018 22:55, Moritz Mühlenhoff wrote:
>> On Tue, Oct 30, 2018 at 12:35:05AM -0400, Chris Lamb wrote:
>>> Hi Ivo,
>>>
>>>> From the upstream changelog for 2.7.1+dfsg-1 (already in unstable):
>>> [..]
>>>> - user module - do not pass ssh_key_passphrase on cmdline
>>>> (CVE-2018-16837)
>>>
>>> Thanks for providing this and no problem that this wasn't in the
>>> changelog.
>>>
>>> Security team: This still affects stretch and jessie as I unless
>>> I'm missing something - would you like me to prepare an upload for
>>> stable? I'm happy to take the LTS side of things.
>>
>> We can fix that one in a DSA, but should also fix CVE-2018-10875
>> and CVE-2018-10874, then.
>>
>> Cheers,
>> Moritz
>>
>
Information forwarded
to debian-bugs-dist@lists.debian.org, Harlan Lieberman-Berg <hlieberman@debian.org>
:
Bug#912297
; Package ansible
.
(Sun, 11 Nov 2018 11:27:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>
:
Extra info received and forwarded to list. Copy sent to Harlan Lieberman-Berg <hlieberman@debian.org>
.
(Sun, 11 Nov 2018 11:27:03 GMT) (full text, mbox, link).
Message #57 received at 912297@bugs.debian.org (full text, mbox, reply):
On Sun, Nov 11, 2018 at 12:15:52AM +0100, Lee Garrett wrote:
> Quick follow-up: I don't have a patch for CVE-2018-10875. However, the patch
> in question I have is for CVE-2018-10855, which is already checked in on the
> stretch branch of the packaging repo.
>
> For some reason the security tracker has this CVE marked as "not affected",
> although I could reproduce the issue on stretch.
Thanks, I've updated the Security Tracker, it should soon show up as affected again.
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, Harlan Lieberman-Berg <hlieberman@debian.org>
:
Bug#912297
; Package ansible
.
(Mon, 12 Nov 2018 11:48:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Chris Lamb <lamby@debian.org>
:
Extra info received and forwarded to list. Copy sent to Harlan Lieberman-Berg <hlieberman@debian.org>
.
(Mon, 12 Nov 2018 11:48:05 GMT) (full text, mbox, link).
Message #62 received at 912297@bugs.debian.org (full text, mbox, reply):
Hi all,
> >>>> - user module - do not pass ssh_key_passphrase on cmdline
> >>>> (CVE-2018-16837)
Just a heads-up that I've fixed CVE-2018-16837 (#912297) in jessie,
pushed this to the "jessie" branch on Salsa and tagged it as
"debian/1.7.2+dfsg-2+deb8u1".
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
Marked as fixed in versions ansible/2.2.1.0-2+deb9u1.
Request was from Ivo De Decker <ivodd@debian.org>
to control@bugs.debian.org
.
(Fri, 14 Jun 2019 19:06:02 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 16:12:01 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.