Bug 1243468 (CVE-2015-3908, CVE-2015-6240)

Summary: CVE-2015-6240 CVE-2015-3908 ansible: multiple issues fixed in 1.9.2
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: a.badger, athmanem, kevin, kupo, maxim
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Ansible 1.9.2 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-05-12 07:05:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1243469, 1243470    
Bug Blocks:    

Comment 1 Vasyl Kaigorodov 2015-07-15 13:57:10 UTC
Created ansible tracking bugs for this issue:

Affects: fedora-all [bug 1243469]
Affects: epel-all [bug 1243470]

Comment 2 Vasyl Kaigorodov 2015-07-15 14:06:56 UTC
Additionally it was reported that versions of Ansible prior to 1.9.2 fail to adequately validate HTTPS certificates when using the get_url and uri 
modules, and when using the url and etcd lookup plugins. This allows for man-in-the-middle attacks on those connections.

The fix for this problem has been released as part of Ansible 1.9.2.

The Ansible playbook below is a proof-of-concept that can be used to safely validate the incorrect behaviour:

  - name: a playbook demonstrating MITM in ansible
    connection: local
    - name: this should fail
      get_url: url=https://kennethreitz.org/ dest="/tmp/shouldnotexist.html”

This playbook attempts to download a HTML file from a site presenting a certificate that is valid, but not for the site 
in question. Versions of Ansible from 1.9.2 onward correctly fail to validate the certificate, but earlier versions 
will download the file regardless and the playbook will successfully exit.

This issue was assigned CVE-2015-3908:

Comment 3 Adam Mariš 2015-08-18 12:09:52 UTC
Another CVE assignment:

Comment 4 Toshio Ernie Kuratomi 2015-08-18 16:40:25 UTC
Adam Mariš  - thanks for watching this -- I'm not on oss-seclist but I ocncur with their assessment (There's only one bug.  that bug was present in several ansible connection modules. the fix for each was roughly the same code.  Only the first commit hash is part of the fix for the security issue.  The other commits were only to fix non-security bugs and limitations in the initial fix).

If anyone here would like to let oss-sec know I agree with their assessment I would be grateful.