The "User" module leaks any data which is passed on as a parameter to ssh-keygen. This could lead to undesirable situations, such as passphrase credentials passed as a parameter for the ssh-keygen executable, showing those credentials in clear text form to every user who has access just to the process list.
Acknowledgments: Name: Markus Teufelberger (mgIT Consulting)
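An audit sketch for the exposure described above, added here as an example (it is not Ansible's code and not the upstream fix): it parses process command lines in the NUL-separated form Linux exposes in `/proc/<pid>/cmdline`, flags `ssh-keygen` invocations that carry a non-empty `-N` or `-P` passphrase argument, and masks the value in the report. The function names and the sample process table are constructed for illustration.

```python
import os

PASSPHRASE_FLAGS = {"-N", "-P"}  # ssh-keygen: new / old passphrase options

def parse_cmdline(raw):
    """Split a /proc/<pid>/cmdline blob (NUL-separated argv), keeping empty args."""
    if not raw:
        return []
    if raw.endswith(b"\x00"):
        raw = raw[:-1]  # drop only the final terminator
    return [a.decode("utf-8", "replace") for a in raw.split(b"\x00")]

def redact_if_exposed(argv):
    """Return argv with passphrases masked if ssh-keygen got a non-empty one, else None."""
    if not argv or os.path.basename(argv[0]) != "ssh-keygen":
        return None
    out, hit, i = [], False, 0
    while i < len(argv):
        arg = argv[i]
        if arg in PASSPHRASE_FLAGS and i + 1 < len(argv):  # "-N value" form
            value = argv[i + 1]
            out += [arg, "<redacted>" if value else ""]
            hit = hit or bool(value)
            i += 2
            continue
        if arg[:2] in PASSPHRASE_FLAGS and len(arg) > 2:  # "-Nvalue" form
            out.append(arg[:2] + "<redacted>")
            hit = True
        else:
            out.append(arg)
        i += 1
    return out if hit else None

def scan(cmdlines):
    """Map pid -> redacted argv for every exposed ssh-keygen invocation."""
    found = {}
    for pid, raw in cmdlines.items():
        redacted = redact_if_exposed(parse_cmdline(raw))
        if redacted:
            found[pid] = redacted
    return found

def _blob(*argv):  # builds constructed sample data in /proc cmdline layout
    return b"\x00".join(a.encode() for a in argv) + b"\x00"

# Constructed sample process table (not captured from a real host).
SAMPLE = {
    4101: _blob("/usr/bin/ssh-keygen", "-q", "-t", "rsa", "-C", "constructed",
                "-N", "example-passphrase", "-f", "/home/u/.ssh/id_rsa"),
    4102: _blob("ssh-keygen", "-t", "ed25519", "-N", "", "-f", "k"),  # empty: nothing leaks
    4103: _blob("ssh-keygen", "-p", "-Poldpass", "-f", "k"),
    4104: _blob("sshd", "-D"),
}
```

On a live host, the same `scan()` can be fed a dict built by reading each `/proc/<pid>/cmdline` file in binary mode.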
Is there any more information on e.g. upstream fix for this issue? Upstream issue reference?
In reply to comment 4:
> Is there any more information on e.g. upstream fix for this issue? Upstream
> issue reference?

Here it is: https://github.com/ansible/ansible/pull/47436
External References: https://github.com/ansible/ansible/pull/47436
Hi Borja, Are there any blockers to getting https://github.com/ansible/ansible/pull/47487 merged in? I have a customer interested to know when they can expect the fixes for 2.5, 2.6, and 2.7 to be released via errata.
In reply to comment 7:
> Hi Borja,
>
> Are there any blockers to getting
> https://github.com/ansible/ansible/pull/47487 merged in? I have a customer
> interested to know when they can expect the fixes for 2.5, 2.6, and 2.7 to
> be released via errata.

We expect to have the fix for all versions by today, depending on how stable the tests are, if I am not wrong. For 2.7 it has already been fixed. Errata should be there soon.
This issue has been addressed in the following products: Red Hat Ansible Engine 2.6 for RHEL 7 Via RHSA-2018:3460 https://access.redhat.com/errata/RHSA-2018:3460
This issue has been addressed in the following products: Red Hat Ansible Engine 2.7 for RHEL 7 Via RHSA-2018:3463 https://access.redhat.com/errata/RHSA-2018:3463
This issue has been addressed in the following products: Red Hat Ansible Engine 2.5 for RHEL 7 Via RHSA-2018:3461 https://access.redhat.com/errata/RHSA-2018:3461
This issue has been addressed in the following products: Red Hat Ansible Engine 2 for RHEL 7 Via RHSA-2018:3462 https://access.redhat.com/errata/RHSA-2018:3462
Closing the flaw; affects are resolved and trackers also are closed.
OpenStack 13 and 14 release ansible-2.6.11-1.el7ae which included the fixes for this. OpenStack 10 offers 2.4 which is vulnerable.
Statement: This issue affects the version of ansible as shipped with Red Hat Ceph Storage 3, as it contains the vulnerable code which leaks the data when ssh-keygen is invoked with any arguments.
Gluster uses the Ansible package from the Ansible repository and hence it will consume fixes from core Ansible. For Ceph-3 we still maintain Ansible, at least for Ubuntu; Ceph-2 has reached end of life and is hence out of support scope.