Ansible before 1.5.5 sets 0644 permissions for sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by reading a file that uses the "deb http://user:pass@server:port/" format. References: https://github.com/ansible/ansible/blob/release1.5.5/CHANGELOG.md https://www.securityfocus.com/bid/68234
Created ansible tracking bugs for this issue: Affects: epel-all [bug 1831256] Affects: fedora-all [bug 1831255]
Red Hat CloudForms 5.10 (4.7) and 5.11 (5.0) do not ship `ansible` package, it is provided by the official Ansible repository.
This is a bug for Ansible 1.5.4 and previous versions, really old, and fixed on 1.5.5 and after long time ago, when it was Ansible Core. Currently we support 2.9.x, 2.8.x, and 2.7.x. and from 2.4 it is called Ansible Engine. So Ansible in all supported current versions is not affected.
Red Hat Ceph Storage and Red Hat Gluster Storage shipped ansible versions 2.4.1 and 2.3.2 respectively, which are not affected by this vulnerability.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2014-4659