This flaw refers to the incomplete fix for CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directive. This vulnerability seems not mitigated fully as there race condition from the original flaw could still happen on systems using ACLs and FUSE filesystems. The 'mkdir -p' is insecure by design.
Name: Damien Aumaitre (Quarkslab), Nicolas Surbayrole (Quarkslab)
Currently, there is no mitigation for this issue.
Created ansible tracking bugs for this issue:
Affects: epel-all [bug 1835854]
Affects: fedora-all [bug 1835855]
Affects: openstack-rdo [bug 1835856]
Borja, has tis incomplete fix already been reported upstream?
In reply to comment #9:
> Borja, has tis incomplete fix already been reported upstream?
Hi Salvatore, it was found internally that it was insufficient fix. I expect someone to open an issue in github for upstream soon.
(In reply to msiddiqu from comment #13)
Can you share information what the upstream fix was to complete the fix? Can you share what is the commit in 2.9.10 which adresses the incomplete fix?
for solving the incomplete fix upstream we have this commit: 77d0effcc5b2da1ef23e4ba32986a9759c27c10d
Red Hat Product Security
Ansible Engine 2.7.18, 2.8.12, and 2.9.9 as well as previous versions are affected.
Ansible Tower 3.4.5, 3.5.6 and 3.6.4 as well as previous versions are affected.
Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3 no longer maintain their own versions of Ansible. The fix will be provided from core Ansible. However, we still ship Ansible separately for Ceph Ubuntu.
In Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.
Closing as WONTFIX for older versions per Matt Martz.