Bug 1760829 (CVE-2019-14856) - CVE-2019-14856 ansible: Incomplete fix for CVE-2019-10206
Summary: CVE-2019-14856 ansible: Incomplete fix for CVE-2019-10206
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-14856
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1763738 1775632 1775633 1775635 1779889 1760839 1760840 1760841 1760842 1775634 1779890
Blocks: 1760830
Reported: 2019-10-11 12:33 UTC by Pedro Sampaio
Modified: 2019-12-06 00:17 UTC (History)

Fixed In Version: ansible-engine 2.8.6, ansible-engine 2.7.14, ansible-engine 2.6.20
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-10-25 00:51:24 UTC


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:3864 None None None 2019-11-13 04:59:45 UTC
Red Hat Product Errata RHBA-2019:3947 None None None 2019-11-25 08:55:11 UTC
Red Hat Product Errata RHSA-2019:3201 None None None 2019-10-24 13:01:29 UTC
Red Hat Product Errata RHSA-2019:3202 None None None 2019-10-24 13:01:12 UTC
Red Hat Product Errata RHSA-2019:3203 None None None 2019-10-24 13:06:51 UTC
Red Hat Product Errata RHSA-2019:3207 None None None 2019-10-24 14:27:30 UTC

Description Pedro Sampaio 2019-10-11 12:33:55 UTC
The fix made in Ansible for CVE-2019-10206 was not sufficient to resolve the problem.

Comment 2 Salvatore Bonaccorso 2019-10-12 07:08:32 UTC
For reference this is https://github.com/ansible/ansible/pull/63351 upstream.

Comment 3 Toshio Kuratomi 2019-10-14 15:54:22 UTC
Also note, the backports will be smaller.  The fix in devel makes two changes which are independently sufficient to fix the problem.  The backport will only include one of them.

Comment 4 Hardik Vyas 2019-10-21 13:38:17 UTC
Vulnerable code from CVE-2019-10206 was included in the version of Ansible shipped with Ceph and Gluster.

Gluster uses the Ansible package from the Ansible repository and hence it will consume fixes from core Ansible. For Ceph-3 we still maintain Ansible at least for Ubuntu; Ceph-2 is about to reach end of life in December 2019.

Comment 6 errata-xmlrpc 2019-10-24 13:01:10 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.7 for RHEL 7

Via RHSA-2019:3202 https://access.redhat.com/errata/RHSA-2019:3202

Comment 7 errata-xmlrpc 2019-10-24 13:01:27 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.6 for RHEL 7

Via RHSA-2019:3201 https://access.redhat.com/errata/RHSA-2019:3201

Comment 8 errata-xmlrpc 2019-10-24 13:06:49 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.8 for RHEL 7
  Red Hat Ansible Engine 2.8 for RHEL 8

Via RHSA-2019:3203 https://access.redhat.com/errata/RHSA-2019:3203

Comment 9 errata-xmlrpc 2019-10-24 14:27:28 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7
  Red Hat Ansible Engine 2 for RHEL 8

Via RHSA-2019:3207 https://access.redhat.com/errata/RHSA-2019:3207

Comment 10 Product Security DevOps Team 2019-10-25 00:51:24 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14856

Comment 12 Borja Tarraso 2019-11-22 13:04:17 UTC
Created ansible tracking bugs for this issue:

Affects: epel-6 [bug 1775632]
Affects: epel-7 [bug 1775633]
Affects: fedora-all [bug 1775634]
Affects: openstack-rdo [bug 1775635]

Comment 14 Nick Tait 2019-12-06 00:17:42 UTC
RHOSP fixes will be consumed from platforms.
