[Git][security-tracker-team/security-tracker][master] Move ansible to no-dsa state for buster

Salvatore Bonaccorso carnil at debian.org
Wed Feb 3 07:11:02 GMT 2021



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f453e087 by Salvatore Bonaccorso at 2021-02-03T08:08:29+01:00
Move ansible to no-dsa state for buster

With Lee Garrett (maintainer) comment, all the CVEs are fairly
low-impact, might bring some risk to backport and in general are fine
to be wrapped up in a point release when time permits and the fixes can
be thoroughly tested.

Link: https://lists.debian.org/debian-lts/2021/02/msg00005.html

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -15400,6 +15400,7 @@ CVE-2021-20192
 CVE-2021-20191
 	RESERVED
 	- ansible <unfixed>
+	[buster] - ansible <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1916813
 	NOTE: https://github.com/ansible-collections/cisco.nxos/pull/227
 CVE-2021-20190 (A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishan ...)
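Review bot: the justification for the buster `<no-dsa>` tag (the maintainer's low-impact assessment and the backport-risk concern) lives only in the commit message; consider adding `NOTE: https://lists.debian.org/debian-lts/2021/02/msg00005.html` under this entry, and likewise in the other hunks, so the reasoning is visible from the tracker data itself rather than only from git history.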
@@ -15434,6 +15435,7 @@ CVE-2021-20181 [9pfs: Fully restart unreclaim loop]
 CVE-2021-20180
 	RESERVED
 	- ansible <unfixed>
+	[buster] - ansible <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1915808
 	NOTE: https://github.com/ansible-collections/community.general/pull/1635
 CVE-2021-20179
@@ -15441,6 +15443,7 @@ CVE-2021-20179
 CVE-2021-20178 [user data leak in snmp_facts module]
 	RESERVED
 	- ansible <unfixed>
+	[buster] - ansible <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1914774
 	NOTE: https://github.com/ansible-collections/community.general/pull/1621
 CVE-2021-20177
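Review bot: the fix references for this entry and for CVE-2021-20191 and CVE-2021-20180 above point at the split-out collection repositories (community.general, cisco.nxos) while the package is still `<unfixed>` in unstable; for the 2.9-based ansible package the corresponding change in the monolithic tree still has to be identified before the point-release update mentioned in the commit message can be prepared, so a NOTE recording that would help whoever picks it up.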
@@ -56021,6 +56024,7 @@ CVE-2020-14366 (A vulnerability was found in keycloak, where path traversal usin
 	NOT-FOR-US: Keycloak
 CVE-2020-14365 (A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before ...)
 	- ansible 2.9.13+dfsg-1
+	[buster] - ansible <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1869154
 	NOTE: https://github.com/ansible/ansible/commit/1d043e082b3b1f3ad35c803137f5d3bcbae92275 (v2.9.13)
 CVE-2020-14364 (An out-of-bounds read/write access flaw was found in the USB emulator  ...)
@@ -56181,6 +56185,7 @@ CVE-2020-14333 (A flaw was found in Ovirt Engine's web interface in ovirt 4.4 an
 	NOT-FOR-US: ovirt-engine
 CVE-2020-14332 (A flaw was found in the Ansible Engine when using module_args. Tasks e ...)
 	- ansible 2.9.13+dfsg-1 (bug #966672)
+	[buster] - ansible <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1857805
 	NOTE: https://github.com/ansible/ansible/pull/71033
 	NOTE: https://github.com/ansible/ansible/commit/6cae9a4b168df776bf82deb04b2c62e00c38b49a (v2.9.12)
@@ -56192,6 +56197,7 @@ CVE-2020-14331 (A flaw was found in the Linux kernel’s implementation of t
 	NOTE: Only exploitable when CONFIG_VGACON_SOFT_SCROLLBACK is set
 CVE-2020-14330 (An Improper Output Neutralization for Logs flaw was found in Ansible w ...)
 	- ansible 2.9.13+dfsg-1
+	[buster] - ansible <no-dsa> (Minor issue)
 	NOTE: https://github.com/ansible/ansible/issues/68400
 	NOTE: Initial fix: https://github.com/ansible/ansible/pull/69653
 	NOTE: Complete fix (reverting first and adding more elaborated fix):
@@ -67216,6 +67222,7 @@ CVE-2020-10730 (A NULL pointer dereference, or possible use-after-free flaw was
 CVE-2020-10729 [two random password lookups in same task return same value]
 	RESERVED
 	- ansible 2.9.6+dfsg-1
+	[buster] - ansible <no-dsa> (Minor issue)
 	[jessie] - ansible <not-affected> (Vulnerable code introduced later, no variables template caching)
 	NOTE: https://github.com/ansible/ansible/issues/34144
 	NOTE: https://github.com/ansible/ansible/pull/67429/
@@ -67403,6 +67410,7 @@ CVE-2020-10686 (A flaw was found in Keycloak version 8.0.2 and 9.0.0, and was fi
 	NOT-FOR-US: Keycloak
 CVE-2020-10685 (A flaw was found in Ansible Engine affecting Ansible Engine versions 2 ...)
 	- ansible 2.9.7+dfsg-1
+	[buster] - ansible <no-dsa> (Minor issue)
 	[jessie] - ansible <not-affected> (Vulnerable code introduced later, all decryption in-memory, no transparent file decryption)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1814627
 	NOTE: https://github.com/ansible/ansible/pull/68433
@@ -67410,6 +67418,7 @@ CVE-2020-10685 (A flaw was found in Ansible Engine affecting Ansible Engine vers
 	NOTE: Introduced in https://github.com/ansible/ansible/commit/cdf6e3e4bf44fdab62c2e4ccd3f5fd67ea554548 (2.1)
 CVE-2020-10684 (A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9. ...)
 	- ansible 2.9.7+dfsg-1
+	[buster] - ansible <no-dsa> (Minor issue)
 	[stretch] - ansible <not-affected> (Vulnerable code introduced later, 'ansible_facts' variable not exposed)
 	[jessie] - ansible <not-affected> (Vulnerable code introduced later, 'ansible_facts' variable not exposed)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1815519
@@ -91193,6 +91202,7 @@ CVE-2020-1754
 	RESERVED
 CVE-2020-1753 (A security flaw was found in Ansible Engine, all Ansible 2.7.x version ...)
 	- ansible 2.9.16+dfsg-1
+	[buster] - ansible <no-dsa> (Minor issue)
 	[stretch] - ansible <not-affected> (Vulnerable code introduced later)
 	[jessie] - ansible <not-affected> (Vulnerable code introduced later)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1811008
@@ -91236,6 +91246,7 @@ CVE-2020-1747 (A vulnerability was discovered in the PyYAML library in versions
 	NOTE: https://github.com/yaml/pyyaml/pull/386
 CVE-2020-1746 (A flaw was found in the Ansible Engine affecting Ansible Engine versio ...)
 	- ansible 2.9.7+dfsg-1
+	[buster] - ansible <no-dsa> (Minor issue)
 	[stretch] - ansible <not-affected> (Vulnerable code introduced later)
 	[jessie] - ansible <not-affected> (Vulnerable code introduced later)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1805491
@@ -91259,12 +91270,14 @@ CVE-2020-1741 (A flaw was found in openshift-ansible. OpenShift Container Platfo
 CVE-2020-1740 (A flaw was found in Ansible Engine when using Ansible Vault for editin ...)
 	{DLA-2202-1}
 	- ansible 2.9.7+dfsg-1
+	[buster] - ansible <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1802193
 	NOTE: https://github.com/ansible/ansible/issues/67798
 	NOTE: https://github.com/ansible/ansible/pull/68644
 CVE-2020-1739 (A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9 ...)
 	{DLA-2202-1}
 	- ansible 2.9.7+dfsg-1
+	[buster] - ansible <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1802178
 	NOTE: https://github.com/ansible/ansible/issues/67797
 	NOTE: https://github.com/ansible/ansible/pull/67829
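Review bot: CVE-2020-1740 and CVE-2020-1739 both carry `{DLA-2202-1}`, i.e. stretch LTS shipped a fix, while buster now gets `<no-dsa> (Minor issue)`; the free-text reason could be made more specific (for example that the fix is planned for a point release), since `Minor issue` alone reads as inconsistent with the LTS team having issued a DLA for the same CVEs. The same applies to the CVE-2020-1733 hunk below.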
@@ -91291,6 +91304,7 @@ CVE-2020-1736 (A flaw was found in Ansible Engine when a file is moved using ato
 	NOTE: that accept it, cf. https://github.com/ansible/ansible/commit/7eec8e4d268d6711f317583974e9e936083de636
 CVE-2020-1735 (A flaw was found in the Ansible Engine when the fetch module is used.  ...)
 	- ansible 2.9.7+dfsg-1
+	[buster] - ansible <no-dsa> (Minor issue)
 	[jessie] - ansible <not-affected> (No remote expansion in fetch module)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1802085
 	NOTE: https://github.com/ansible/ansible/issues/67793
@@ -91309,6 +91323,7 @@ CVE-2020-1734 (A flaw was found in the pipe lookup plugin of ansible. Arbitrary
 CVE-2020-1733 (A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2. ...)
 	{DLA-2202-1}
 	- ansible 2.9.7+dfsg-1
+	[buster] - ansible <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1801735
 	NOTE: https://github.com/ansible/ansible/issues/67791
 	NOTE: https://github.com/ansible/ansible/pull/68921


=====================================
data/dsa-needed.txt
=====================================
@@ -11,8 +11,6 @@ To pick an issue, simply add your uid behind it.
 
 If needed, specify the release by adding a slash after the name of the source package.
 
---
-ansible
 --
 chromium
 --
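Review bot: dropping ansible from dsa-needed.txt is consistent with every open buster entry now being `<no-dsa>`, but the intended follow-up (a buster point-release update, per the commit message) is then no longer tracked anywhere in this repository; consider recording that plan, for example in the free-text reason of the `<no-dsa>` tags or by filing the point-update request, so the work does not get lost.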



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f453e0871a27c9eca9af05a5c7cc0d36be3a2518
