3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:N/A:N
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
6.3 Medium
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
60.9%
This update for ansible fixes the following issues :
Ansible was updated to version 2.8.1 :
Full changelog is at /usr/share/doc/packages/ansible/changelogs/
Bugfixes
ACI - DO not encode query_string
ACI modules - Fix non-signature authentication
Add missing directory provided via --playbook-dir
to adjacent collection loading
Fix ‘Interface not found’ errors when using eos_l2_interface with non-existent interfaces configured
Fix cannot get credential when source_auth
set to credential_file
.
Fix netconf_config backup string issue
Fix privilege escalation support for the docker connection plugin when credentials need to be supplied (e.g. sudo with password).
Fix vyos cli prompt inspection
Fixed loading namespaced documentation fragments from collections.
Fixing bug came up after running cnos_vrf module against coverity.
Properly handle data importer failures on PVC creation, instead of timing out.
To fix the ios static route TC failure in CI
To fix the nios member module params
To fix the nios_zone module idempotency failure
add terminal initial prompt for initial connection
allow include_role to work with ansible command
allow python_requirements_facts to report on dependencies containing dashes
asa_config fix
azure_rm_roledefinition - fix a small error in build scope.
azure_rm_virtualnetworkpeering - fix cross subscriptions virtual network peering.
cgroup_perf_recap - When not using file_per_task, make sure we don’t prematurely close the perf files
display underlying error when reporting an invalid tasks:
block.
dnf - fix wildcard matching for state: absent
docker connection plugin - accept version dev
as ‘newest version’ and print warning.
docker_container - oom_killer
and oom_score_adj
options are available since docker-py 1.8.0, not 2.0.0 as assumed by the version check.
docker_container - fix network creation when networks_cli_compatible
is enabled.
docker_container - use docker API’s restart
instead of stop
/start
to restart a container.
docker_image - if build
was not specified, the wrong default for build.rm
is used.
docker_image - if nocache
set to yes
but not build.nocache
, the module failed.
docker_image - module failed when source: build
was set but build.path
options not specified.
docker_network module - fix idempotency when using aux_addresses
in ipam_config
.
ec2_instance - make Name tag idempotent
eos: don’t fail modules without become set, instead show message and continue
eos_config: check for session support when asked to ‘diff_against: session’
eos_eapi: fix idempotency issues when vrf was unspecified.
fix bugs for ce - more info see
fix incorrect uses of to_native that should be to_text instead.
hcloud_volume - Fix idempotency when attaching a server to a volume.
ibm_storage - Added a check for null fields in ibm_storage utils module.
include_tasks - whitelist listen
as a valid keyword
k8s - resource updates applied with force work correctly now
keep results subset also when not no_log.
meraki_switchport - improve reliability with native VLAN functionality.
netapp_e_iscsi_target - fix netapp_e_iscsi_target chap secret size and clearing functionality
netapp_e_volumes - fix workload profileId indexing when no previous workload tags exist on the storage array.
nxos_acl some platforms/versions raise when no ACLs are present
nxos_facts fix <https://github.com/ansible/ansible/pull/57009>
nxos_file_copy fix passwordless workflow
nxos_interface Fix admin_state check for n6k
nxos_snmp_traps fix group all for N35 platforms
nxos_snmp_user fix platform fixes for get_snmp_user
nxos_vlan mode idempotence bug
nxos_vlan vlan names containing regex ctl chars should be escaped
nxos_vtp_* modules fix n6k issues
openssl_certificate - fix private key passphrase handling for cryptography
backend.
openssl_pkcs12 - fixes crash when private key has a passphrase and the module is run a second time.
os_stack - Apply tags conditionally so that the module does not throw up an error when using an older distro of openstacksdk
pass correct loading context to persistent connections other than local
pkg_mgr - Ansible 2.8.0 failing to install yum packages on Amazon Linux
postgresql - added initial SSL related tests
postgresql - added missing_required_libs, removed excess param mapping
postgresql - move connect_to_db and get_pg_version into module_utils/postgres.py (https://github.com/ansible/ansible/pull/55514)
postgresql_db - add note to the documentation about state dump and the incorrect rc (https://github.com/ansible/ansible/pull/57297)
postgresql_db - fix for postgresql_db fails if stderr contains output
postgresql_ping - fixed a typo in the module documentation
preserve actual ssh error when we cannot connect.
route53_facts - the module did not advertise check mode support, causing it not to be run in check mode.
sysctl: the module now also checks the output of STDERR to report if values are correctly set (https://github.com/ansible/ansible/pull/55695)
ufw - correctly check status when logging is off
uri - always return a value for status even during failure
urls - Handle redirects properly for IPv6 address by not splitting on :
and rely on already parsed hostname and port values
vmware_vm_facts - fix the support with regular ESXi
vyos_interface fix <https://github.com/ansible/ansible/pull/57169>
we don’t really need to template vars on definition as we do this on demand in templating.
win_acl - Fix qualifier parser when using UNC paths -
win_hostname - Fix non netbios compliant name handling
winrm - Fix issue when attempting to parse CLIXML on send input failure
xenserver_guest - fixed an issue where VM whould be powered off even though check mode is used if reconfiguration requires VM to be powered off.
xenserver_guest - proper error message is shown when maximum number of network interfaces is reached and multiple network interfaces are added at once.
yum - Fix false error message about autoremove not being supported
yum - fix failure when using update_cache
standalone
yum - handle special ‘none’ value for proxy in yum.conf and .repo files
Update to version 2.8.0
Major changes :
Experimental support for Ansible Collections and content namespacing - Ansible content can now be packaged in a collection and addressed via namespaces. This allows for easier sharing, distribution, and installation of bundled modules/roles/plugins, and consistent rules for accessing specific content via namespaces.
Python interpreter discovery - The first time a Python module runs on a target, Ansible will attempt to discover the proper default Python interpreter to use for the target platform/version (instead of immediately defaulting to /usr/bin/python). You can override this behavior by setting ansible_python_interpreter or via config. (see https://github.com/ansible/ansible/pull/50163)
become - The deprecated CLI arguments for --sudo,
–sudo-user,
–ask-sudo-pass, -su, --su-user, and --ask-su-pass have been removed, in favor of the more generic --become,
–become-user, --become-method, and
–ask-become-pass.
become - become functionality has been migrated to a plugin architecture, to allow customization of become functionality and 3rd party become methods (https://github.com/ansible/ansible/pull/50991)
addresses CVE-2018-16859, CVE-2018-16876, CVE-2019-3828, CVE-2018-16837
For the full changelog see /usr/share/doc/packages/ansible/changelogs or online:
https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELO G-v2.8.rst
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2019-1635.
#
# The text description of this plugin is (C) SUSE LLC.
#
include('compat.inc');
if (description)
{
script_id(126326);
script_version("1.8");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/14");
script_cve_id(
"CVE-2018-16837",
"CVE-2018-16859",
"CVE-2018-16876",
"CVE-2019-3828"
);
script_name(english:"openSUSE Security Update : ansible (openSUSE-2019-1635)");
script_set_attribute(attribute:"synopsis", value:
"The remote openSUSE host is missing a security update.");
script_set_attribute(attribute:"description", value:
"This update for ansible fixes the following issues :
Ansible was updated to version 2.8.1 :
Full changelog is at /usr/share/doc/packages/ansible/changelogs/
- Bugfixes
- ACI - DO not encode query_string
- ACI modules - Fix non-signature authentication
- Add missing directory provided via ``--playbook-dir`` to
adjacent collection loading
- Fix 'Interface not found' errors when using
eos_l2_interface with non-existent interfaces configured
- Fix cannot get credential when `source_auth` set to
`credential_file`.
- Fix netconf_config backup string issue
- Fix privilege escalation support for the docker
connection plugin when credentials need to be supplied
(e.g. sudo with password).
- Fix vyos cli prompt inspection
- Fixed loading namespaced documentation fragments from
collections.
- Fixing bug came up after running cnos_vrf module against
coverity.
- Properly handle data importer failures on PVC creation,
instead of timing out.
- To fix the ios static route TC failure in CI
- To fix the nios member module params
- To fix the nios_zone module idempotency failure
- add terminal initial prompt for initial connection
- allow include_role to work with ansible command
- allow python_requirements_facts to report on
dependencies containing dashes
- asa_config fix
- azure_rm_roledefinition - fix a small error in build
scope.
- azure_rm_virtualnetworkpeering - fix cross subscriptions
virtual network peering.
- cgroup_perf_recap - When not using file_per_task, make
sure we don't prematurely close the perf files
- display underlying error when reporting an invalid
``tasks:`` block.
- dnf - fix wildcard matching for state: absent
- docker connection plugin - accept version ``dev`` as
'newest version' and print warning.
- docker_container - ``oom_killer`` and ``oom_score_adj``
options are available since docker-py 1.8.0, not 2.0.0
as assumed by the version check.
- docker_container - fix network creation when
``networks_cli_compatible`` is enabled.
- docker_container - use docker API's ``restart`` instead
of ``stop``/``start`` to restart a container.
- docker_image - if ``build`` was not specified, the wrong
default for ``build.rm`` is used.
- docker_image - if ``nocache`` set to ``yes`` but not
``build.nocache``, the module failed.
- docker_image - module failed when ``source: build`` was
set but ``build.path`` options not specified.
- docker_network module - fix idempotency when using
``aux_addresses`` in ``ipam_config``.
- ec2_instance - make Name tag idempotent
- eos: don't fail modules without become set, instead show
message and continue
- eos_config: check for session support when asked to
'diff_against: session'
- eos_eapi: fix idempotency issues when vrf was
unspecified.
- fix bugs for ce - more info see
- fix incorrect uses of to_native that should be to_text
instead.
- hcloud_volume - Fix idempotency when attaching a server
to a volume.
- ibm_storage - Added a check for null fields in
ibm_storage utils module.
- include_tasks - whitelist ``listen`` as a valid keyword
- k8s - resource updates applied with force work correctly
now
- keep results subset also when not no_log.
- meraki_switchport - improve reliability with native VLAN
functionality.
- netapp_e_iscsi_target - fix netapp_e_iscsi_target chap
secret size and clearing functionality
- netapp_e_volumes - fix workload profileId indexing when
no previous workload tags exist on the storage array.
- nxos_acl some platforms/versions raise when no ACLs are
present
- nxos_facts fix
<https://github.com/ansible/ansible/pull/57009>
- nxos_file_copy fix passwordless workflow
- nxos_interface Fix admin_state check for n6k
- nxos_snmp_traps fix group all for N35 platforms
- nxos_snmp_user fix platform fixes for get_snmp_user
- nxos_vlan mode idempotence bug
- nxos_vlan vlan names containing regex ctl chars should
be escaped
- nxos_vtp_* modules fix n6k issues
- openssl_certificate - fix private key passphrase
handling for ``cryptography`` backend.
- openssl_pkcs12 - fixes crash when private key has a
passphrase and the module is run a second time.
- os_stack - Apply tags conditionally so that the module
does not throw up an error when using an older distro of
openstacksdk
- pass correct loading context to persistent connections
other than local
- pkg_mgr - Ansible 2.8.0 failing to install yum packages
on Amazon Linux
- postgresql - added initial SSL related tests
- postgresql - added missing_required_libs, removed excess
param mapping
- postgresql - move connect_to_db and get_pg_version into
module_utils/postgres.py
(https://github.com/ansible/ansible/pull/55514)
- postgresql_db - add note to the documentation about
state dump and the incorrect rc
(https://github.com/ansible/ansible/pull/57297)
- postgresql_db - fix for postgresql_db fails if stderr
contains output
- postgresql_ping - fixed a typo in the module
documentation
- preserve actual ssh error when we cannot connect.
- route53_facts - the module did not advertise check mode
support, causing it not to be run in check mode.
- sysctl: the module now also checks the output of STDERR
to report if values are correctly set
(https://github.com/ansible/ansible/pull/55695)
- ufw - correctly check status when logging is off
- uri - always return a value for status even during
failure
- urls - Handle redirects properly for IPv6 address by not
splitting on ``:`` and rely on already parsed hostname
and port values
- vmware_vm_facts - fix the support with regular ESXi
- vyos_interface fix
<https://github.com/ansible/ansible/pull/57169>
- we don't really need to template vars on definition as
we do this on demand in templating.
- win_acl - Fix qualifier parser when using UNC paths -
- win_hostname - Fix non netbios compliant name handling
- winrm - Fix issue when attempting to parse CLIXML on
send input failure
- xenserver_guest - fixed an issue where VM whould be
powered off even though check mode is used if
reconfiguration requires VM to be powered off.
- xenserver_guest - proper error message is shown when
maximum number of network interfaces is reached and
multiple network interfaces are added at once.
- yum - Fix false error message about autoremove not being
supported
- yum - fix failure when using ``update_cache`` standalone
- yum - handle special '_none_' value for proxy in
yum.conf and .repo files
Update to version 2.8.0
Major changes :
- Experimental support for Ansible Collections and content
namespacing - Ansible content can now be packaged in a
collection and addressed via namespaces. This allows for
easier sharing, distribution, and installation of
bundled modules/roles/plugins, and consistent rules for
accessing specific content via namespaces.
- Python interpreter discovery - The first time a Python
module runs on a target, Ansible will attempt to
discover the proper default Python interpreter to use
for the target platform/version (instead of immediately
defaulting to /usr/bin/python). You can override this
behavior by setting ansible_python_interpreter or via
config. (see
https://github.com/ansible/ansible/pull/50163)
- become - The deprecated CLI arguments for --sudo,
--sudo-user,
--ask-sudo-pass, -su, --su-user, and --ask-su-pass have
been removed, in favor of the more generic --become,
--become-user, --become-method, and
--ask-become-pass.
- become - become functionality has been migrated to a
plugin architecture, to allow customization of become
functionality and 3rd party become methods
(https://github.com/ansible/ansible/pull/50991)
- addresses CVE-2018-16859, CVE-2018-16876, CVE-2019-3828,
CVE-2018-16837
For the full changelog see /usr/share/doc/packages/ansible/changelogs
or online:
https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELO
G-v2.8.rst");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1109957");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1112959");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1118896");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1126503");
# https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?038dc6b5");
script_set_attribute(attribute:"see_also", value:"https://github.com/ansible/ansible/pull/50163");
script_set_attribute(attribute:"see_also", value:"https://github.com/ansible/ansible/pull/50991");
script_set_attribute(attribute:"see_also", value:"https://github.com/ansible/ansible/pull/55514");
script_set_attribute(attribute:"see_also", value:"https://github.com/ansible/ansible/pull/55695");
script_set_attribute(attribute:"see_also", value:"https://github.com/ansible/ansible/pull/57009");
script_set_attribute(attribute:"see_also", value:"https://github.com/ansible/ansible/pull/57169");
script_set_attribute(attribute:"see_also", value:"https://github.com/ansible/ansible/pull/57297");
script_set_attribute(attribute:"solution", value:
"Update the affected ansible package.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-16876");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2018-16837");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2018/10/23");
script_set_attribute(attribute:"patch_publication_date", value:"2019/06/27");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/06/28");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:ansible");
script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.1");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"SuSE Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE15\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.1", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
flag = 0;
if ( rpm_check(release:"SUSE15.1", reference:"ansible-2.8.1-lp151.2.3.1") ) flag++;
if (flag)
{
if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());
else security_note(0);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ansible");
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16837
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16859
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16876
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3828
www.nessus.org/u?038dc6b5
bugzilla.opensuse.org/show_bug.cgi?id=1109957
bugzilla.opensuse.org/show_bug.cgi?id=1112959
bugzilla.opensuse.org/show_bug.cgi?id=1118896
bugzilla.opensuse.org/show_bug.cgi?id=1126503
github.com/ansible/ansible/pull/50163
github.com/ansible/ansible/pull/50991
github.com/ansible/ansible/pull/55514
github.com/ansible/ansible/pull/55695
github.com/ansible/ansible/pull/57009
github.com/ansible/ansible/pull/57169
github.com/ansible/ansible/pull/57297
3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:N/A:N
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
6.3 Medium
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
60.9%