Security update for ansible and monasca-installer SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2017:3029-1 Final 1 1 2017-11-17T12:26:42Z current 2017-11-17T12:26:42Z 2017-11-17T12:26:42Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ansible and monasca-installer This update for ansible provides version 2.2.3.0 and fixes the following security issues: - CVE-2017-7481: Data for lookup plugins used as variables was not being marked as 'unsafe' and could lead to unintentional disclosure of information. (bsc#1038785) - CVE-2016-9587: Prevent compromised host to execute commands on the controller (bsc#1019021). - CVE-2017-7466: Prevent arbitrary code execution on control nodes. For more information about the upstream bugs fixed, please see /usr/share/doc/packages/ansible/CHANGELOG.md Additionally, monasca-installer received several compatibility fixes for ansible. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-OpenStack-Cloud-7-2017-1793 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2017/suse-su-20173029-1/ Link for SUSE-SU-2017:3029-1 https://lists.suse.com/pipermail/sle-security-updates/2017-November/003400.html E-Mail link for SUSE-SU-2017:3029-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1019021 SUSE Bug 1019021 https://bugzilla.suse.com/1038785 SUSE Bug 1038785 https://bugzilla.suse.com/1056094 SUSE Bug 1056094 https://www.suse.com/security/cve/CVE-2016-9587/ SUSE CVE CVE-2016-9587 page https://www.suse.com/security/cve/CVE-2017-7466/ SUSE CVE CVE-2017-7466 page https://www.suse.com/security/cve/CVE-2017-7481/ SUSE CVE CVE-2017-7481 page SUSE OpenStack Cloud 7 ansible-2.2.3.0-5.1 monasca-installer-20170912_10.45-5.1 ansible-2.2.3.0-5.1 as a component of SUSE OpenStack Cloud 7 monasca-installer-20170912_10.45-5.1 as a component of SUSE OpenStack Cloud 7 Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges. CVE-2016-9587 SUSE OpenStack Cloud 7:ansible-2.2.3.0-5.1 SUSE OpenStack Cloud 7:monasca-installer-20170912_10.45-5.1 moderate 7.5 AV:N/AC:M/Au:S/C:P/I:C/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20173029-1/ https://www.suse.com/security/cve/CVE-2016-9587.html CVE-2016-9587 https://bugzilla.suse.com/1019021 SUSE Bug 1019021 Ansible before version 2.3 has an input validation vulnerability in the handling of data sent from client systems. An attacker with control over a client system being managed by Ansible, and the ability to send facts back to the Ansible server, could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges. CVE-2017-7466 SUSE OpenStack Cloud 7:ansible-2.2.3.0-5.1 SUSE OpenStack Cloud 7:monasca-installer-20170912_10.45-5.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20173029-1/ https://www.suse.com/security/cve/CVE-2017-7466.html CVE-2017-7466 https://bugzilla.suse.com/1019021 SUSE Bug 1019021 Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as 'unsafe' and is not evaluated. CVE-2017-7481 SUSE OpenStack Cloud 7:ansible-2.2.3.0-5.1 SUSE OpenStack Cloud 7:monasca-installer-20170912_10.45-5.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20173029-1/ https://www.suse.com/security/cve/CVE-2017-7481.html CVE-2017-7481 https://bugzilla.suse.com/1038785 SUSE Bug 1038785