Your message dated Mon, 11 Nov 2024 17:47:07 +0100
with message-id <zzi1c9cd2hakd...@eldamar.lan>
and subject line Re: Accepted ansible-core 2.18.0-1 (source) into unstable
has caused the Debian Bug report #1086883,
regarding ansible-core: CVE-2024-9902
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1086883: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086883
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ansible-core
Version: 2.17.5-4
Severity: important
Tags: security upstream
Forwarded: https://github.com/ansible/ansible/issues/83955
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for ansible-core.
CVE-2024-9902[0]:
| A flaw was found in Ansible. The ansible-core `user` module can
| allow an unprivileged user to silently create or replace the
| contents of any file on any system path and take ownership of it
| when a privileged user executes the `user` module against the
| unprivileged user's home directory. If the unprivileged user has
| traversal permissions on the directory containing the exploited
| target file, they retain full control over the contents of the file
| as its owner.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-9902
https://www.cve.org/CVERecord?id=CVE-2024-9902
[1] https://github.com/ansible/ansible/issues/83955
[2] https://github.com/ansible/ansible/pull/83956
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: ansible-core
Source-Version: 2.18.0-1
On Mon, Nov 11, 2024 at 03:19:31PM +0000, Debian FTP Masters wrote:
> Format: 1.8
> Date: Mon, 11 Nov 2024 15:02:45 +0000
> Source: ansible-core
> Architecture: source
> Version: 2.18.0-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
> Changed-By: Colin Watson <cjwat...@debian.org>
> Changes:
> ansible-core (2.18.0-1) unstable; urgency=medium
> .
> * Team upload
> .
> [ Bastien Roucariès ]
> * Fix CVE-2024-9902: A flaw was found in Ansible.
> The ansible-core `user` module can allow an
> unprivileged user to silently create or replace
> the contents of any file on any system path
> and take ownership of it when a privileged user
> executes the `user` module against the unprivileged
> user's home directory. If the unprivileged user
> has traversal permissions on the directory containing
> the exploited target file, they retain full control
> over the contents of the file as its owner.
> .
> [ Colin Watson ]
> * New upstream release.
> * Remove misleading sequence numbers from files in debian/patches.
--- End Message ---