Hi Roberto,

On Fri, Sep 06, 2019 at 07:57:47AM -0400, Roberto C. Sánchez wrote:
> On Wed, Aug 07, 2019 at 12:49:11PM +0200, Salvatore Bonaccorso wrote:
> > Source: ansible
> > Version: 2.8.3+dfsg-1
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://github.com/ansible/ansible/issues/56269
> > 
> > Hi,
> > 
> > The following vulnerability was published for ansible.
> > 
> > CVE-2019-10217[0]:
> > | gcp modules do not flag sensitive data fields properly
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2019-10217
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10217
> > [1] https://github.com/ansible/ansible/issues/56269
> > [2] https://github.com/ansible/ansible/pull/59427
> > 
> 
> It looks like the GCP module was introduced by this upstream commit:
> 
> commit 9706abf68518dc0f663f23f64475f2b270851ae4
> Author: Alex Stephen <[email protected]>
> Date:   Tue Feb 6 08:50:16 2018 -0800
> 
>     [cloud] New GCP module: DNS Managed Zones (gcp_dns_managed_zone.py) (#35014)
> 
> Based on that I have annotated the CVE as not affecting ansible in
> jessie.  It may likewise not affect the versions in stretch and buster.

Thanks for this additional triage. I looked at it and the issue was
introduced when adding the GCP IAM role. This was only added in the
2.8 series and not backported, so as well buster is not affected
TTBOMK. Maintainers, please confirm :)

Regards,
Salvatore
