Hi,

On Thu, Jul 25, 2019 at 07:36:33PM +0200, Salvatore Bonaccorso wrote:
> Source: ansible
> Version: 2.7.8+dfsg-1
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/ansible/ansible/pull/59246
> Control: found -1 2.7.7+dfsg-1
>
> Hi,
>
> The following vulnerability was published for ansible.
>
> CVE-2019-10206[0]:
> disclosure data when prompted for password and template characters are passed
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2019-10206
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10206
> [1] https://github.com/ansible/ansible/pull/59246
>
> Please adjust the affected versions in the BTS as needed.

Please make sure to as well include a followup when fixing this issue (IIRC this is addressed in 2.8.4). But applying only those fixes *would* open CVE-2019-14856 as the fix for CVE-2019-10206 was incomplete. To avoid that please see as well https://github.com/ansible/ansible/pull/63351 which was specifically for the incomplete fix (the CVE does not directly apply to us as the incomplete fix never landed in Debian).

Regards,
Salvatore

