Your message dated Mon, 29 Oct 2018 23:08:59 +0100
with message-id <20181029220857.s2c3qbod6imko...@debian.org>
and subject line Re: ansible: CVE-2018-16837
has caused the Debian Bug report #912297,
regarding ansible: CVE-2018-16837
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
912297: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912297
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ansible
Version: 1.7.2+dfsg-2
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for ansible.

CVE-2018-16837[0]:
| Ansible "User" module leaks any data which is passed on as a parameter
| to ssh-keygen. This could lean in undesirable situations such as
| passphrases credentials passed as a parameter for the ssh-keygen
| executable. Showing those credentials in clear text form for every
| user which have access just to the process list.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-16837
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16837


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-

--- End Message ---
--- Begin Message ---
Version: 2.7.1+dfsg-1

Hi,

On Mon, Oct 29, 2018 at 05:50:54PM -0400, Chris Lamb wrote:
> The following vulnerability was published for ansible.
> 
> CVE-2018-16837[0]:
> | Ansible "User" module leaks any data which is passed on as a parameter
> | to ssh-keygen. This could lean in undesirable situations such as
> | passphrases credentials passed as a parameter for the ssh-keygen
> | executable. Showing those credentials in clear text form for every
> | user which have access just to the process list.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

From the upstream changelog for 2.7.1+dfsg-1 (already in unstable):

changelogs/CHANGELOG-v2.7.rst

- user module - do not pass ssh_key_passphrase on cmdline (CVE-2018-16837)

This wasn't mentioned in the debian changelog, however.

Closing.

Ivo

--- End Message ---
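
Added example, not part of the thread above and not Ansible's or Debian's own code: a defender-side audit check for the exposure the CVE text describes, flagging ssh-keygen processes whose passphrase options (-N, -P) carry a non-empty value in argv, which any local user can read from the process list. The function names and sample command lines are constructed for illustration, and the parser is a heuristic that only handles the "-N value" and "-Nvalue" forms.

```python
import os

# ssh-keygen options whose value is a passphrase: -N (new), -P (current).
PASSPHRASE_OPTS = ("-N", "-P")

def exposed_passphrase_opts(cmdline):
    """Return passphrase options of an ssh-keygen invocation that carry a
    non-empty value. `cmdline` is NUL-separated bytes, the format of
    /proc/<pid>/cmdline. Only option names are returned, never the value."""
    if cmdline.endswith(b"\0"):
        cmdline = cmdline[:-1]          # drop terminator, keep empty args
    argv = [a.decode("utf-8", "replace") for a in cmdline.split(b"\0")]
    if os.path.basename(argv[0]) != "ssh-keygen":
        return []
    found, i = [], 1
    while i < len(argv):
        arg = argv[i]
        if arg in PASSPHRASE_OPTS:
            # Separate form: value is the next argv entry. An empty value
            # (-N '') means "no passphrase" and exposes nothing.
            if i + 1 < len(argv) and argv[i + 1] != "":
                found.append(arg)
            i += 2
            continue
        if arg[:2] in PASSPHRASE_OPTS and len(arg) > 2:
            found.append(arg[:2])       # attached form: -Nvalue
        i += 1
    return found

def scan_proc(proc_root="/proc"):
    """Map pid -> exposed options for every running ssh-keygen (Linux)."""
    hits = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as fh:
                opts = exposed_passphrase_opts(fh.read())
        except OSError:
            continue                    # process exited or is unreadable
        if opts:
            hits[int(entry)] = opts
    return hits

# Constructed sample command lines (not captured from a real system).
SAMPLE_LEAK = (b"/usr/bin/ssh-keygen\0-q\0-t\0rsa\0-N\0constructed-secret\0"
               b"-f\0/home/alice/.ssh/id_rsa\0")
SAMPLE_EMPTY = b"ssh-keygen\0-q\0-t\0rsa\0-N\0\0-f\0/home/alice/.ssh/id_rsa\0"

if __name__ == "__main__":
    print(exposed_passphrase_opts(SAMPLE_LEAK), exposed_passphrase_opts(SAMPLE_EMPTY))
```

Because ssh-keygen exits quickly, a one-shot scan_proc() run can miss the window; process-execution auditing that records argv is the more reliable source for the same check.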
