View | Details | Raw Unified | Return to bug 201359

(-)vuln.xml (+188 lines)
Lines 57-62 Link Here
57
57
58
-->
58
-->
59
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
59
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
60
  <vuln vid="72fccfdf-2061-11e5-a4a5-002590263bf5">
61
    <topic>ansible -- multiple vulnerabilities</topic>
62
    <affects>
63
      <package>
64
	<name>ansible</name>
65
	<range><lt>1.9.2</lt></range>
66
      </package>
67
    </affects>
68
    <description>
69
      <body xmlns="http://www.w3.org/1999/xhtml">
70
	<p>Ansible, Inc. reports:</p>
71
	<blockquote cite="http://www.ansible.com/security">
72
	  <p>Ensure that hostnames match certificate names when using HTTPS -
73
	    resolved in Ansible 1.9.2</p>
74
	  <p>Improper symlink handling in zone, jail, and chroot connection
75
	    plugins could lead to escape from confined environment - resolved
76
	    in Ansible 1.9.2</p>
77
	</blockquote>
78
      </body>
79
    </description>
80
    <references>
81
      <cvename>CVE-2015-3908</cvename>
82
      <url>http://www.ansible.com/security</url>
83
      <url>https://raw.githubusercontent.com/ansible/ansible/v1.9.2-1/CHANGELOG.md</url>
84
    </references>
85
    <dates>
86
      <discovery>2015-06-25</discovery>
87
      <entry>2015-07-02</entry>
88
    </dates>
89
  </vuln>
90
91
  <vuln vid="e308c61a-2060-11e5-a4a5-002590263bf5">
92
    <topic>ansible -- multiple vulnerabilities</topic>
93
    <affects>
94
      <package>
95
	<name>ansible</name>
96
	<range><lt>1.7</lt></range>
97
      </package>
98
    </affects>
99
    <description>
100
      <body xmlns="http://www.w3.org/1999/xhtml">
101
	<p>Ansible, Inc. reports:</p>
102
	<blockquote cite="http://www.ansible.com/security">
103
	  <p>Arbitrary execution from data from compromised remote hosts or
104
	    local data when using a legacy Ansible syntax - resolved in
105
	    Ansible 1.7</p>
106
	  <p>ansible-galaxy command when used on local tarballs (and not
107
	    galaxy.ansible.com) can install a malformed tarball if so provided
108
	    - resolved in Ansible 1.7</p>
109
	</blockquote>
110
      </body>
111
    </description>
112
    <references>
113
      <url>http://www.ansible.com/security</url>
114
      <url>https://raw.githubusercontent.com/ansible/ansible/devel/CHANGELOG.md</url>
115
    </references>
116
    <dates>
117
      <discovery>2014-08-06</discovery>
118
      <entry>2015-07-02</entry>
119
    </dates>
120
  </vuln>
121
122
  <vuln vid="9dae9d62-205f-11e5-a4a5-002590263bf5">
123
    <topic>ansible -- code execution from compromised remote host data or untrusted local data</topic>
124
    <affects>
125
      <package>
126
	<name>ansible</name>
127
	<range><lt>1.6.7</lt></range>
128
      </package>
129
    </affects>
130
    <description>
131
      <body xmlns="http://www.w3.org/1999/xhtml">
132
	<p>Ansible, Inc. reports:</p>
133
	<blockquote cite="http://www.ansible.com/security">
134
	  <p>Arbitrary execution from data from compromised remote hosts or
135
	    untrusted local data - resolved in Ansible 1.6.7</p>
136
	</blockquote>
137
      </body>
138
    </description>
139
    <references>
140
      <cvename>CVE-2014-4966</cvename>
141
      <bid>68794</bid>
142
      <url>http://www.ansible.com/security</url>
143
      <url>https://raw.githubusercontent.com/ansible/ansible/devel/CHANGELOG.md</url>
144
    </references>
145
    <dates>
146
      <discovery>2014-07-21</discovery>
147
      <entry>2015-07-02</entry>
148
    </dates>
149
  </vuln>
150
151
  <vuln vid="2c493ac8-205e-11e5-a4a5-002590263bf5">
152
    <topic>ansible -- remote code execution vulnerability</topic>
153
    <affects>
154
      <package>
155
	<name>ansible</name>
156
	<range><lt>1.6.4</lt></range>
157
      </package>
158
    </affects>
159
    <description>
160
      <body xmlns="http://www.w3.org/1999/xhtml">
161
	<p>Ansible, Inc. reports:</p>
162
	<blockquote cite="http://www.ansible.com/security">
163
	  <p>Incomplete Fix Remote Code Execution Vulnerability - Fixed in
164
	    Ansible 1.6.4</p>
165
	</blockquote>
166
      </body>
167
    </description>
168
    <references>
169
      <cvename>CVE-2014-4678</cvename>
170
      <bid>68335</bid>
171
      <url>http://www.ansible.com/security</url>
172
      <url>https://raw.githubusercontent.com/ansible/ansible/devel/CHANGELOG.md</url>
173
    </references>
174
    <dates>
175
      <discovery>2014-06-25</discovery>
176
      <entry>2015-07-02</entry>
177
    </dates>
178
  </vuln>
179
180
  <vuln vid="a6a9f9d5-205c-11e5-a4a5-002590263bf5">
181
    <topic>ansible -- local symlink exploits</topic>
182
    <affects>
183
      <package>
184
	<name>ansible</name>
185
	<range><lt>1.2.3</lt></range>
186
      </package>
187
    </affects>
188
    <description>
189
      <body xmlns="http://www.w3.org/1999/xhtml">
190
	<p>MITRE reports:</p>
191
	<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4259">
192
	  <p>runner/connection_plugins/ssh.py in Ansible before 1.2.3, when
193
	    using ControlPersist, allows local users to redirect a ssh session
194
	    via a symlink attack on a socket file with a predictable name in
195
	    /tmp/.</p>
196
	</blockquote>
197
	<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4260">
198
	  <p>lib/ansible/playbook/__init__.py in Ansible 1.2.x before 1.2.3,
199
	    when playbook does not run due to an error, allows local users to
200
	    overwrite arbitrary files via a symlink attack on a retry file with
201
	    a predictable name in /var/tmp/ansible/.</p>
202
	</blockquote>
203
      </body>
204
    </description>
205
    <references>
206
      <cvename>CVE-2013-4259</cvename>
207
      <cvename>CVE-2013-4260</cvename>
208
      <url>http://www.ansible.com/security</url>
209
      <url>https://groups.google.com/forum/#!topic/ansible-project/UVDYW0HGcNg</url>
210
    </references>
211
    <dates>
212
      <discovery>2013-08-21</discovery>
213
      <entry>2015-07-02</entry>
214
    </dates>
215
  </vuln>
216
217
  <vuln vid="a478421e-2059-11e5-a4a5-002590263bf5">
218
    <topic>ansible -- enable host key checking in paramiko connection type</topic>
219
    <affects>
220
      <package>
221
	<name>ansible</name>
222
	<range><lt>1.2.1</lt></range>
223
      </package>
224
    </affects>
225
    <description>
226
      <body xmlns="http://www.w3.org/1999/xhtml">
227
	<p>Ansible changelog reports:</p>
228
	<blockquote cite="https://raw.githubusercontent.com/ansible/ansible/devel/CHANGELOG.md">
229
	  <p>Host key checking is on by default.  Disable it if you like by
230
	    adding host_key_checking=False in the [default] section of
231
	    /etc/ansible/ansible.cfg or ~/ansible.cfg or by exporting
232
	    ANSIBLE_HOST_KEY_CHECKING=False.</p>
233
	</blockquote>
234
      </body>
235
    </description>
236
    <references>
237
      <cvename>CVE-2013-2233</cvename>
238
      <url>https://raw.githubusercontent.com/ansible/ansible/devel/CHANGELOG.md</url>
239
      <url>http://www.ansible.com/security</url>
240
      <url>https://github.com/ansible/ansible/issues/857</url>
241
    </references>
242
    <dates>
243
      <discovery>2012-08-13</discovery>
244
      <entry>2015-07-02</entry>
245
    </dates>
246
  </vuln>
247
60
  <vuln vid="9c7177ff-1fe1-11e5-9a01-bcaec565249c">
248
  <vuln vid="9c7177ff-1fe1-11e5-9a01-bcaec565249c">
61
    <topic>libxml2 -- Enforce the reader to run in constant memory</topic>
249
    <topic>libxml2 -- Enforce the reader to run in constant memory</topic>
62
    <affects>
250
    <affects>
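Review bot: the 72fccfdf entry describes two separate issues fixed in 1.9.2 (HTTPS hostname verification, and symlink handling in the zone, jail and chroot connection plugins) but its `<references>` carry a single `<cvename>`, CVE-2015-3908, and the e308c61a entry (the two issues resolved in 1.7) carries no `<cvename>` at all; if identifiers were assigned for those issues, add them so the entries can be matched on CVE. Related: four of the six new entries cite `https://raw.githubusercontent.com/ansible/ansible/devel/CHANGELOG.md`, which is the moving `devel` branch, while the 1.9.2 entry pins the tagged `v1.9.2-1` file; pin the other references to a tag too so the quoted changelog text cannot drift. Minor: the a478421e description quotes a changelog note on how to switch host key checking off rather than stating the flaw the topic line implies (the paramiko connection type did not check host keys before 1.2.1); a one-sentence statement of that exposure would serve readers of the advisory better than the configuration tip.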
