ansible (1.7.2+dfsg-2+deb8u3) jessie-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * CVE-2020-1740: a flaw was found when using Ansible Vault for editing
    encrypted files. When a user executes "ansible-vault edit", another
    user on the same computer can read the old and new secret, as it is
    created in a temporary file with mkstemp and the returned file
    descriptor is closed and the method write_data is called to write the
    existing secret in the file. This method will delete the file before
    recreating it insecurely.
  * CVE-2020-1739: a flaw was found when a password is set with the
    argument "password" of svn module, it is used on svn command line,
    disclosing to other users within the same node. An attacker could take
    advantage by reading the cmdline file from that particular PID on the
    procfs.
  * CVE-2020-1733: a race condition flaw was found when running a playbook
    with an unprivileged become user. When Ansible needs to run a module
    with become user, the temporary directory is created in /var/tmp. This
    directory is created with "umask 77 && mkdir -p "; this operation does
    not fail if the directory already exists and is owned by another user.
    An attacker could take advantage to gain control of the become user as
    the target directory can be retrieved by iterating '/proc//cmdline'.
  * CVE-2019-14846: ansible was logging at the DEBUG level which led to a
    disclosure of credentials if a plugin used a library that logged
    credentials at the DEBUG level. This flaw does not affect Ansible
    modules, as those are executed in a separate process.

 -- Sylvain Beucler  Tue, 5 May 2020 15:32:41 +0200

ansible (1.7.2+dfsg-2+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * CVE-2015-3908: Fix potential man-in-the-middle attack associated with
    insufficient X.509 certificate verification.
    Ansible did not verify that the server hostname matches a domain name
    in the subject's Common Name (CN) or subjectAltName field of the X.509
    certificate, which allows man-in-the-middle attackers to spoof SSL
    servers via an arbitrary valid certificate.
  * CVE-2015-6240: Fix a symlink attack that allows local users to escape
    a restricted environment (chroot or jail) via a symlink attack.
  * CVE-2018-10875: Fix potential arbitrary code execution resulting from
    reading ansible.cfg from a world-writable current working directory.
    This condition now causes ansible to emit a warning and ignore the
    ansible.cfg in the world-writable current working directory.
  * CVE-2019-10156: Fix information disclosure through unexpected variable
    substitution. (Closes: #930065)

 -- Roberto C. Sanchez  Fri, 06 Sep 2019 08:01:41 -0400

ansible (1.7.2+dfsg-2+deb8u1) jessie-security; urgency=high

  * CVE-2018-16837: Fix a potential SSH passphrase disclosure
    vulnerability. The "User" module leaked data that was passed as a
    parameter to the ssh-keygen(1) utility thus revealing any credentials
    in cleartext form in the global process list. (Closes: #912297)

 -- Chris Lamb  Mon, 12 Nov 2018 11:43:08 +0100

ansible (1.7.2+dfsg-2) unstable; urgency=low

  * Add updated paths to d/copyright.

 -- Harlan Lieberman-Berg  Thu, 02 Oct 2014 17:31:12 -0400

ansible (1.7.2+dfsg-1) unstable; urgency=medium

  * New upstream release.

 -- Harlan Lieberman-Berg  Wed, 24 Sep 2014 16:55:14 -0400

ansible (1.7.1+dfsg-1) unstable; urgency=medium

  * New upstream release.

 -- Harlan Lieberman-Berg  Thu, 14 Aug 2014 20:13:22 -0400

ansible (1.7.0+dfsg-1) unstable; urgency=medium

  * New upstream release.
  * Refresh and remove outdated patches.
  * Add python-selinux to Recommends for SELinux support.
    (Closes: #757358)

 -- Harlan Lieberman-Berg  Wed, 06 Aug 2014 21:15:22 -0400

ansible (1.6.10+dfsg-1) unstable; urgency=high

  * New upstream release.

 -- Harlan Lieberman-Berg  Fri, 25 Jul 2014 20:00:08 -0400

ansible (1.6.9+dfsg-1) unstable; urgency=medium

  * New upstream release.

 -- Harlan Lieberman-Berg  Fri, 25 Jul 2014 00:06:50 -0400

ansible (1.6.8+dfsg-1) unstable; urgency=medium

  * New upstream release, fixing: CVE-2014-4966, CVE-2014-4967.

 -- Harlan Lieberman-Berg  Wed, 23 Jul 2014 01:12:09 -0400

ansible (1.6.6+dfsg-1) unstable; urgency=high

  * New upstream release.

 -- Harlan Lieberman-Berg  Wed, 02 Jul 2014 01:35:05 +0000

ansible (1.6.5+dfsg-1) unstable; urgency=high

  * New upstream release, x2.
  * Switch to using Files-Excluded to repack upstream for DFSG.

 -- Harlan Lieberman-Berg  Wed, 25 Jun 2014 22:03:26 +0000

ansible (1.6.3+dfsg-1) unstable; urgency=medium

  * New upstream release.

 -- Harlan Lieberman-Berg  Tue, 10 Jun 2014 00:23:17 +0000

ansible (1.6.2+dfsg-1) unstable; urgency=medium

  [ Felix Geyer ]
  * Run upstream build tests during the build. (Closes: #749406)

  [ Harlan Lieberman-Berg ]
  * New upstream version.
  * Packaged version from tip of upstream branch release1.6.2 instead of
    tagged version, as it contains a fix needed to prevent FTBFS.

 -- Harlan Lieberman-Berg  Sun, 25 May 2014 17:50:03 +0000

ansible (1.6.1+dfsg-1) unstable; urgency=medium

  * New upstream version.

 -- Harlan Lieberman-Berg  Wed, 07 May 2014 18:49:07 +0000

ansible (1.6.0+dfsg-1) unstable; urgency=medium

  * New upstream version.
  * Remove patches applied upstream.
  * Fix manpage warning.

 -- Harlan Lieberman-Berg  Tue, 06 May 2014 03:07:30 +0000

ansible (1.5.5+dfsg-1) unstable; urgency=medium

  * New upstream version 1.5.5, security update.
  * d/control: Add myself to Uploaders to silence Lintian
  * Refresh patches for new version. Add DEP-3 headers to one patch.

 -- Harlan Lieberman-Berg  Mon, 21 Apr 2014 16:51:47 -0400

ansible (1.5.4+dfsg-1) unstable; urgency=medium

  * Pull missing manpages from upstream development branch.
  * New upstream version 1.5.4, security update.
  * Add patch to correct directory_mode functionality.
    (Closes: #743027)

 -- Harlan Lieberman-Berg  Tue, 01 Apr 2014 22:00:24 -0400

ansible (1.5.3+dfsg-1) unstable; urgency=low

  [ Harlan Lieberman-Berg ]
  * New upstream version.
  * Update Ansible homepage URL.
  * Add FontAwesome to d/copyright, remove non-existent files.
  * Refresh all patches, removing some related to documentation.
  * Add new dependency on python-crypto.

  [ Michael Vogt ]
  * add "sshpass" to Suggests
  * add "openssh-client | python-paramiko" to depends

 -- Michael Vogt  Tue, 18 Mar 2014 14:33:23 +0100

ansible (1.4.5+dfsg-1) unstable; urgency=medium

  * New upstream release

 -- Michael Vogt  Thu, 20 Feb 2014 08:58:14 +0100

ansible (1.4.4+dfsg-1) unstable; urgency=low

  * New upstream release

 -- Michael Vogt  Tue, 07 Jan 2014 19:58:44 +0100

ansible (1.4.3+dfsg-2) unstable; urgency=low

  * add "Suggests: ansible-doc" to the dependency, thanks to Ben Finney
    (closes: #729350)
  * Fix Vcs-Browser, thanks to Alessandro Ghedini (closes: #731482)

 -- Michael Vogt  Tue, 07 Jan 2014 10:58:44 +0100

ansible (1.4.3+dfsg-1) unstable; urgency=low

  * New upstream release

 -- Michael Vogt  Fri, 27 Dec 2013 09:48:35 +0100

ansible (1.4.1+dfsg-1) unstable; urgency=low

  * New upstream version
  * add asciidoc build-depends

 -- Michael Vogt  Tue, 03 Dec 2013 08:17:05 +0100

ansible (1.4.0+dfsg-1) unstable; urgency=low

  * new upstream version
  * debian/rules:
    - remove sed manpage fixes, fixed upstream
  * debian/patches/fix-html-makefile:
    - removed, fixed upstream

 -- Michael Vogt  Sun, 24 Nov 2013 10:41:27 +0100

ansible (1.3.4+dfsg-1) unstable; urgency=low

  [ Harlan Lieberman-Berg ]
  * New upstream release (Closes: #717777).
    Fixes CVE-2013-2233 (Closes: #714822).
    Fixes CVE-2013-4259 (Closes: #721766).
  * Drop fix-ansible-cfg patch.
  * Change docsite generation to not expect docs as part of a wordpress
    install.
  * Add trivial patch to fix lintian error with rpm-key script.
  * Add patch header information to fix-html-makefile.

  [ Michael Vogt ]
  * add myself to uploader
  * build/ship the module manpages for ansible in the ansible package

 -- Michael Vogt  Fri, 01 Nov 2013 09:40:59 +0100

ansible (1.2.1+dfsg-1) unstable; urgency=low

  * New upstream release.
  * Drop remove-external-training-references.patch

 -- Michael Vogt  Sat, 13 Jul 2013 21:40:49 +0200

ansible (1.1+dfsg-1) unstable; urgency=low

  * New upstream release.
  * Update patches disable-google-analytics.patch and
    remove-external-image.patch to apply cleanly.
  * Add remove-external-footer-image.patch to remove link on external
    resource.
  * Add remove-external-training-references.patch:
    Training advertisement contains links to external resources that may
    not be available or may be used for tracking users' activity without
    their knowledge by the third-party.

 -- Janos Guljas  Sat, 06 Apr 2013 23:27:08 +0200

ansible (0.9+dfsg-1) unstable; urgency=low

  * Initial release. (Closes: #698428)

 -- Janos Guljas  Wed, 23 Jan 2013 01:52:40 +0100