Security update for ansible SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:4152-1 Final 1 1 2021-12-22T09:58:27Z current 2021-12-22T09:58:27Z 2021-12-22T09:58:27Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ansible This update for ansible fixes the following issues: Update to 2.9.27: - CVE-2021-3620: ansible-connection module discloses sensitive info in traceback error message (bsc#1187725). - CVE-2021-3583: Template Injection through yaml multi-line strings with ansible facts used in template (bsc#1188061). - ansible module nmcli is broken in ansible 2.9.13 (bsc#1176460) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). HPE-Helion-OpenStack-8-2021-4152,SUSE-2021-4152,SUSE-OpenStack-Cloud-8-2021-4152,SUSE-OpenStack-Cloud-Crowbar-8-2021-4152 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-20214152-1/ Link for SUSE-SU-2021:4152-1 https://lists.suse.com/pipermail/sle-security-updates/2021-December/009930.html E-Mail link for SUSE-SU-2021:4152-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1176460 SUSE Bug 1176460 https://bugzilla.suse.com/1187725 SUSE Bug 1187725 https://bugzilla.suse.com/1188061 SUSE Bug 1188061 https://www.suse.com/security/cve/CVE-2021-3583/ SUSE CVE CVE-2021-3583 page https://www.suse.com/security/cve/CVE-2021-3620/ SUSE CVE CVE-2021-3620 page HPE Helion OpenStack 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud Crowbar 8 ansible-2.9.27-3.21.1 ansible-doc-2.9.27-3.21.1 ansible-test-2.9.27-3.21.1 ansible-2.9.27-3.21.1 as a component of HPE Helion OpenStack 8 ansible-2.9.27-3.21.1 as a component of SUSE OpenStack Cloud 8 ansible-2.9.27-3.21.1 as a component of SUSE OpenStack Cloud Crowbar 8 A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This flaw allows attackers to perform command injection, which discloses sensitive information. The highest threat from this vulnerability is to confidentiality and integrity. CVE-2021-3583 HPE Helion OpenStack 8:ansible-2.9.27-3.21.1 SUSE OpenStack Cloud 8:ansible-2.9.27-3.21.1 SUSE OpenStack Cloud Crowbar 8:ansible-2.9.27-3.21.1 important 3.6 AV:L/AC:L/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20214152-1/ https://www.suse.com/security/cve/CVE-2021-3583.html CVE-2021-3583 https://bugzilla.suse.com/1188061 SUSE Bug 1188061 A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality. CVE-2021-3620 HPE Helion OpenStack 8:ansible-2.9.27-3.21.1 SUSE OpenStack Cloud 8:ansible-2.9.27-3.21.1 SUSE OpenStack Cloud Crowbar 8:ansible-2.9.27-3.21.1 important 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20214152-1/ https://www.suse.com/security/cve/CVE-2021-3620.html CVE-2021-3620 https://bugzilla.suse.com/1187725 SUSE Bug 1187725