{"affected":[{"ecosystem_specific":{"binaries":[{"ansible":"2.9.6-bp151.3.6.1","ansible-doc":"2.9.6-bp151.3.6.1","ansible-test":"2.9.6-bp151.3.6.1"}]},"package":{"ecosystem":"SUSE:Package Hub 15 SP1","name":"ansible","purl":"pkg:rpm/suse/ansible&distro=SUSE%20Package%20Hub%2015%20SP1"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.9.6-bp151.3.6.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for ansible to version 2.9.6 fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2019-14904: Fixed a vulnerability in solaris_zone module via crafted solaris zone (boo#1157968).\n- CVE-2019-14905: Fixed an issue where malicious code could craft filename in nxos_file_copy module (boo#1157969).\n- CVE-2019-14864: Fixed Splunk and Sumologic callback plugins leak sensitive data in logs (boo#1154830).\n- CVE-2019-14846: Fixed secrets disclosure on logs due to display is hardcoded to DEBUG level (boo#1153452)\n- CVE-2019-14856: Fixed insufficient fix for CVE-2019-10206 (boo#1154232)\n- CVE-2019-14858: Fixed data in the sub parameter fields that will not be masked\n  and will be displayed when run with increased verbosity (boo#1154231) \n- CVE-2019-10206: ansible-playbook -k and ansible cli tools prompt passwords by\n  expanding them from templates as they could contain special characters. \n  Passwords should be wrapped to prevent templates trigger and exposing them. (boo#1142690)\n- CVE-2019-10217: Fields managing sensitive data should be set as such by no_log\n  feature. Some of these fields in GCP modules are not set properly. \n  service_account_contents() which is common class for all gcp modules is not \n  setting no_log to True. Any sensitive data managed by that function would be \n  leak as an output when running ansible playbooks. (boo#1144453)\n\nThis update was imported from the openSUSE:Leap:15.1:Update update project.","id":"openSUSE-SU-2020:0523-1","modified":"2020-04-16T04:12:24Z","published":"2020-04-16T04:12:24Z","references":[{"type":"ADVISORY","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3SH4AT6KRZ24IXOK2Y7INQZBHCB55MT7/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1137479"},{"type":"REPORT","url":"https://bugzilla.suse.com/1142542"},{"type":"REPORT","url":"https://bugzilla.suse.com/1142690"},{"type":"REPORT","url":"https://bugzilla.suse.com/1144453"},{"type":"REPORT","url":"https://bugzilla.suse.com/1153452"},{"type":"REPORT","url":"https://bugzilla.suse.com/1154231"},{"type":"REPORT","url":"https://bugzilla.suse.com/1154232"},{"type":"REPORT","url":"https://bugzilla.suse.com/1154830"},{"type":"REPORT","url":"https://bugzilla.suse.com/1157968"},{"type":"REPORT","url":"https://bugzilla.suse.com/1157969"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-10206"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-10217"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-14846"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-14856"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-14858"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-14864"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-14904"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2019-14905"}],"related":["CVE-2019-10206","CVE-2019-10217","CVE-2019-14846","CVE-2019-14856","CVE-2019-14858","CVE-2019-14864","CVE-2019-14904","CVE-2019-14905"],"summary":"Security update for ansible","upstream":["CVE-2019-10206","CVE-2019-10217","CVE-2019-14846","CVE-2019-14856","CVE-2019-14858","CVE-2019-14864","CVE-2019-14904","CVE-2019-14905"]}