ALT-PU-2014-1523-1
Closed vulnerabilities
Modified: 2024-11-21
CVE-2014-4658
The vault subsystem in Ansible before 1.5.5 does not set the umask before creation or modification of a vault file, which allows local users to obtain sensitive key information by reading a file.
Modified: 2024-11-21
CVE-2014-4659
Ansible before 1.5.5 sets 0644 permissions for sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by reading a file that uses the "deb http://user:pass@server:port/" format.
Modified: 2024-11-21
CVE-2014-4660
Ansible before 1.5.5 constructs filenames containing user and password fields on the basis of deb lines in sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by leveraging existence of a file that uses the "deb http://user:pass@server:port/" format.
- https://github.com/ansible/ansible/blob/release1.5.5/CHANGELOG.md
- https://github.com/ansible/ansible/blob/release1.5.5/CHANGELOG.md
- https://github.com/ansible/ansible/commit/c4b5e46054c74176b2446c82d4df1a2610eddc08
- https://github.com/ansible/ansible/commit/c4b5e46054c74176b2446c82d4df1a2610eddc08
- https://security-tracker.debian.org/tracker/CVE-2014-4660
- https://security-tracker.debian.org/tracker/CVE-2014-4660
- https://www.openwall.com/lists/oss-security/2014/06/26/19
- https://www.openwall.com/lists/oss-security/2014/06/26/19
- https://www.securityfocus.com/bid/68231
- https://www.securityfocus.com/bid/68231