Hi,

the updated pull request now also contains tests, which made it easier for me to reproduce the issue. I will prepare an update for sid on Sunday/Monday, and evaluate if this also applies for stable. AFAICS this has a low impact, as it requires an attacker to provide the template files (or a user to write faulty templates and not verify the output), which already has grave security implications by itself.
Then again the RH bug tracker hints that it might be used to leak passwords [0] (through the authorized_key module?), though the pull request does not contain any changes there. Information on this CVE is unfortunately rather vague.

[0] https://bugzilla.redhat.com/show_bug.cgi?id=1717311

Regards,
Lee

On 06/06/2019 14:16, Salvatore Bonaccorso wrote:
> Source: ansible
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/ansible/ansible/pull/57188
>
> Hi,
>
> The following vulnerability was published for ansible, can you check
> for which Debian versions this is relevant and adjust the found
> versions?
>
> CVE-2019-10156[0]:
> templating causing an unexpected key file to be set on remote node
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2019-10156
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10156
> [1] https://github.com/ansible/ansible/pull/57188
>
> Regards,
> Salvatore