FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-29 07:54:42 UTC


These are the vulnerabilities relating to the commit you have selected:

VuXML ID    Description
0899c0d3-80f2-11ea-bafd-815569f3852d    ansible - win_unzip path normalization

Borja Tarraso reports:

A flaw was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior when using the Extract-Zip function from the win_unzip module as the extracted file(s) are not checked if they belong to the destination folder. An attacker could take advantage of this flaw by crafting an archive anywhere in the file system, using a path traversal. This issue is fixed in 2.10.


Discovery 2020-02-12
Entry 2020-04-17
ansible < 2.8.9
ansible27 < 2.7.17
ansible26 < 2.7.17
ansible25 < 2.7.17
ansible24 < 2.7.17
ansible23 < 2.7.17

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1737
https://github.com/ansible/ansible/issues/67795
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FWDK3QUVBULS3Q3PQTGEKUQYPSNOU5M3/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QT27K5ZRGDPCH7GT3DRI3LO4IVDVQUB7/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U3IMV3XEIUXL6S4KPLYYM4TVJQ2VNEP2/
CVE-2020-1737

67dbeeb6-80f4-11ea-bafd-815569f3852d    ansible - subversion password leak from PID

Borja Tarraso reports:

A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior when a password is set with the argument "password" of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cmdline file from that particular PID on the procfs.


Discovery 2020-02-12
Entry 2020-04-17
ansible < 2.8.9
ansible27 < 2.7.17
ansible26 < 2.7.17
ansible25 < 2.7.17
ansible24 < 2.7.17
ansible23 < 2.7.17

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1739
https://github.com/ansible/ansible/issues/67797
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FWDK3QUVBULS3Q3PQTGEKUQYPSNOU5M3/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QT27K5ZRGDPCH7GT3DRI3LO4IVDVQUB7/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U3IMV3XEIUXL6S4KPLYYM4TVJQ2VNEP2/
CVE-2020-1739

ae2e7871-80f6-11ea-bafd-815569f3852d    ansible - Vault password leak from temporary file

Borja Tarraso reports:

A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.


Discovery 2020-02-12
Entry 2020-04-17
ansible < 2.8.9
ansible27 < 2.7.17
ansible26 < 2.7.17
ansible25 < 2.7.17
ansible24 < 2.7.17
ansible23 < 2.7.17

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1740
https://github.com/ansible/ansible/issues/67798
CVE-2020-1740