Bug#912297: ansible: CVE-2018-16837

2018-11-12 Thread Chris Lamb
Hi all,

> - user module - do not pass ssh_key_passphrase on cmdline
> (CVE-2018-16837)

Just a heads-up that I've fixed CVE-2018-16837 (#912297) in jessie, pushed this to the "jessie" branch on Salsa and tagged it as "debian/1.7.2+dfsg-2+deb8u1".

Regards,

-- ,''`. : :'

Bug#912297: ansible: CVE-2018-16837

2018-11-11 Thread Moritz Mühlenhoff
On Sun, Nov 11, 2018 at 12:15:52AM +0100, Lee Garrett wrote:
> Quick follow-up: I don't have a patch for CVE-2018-10875. However, the patch
> in question I have is for CVE-2018-10855, which is already checked in on the
> stretch branch of the packaging repo.
>
> For some reason the security

Bug#912297: ansible: CVE-2018-16837

2018-11-10 Thread Lee Garrett
Quick follow-up: I don't have a patch for CVE-2018-10875. However, the patch in question I have is for CVE-2018-10855, which is already checked in on the stretch branch of the packaging repo.

For some reason the security tracker has this CVE marked as "not affected", although I could reproduce

Bug#912297: ansible: CVE-2018-16837

2018-11-08 Thread Moritz Mühlenhoff
On Thu, Nov 08, 2018 at 11:51:49AM +0100, Lee Garrett wrote:
> Hi,
>
> sorry for the late response. CVE-2018-16837 should be fairly straight-forward
> to fix in stretch and jessie.
>
> For CVE-2018-10875 I have a patch in my work dir that should fix it. I'll push
> it to the git stretch branch

Bug#912297: ansible: CVE-2018-16837

2018-11-08 Thread Lee Garrett
Hi,

sorry for the late response. CVE-2018-16837 should be fairly straight-forward to fix in stretch and jessie.

For CVE-2018-10875 I have a patch in my work dir that should fix it. I'll push it to the git stretch branch tomorrow (not on my work machine right now). For CVE-2018-10874, it's not

Bug#912297: ansible: CVE-2018-16837

2018-11-07 Thread Chris Lamb
Hi Moritz,

> > > From the upstream changelog for 2.7.1+dfsg-1 (already in unstable):
> > [..]
> > > - user module - do not pass ssh_key_passphrase on cmdline
> > > (CVE-2018-16837)
[…]
> We can fix that one in a DSA, but should also fix CVE-2018-10875
> and CVE-2018-10874, then.

Cool. I will

Bug#912297: ansible: CVE-2018-16837

2018-11-07 Thread Moritz Mühlenhoff
On Tue, Oct 30, 2018 at 12:35:05AM -0400, Chris Lamb wrote:
> Hi Ivo,
>
> > From the upstream changelog for 2.7.1+dfsg-1 (already in unstable):
> [..]
> > - user module - do not pass ssh_key_passphrase on cmdline
> > (CVE-2018-16837)
>
> Thanks for providing this and no problem that this

Bug#912297: ansible: CVE-2018-16837

2018-11-04 Thread Chris Lamb
Chris Lamb wrote:

> Security team: This still affects stretch and jessie [unless]
> I'm missing something - would you like me to prepare an upload for
> stable? I'm happy to take the LTS side of things.

Gentle ping on this?

Regards,

-- ,''`. : :' : Chris Lamb `. `'`

Bug#912297: ansible: CVE-2018-16837

2018-10-30 Thread Ivo De Decker
Hi Chris,

On 10/30/2018 05:35 AM, Chris Lamb wrote:

From the upstream changelog for 2.7.1+dfsg-1 (already in unstable):
[..]
- user module - do not pass ssh_key_passphrase on cmdline
(CVE-2018-16837)

Thanks for providing this and no problem that this wasn't in the changelog.

Security

Bug#912297: ansible: CVE-2018-16837

2018-10-29 Thread Chris Lamb
Hi Ivo,

> From the upstream changelog for 2.7.1+dfsg-1 (already in unstable):
[..]
> - user module - do not pass ssh_key_passphrase on cmdline
> (CVE-2018-16837)

Thanks for providing this and no problem that this wasn't in the changelog.

Security team: This still affects stretch and jessie as

Bug#912297: ansible: CVE-2018-16837

2018-10-29 Thread Chris Lamb
Package: ansible
Version: 1.7.2+dfsg-2
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for ansible.

CVE-2018-16837[0]:
| Ansible "User" module leaks any data which is passed on as a parameter
| to ssh-keygen. This could lean in