On Wed, Aug 07, 2019 at 12:49:11PM +0200, Salvatore Bonaccorso wrote:
> Source: ansible
> Version: 2.8.3+dfsg-1
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/ansible/ansible/issues/56269
>
> Hi,
>
> The following vulnerability was published for ansible.
>
> CVE-2019-10217[0]:
> | gcp modules do not flag sensitive data fields properly
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2019-10217
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10217
> [1] https://github.com/ansible/ansible/issues/56269
> [2] https://github.com/ansible/ansible/pull/59427
>
It looks like the GCP module was introduced by this upstream commit:
commit 9706abf68518dc0f663f23f64475f2b270851ae4
Author: Alex Stephen <alexstep...@google.com>
Date: Tue Feb 6 08:50:16 2018 -0800
[cloud] New GCP module: DNS Managed Zones (gcp_dns_managed_zone.py) (#35014)
Based on that I have annotated the CVE as not affecting ansible in
jessie. It may likewise not affect the versions in stretch and buster.
Regards,
-Roberto
--
Roberto C. Sánchez
