On Wed, Aug 07, 2019 at 12:49:11PM +0200, Salvatore Bonaccorso wrote: > Source: ansible > Version: 2.8.3+dfsg-1 > Severity: important > Tags: security upstream > Forwarded: https://github.com/ansible/ansible/issues/56269 > > Hi, > > The following vulnerability was published for ansible. > > CVE-2019-10217[0]: > | gcp modules do not flag sensitive data fields properly > > If you fix the vulnerability please also make sure to include the > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. > > For further information see: > > [0] https://security-tracker.debian.org/tracker/CVE-2019-10217 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10217 > [1] https://github.com/ansible/ansible/issues/56269 > [2] https://github.com/ansible/ansible/pull/59427 >
It looks like the GCP module was introduced by this upstream commit: commit 9706abf68518dc0f663f23f64475f2b270851ae4 Author: Alex Stephen <alexstep...@google.com> Date: Tue Feb 6 08:50:16 2018 -0800 [cloud] New GCP module: DNS Managed Zones (gcp_dns_managed_zone.py) (#35014) Based on that I have annotated the CVE as not affecting ansible in jessie. It may likewise not affect the versions in stretch and buster. Regards, -Roberto -- Roberto C. Sánchez