Date: Wed, 5 May 2021 08:39:31 GMT From: Mateusz Piotrowski <0mp@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 56db8443c94a - main - security/vuxml: Document Ansible vulnerability Message-ID: <202105050839.1458dV7P043989@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by 0mp: URL: https://cgit.FreeBSD.org/ports/commit/?id=56db8443c94a9784fdc9d3b6d58eacf16fc14c60 commit 56db8443c94a9784fdc9d3b6d58eacf16fc14c60 Author: Mateusz Piotrowski <0mp@FreeBSD.org> AuthorDate: 2021-05-05 08:38:42 +0000 Commit: Mateusz Piotrowski <0mp@FreeBSD.org> CommitDate: 2021-05-05 08:39:44 +0000 security/vuxml: Document Ansible vulnerability --- security/vuxml/vuln.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 1ca3774094ad..62c7279178d7 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -76,6 +76,54 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="50ec3a01-ad77-11eb-8528-8c164582fbac"> + <topic>Ansible -- Insecure Temporary File</topic> + <affects> + <package> + <name>py36-ansible</name> + <name>py37-ansible</name> + <name>py38-ansible</name> + <name>py39-ansible</name> + <name>py36-ansible27</name> + <range><ge>2.9.0</ge><le>2.9.9</le></range> + </package> + <package> + <name>py37-ansible27</name> + <name>py38-ansible27</name> + <name>py39-ansible27</name> + <range><ge>2.7.0</ge><le>2.7.18</le></range> + </package> + <package> + <name>py36-ansible28</name> + <name>py37-ansible28</name> + <name>py38-ansible28</name> + <name>py39-ansible28</name> + <range><ge>2.8.0</ge><le>2.8.12</le></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>NVD reports:</p> + <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2020-10744">; + <p> + An incomplete fix was found for the fix of the flaw CVE-2020-1733 + ansible: insecure temporary directory when running become_user from + become directive. The provided fix is insufficient to prevent the + race condition on systems using ACLs and FUSE filesystems.. + </p> + </blockquote> + </body> + </description> + <references> + <url>https://nvd.nist.gov/vuln/detail/CVE-2020-10744</url>; + <cvename>CVE-2020-10744</cvename> + </references> + <dates> + <discovery>2020-05-15</discovery> + <entry>2021-05-05</entry> + </dates> + </vuln> + <vuln vid="1766359c-ad6e-11eb-b2a4-080027e50e6d"> <topic>Django -- multiple vulnerabilities</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202105050839.1458dV7P043989>