[2.9] CVE-2020-1746 - Remove the params module option from ldap_attr and ldap_entry #68714

Merged

Conversation

Contributor

@s-hertel s-hertel commented Apr 6, 2020

SUMMARY

Based on #67866

Updated in community.general in ansible-collections/community.general#113

Fix for CVE-2020-1746

Module options that circumvent Ansible's option handling were disallowed
in:
https://meetbot.fedoraproject.org/ansible-meeting/2017-09-28/ansible_dev_meeting.2017-09-28-15.00.log.html

Additionally, this particular usage can be insecure if bind_pw is set
this way as the password could end up in a logfile or displayed on
stdout.

Backport of ansible-collections/community.general#113

ISSUE TYPE
  • Bugfix Pull Request
  • Docs Pull Request
COMPONENT NAME
  • lib/ansible/modules/net_tools/ldap/ldap_entry.py
  • lib/ansible/modules/net_tools/ldap/_ldap_attr.py
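
To illustrate the risk the description points at, here is an added simulation (not Ansible's or the ldap modules' own code) of how a free-form `params` dict can carry `bind_pw` past `no_log` masking, and how removing the option closes the gap. It assumes a simplified option handler in which no_log values are collected from the declared argument spec before the module merges `params` into its options; `ARGUMENT_SPEC`, `run_vulnerable` and `run_fixed` are hypothetical names.

```python
# Added simulation (hypothetical, not Ansible's or the ldap modules' code) of a
# simplified option handler: secrets to mask are collected from the declared
# argument spec, so values merged in later from a free-form `params` dict are
# never registered as no_log and can leak into logged or printed messages.
ARGUMENT_SPEC = {
    "dn": {"type": "str", "required": True},
    "bind_dn": {"type": "str"},
    "bind_pw": {"type": "str", "no_log": True},  # must never appear in output
}
MASK = "********"

def no_log_values(spec, params):
    """Values the handler will mask: only options declared no_log in the spec."""
    return {str(params[k]) for k, opt in spec.items() if opt.get("no_log") and params.get(k)}

def mask(text, secrets):
    """Replace every registered secret in a message with the mask string."""
    for secret in secrets:
        text = text.replace(secret, MASK)
    return text

def bind_failure_message(params):
    """Constructed failure text of the kind that ends up in a logfile or on stdout."""
    return "bind as %s with password %s failed" % (params.get("bind_dn"), params.get("bind_pw"))

def run_vulnerable(task_args):
    """Assumed pre-fix flow: secrets are registered first, then `params` is merged in."""
    params = dict(task_args)
    secrets = no_log_values(ARGUMENT_SPEC, params)   # a bind_pw inside `params` is unseen
    params.update(params.pop("params", None) or {})  # the merge that bypasses the spec
    return mask(bind_failure_message(params), secrets)

def run_fixed(task_args):
    """Post-fix flow: `params` is no longer an option, so supplying it is rejected."""
    if "params" in task_args:
        raise ValueError("unsupported parameter for module: params")
    params = dict(task_args)
    return mask(bind_failure_message(params), no_log_values(ARGUMENT_SPEC, params))

# Constructed task arguments: the same password given the supported way and via `params`.
DIRECT = {"dn": "cn=x,dc=example,dc=com", "bind_dn": "cn=admin,dc=example,dc=com",
          "bind_pw": "s3cret-pw"}
VIA_PARAMS = {"dn": "cn=x,dc=example,dc=com", "bind_dn": "cn=admin,dc=example,dc=com",
              "params": {"bind_pw": "s3cret-pw"}}
```

Running both inputs through `run_vulnerable` shows the password masked when given as `bind_pw` but printed in clear when smuggled through `params`; `run_fixed` masks the former and refuses the latter outright.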

abadger and others added 3 commits April 6, 2020 12:51
Module options that circumvent Ansible's option handling were disallowed
in:
https://meetbot.fedoraproject.org/ansible-meeting/2017-09-28/ansible_dev_meeting.2017-09-28-15.00.log.html

Additionally, this particular usage can be insecure if bind_pw is set
this way as the password could end up in a logfile or displayed on
stdout.

Fixes CVE-2020-1746

(cherry picked from commit 0ff609f)
Co-Authored-By: Felix Fontein <felix@fontein.de>
@s-hertel s-hertel requested a review from abadger April 6, 2020 17:35
@ansibot ansibot added affects_2.9 This issue/PR affects Ansible v2.9 backport This PR does not target the devel branch. bug This issue/PR relates to a bug. core_review In order to be merged, this PR must follow the core review workflow. docs This issue/PR relates to or includes documentation. module This issue/PR relates to a module. needs_triage Needs a first human triage before being processed. net_tools Net-tools category support:community This issue/PR relates to code supported by the Ansible community. support:core This issue/PR relates to code supported by the Ansible Engineering Team. test This PR relates to tests. labels Apr 6, 2020
Contributor

@abadger abadger left a comment


Looks good to me +1

@ansibot ansibot removed the needs_triage Needs a first human triage before being processed. label Apr 6, 2020
@bcoca bcoca added the P1 Priority 1 - Immediate Attention Required; Release Immediately After Fixed label Apr 6, 2020
@s-hertel s-hertel force-pushed the 2.9-community.general.ldap_params_fix branch from 2e485a0 to 6338e8f Compare April 9, 2020 18:43
Contributor

@felixfontein felixfontein left a comment


LGTM

@mattclay mattclay merged commit d41e384 into ansible:stable-2.9 Apr 15, 2020
@ansible ansible locked and limited conversation to collaborators May 13, 2020