
[2.7] CVE-2020-1746 - Remove the params module option from ldap_attr and ldap_entry #68716

Merged

Conversation

@s-hertel (Contributor) commented Apr 6, 2020

SUMMARY

Backport of ansible-collections/community.general#113

Fix for CVE-2020-1746

Module options that circumvent Ansible's option handling were disallowed
in:
https://meetbot.fedoraproject.org/ansible-meeting/2017-09-28/ansible_dev_meeting.2017-09-28-15.00.log.html

Additionally, this particular usage can be insecure if bind_pw is set
this way as the password could end up in a logfile or displayed on
stdout.

ISSUE TYPE
  • Bugfix Pull Request
  • Docs Pull Request
COMPONENT NAME
  • lib/ansible/modules/net_tools/ldap/ldap_entry.py
  • lib/ansible/modules/net_tools/ldap/_ldap_attr.py
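The description above says a password passed through the removed `params` option "could end up in a logfile or displayed on stdout". The following is an added, simplified Python model of that failure mode written for this page; it is not Ansible's `AnsibleModule` code and the argument spec, option names, marker string and sample task arguments are constructed to resemble the pre-fix `ldap_entry`/`ldap_attr` options. It shows why a secret that only appears inside the `params` dict escapes `no_log` redaction, and how rejecting `params` and requiring `bind_pw` as a declared option closes the gap.

```python
"""Simplified model of the CVE-2020-1746 leak (added illustration, not ansible code)."""

# Constructed argument spec modelled on the pre-fix ldap_entry/ldap_attr options.
# 'params' is the catch-all dict option that the PR removes.
LEGACY_ARGUMENT_SPEC = {
    "server_uri": {"default": "ldapi:///"},
    "bind_dn": {},
    "bind_pw": {"no_log": True},
    "dn": {"required": True},
    "params": {"type": "dict"},
}

# The fixed spec is the same minus 'params'.
FIXED_ARGUMENT_SPEC = {k: v for k, v in LEGACY_ARGUMENT_SPEC.items() if k != "params"}

# Placeholder substituted for secrets in anything that is logged (constructed name).
NO_LOG_MARKER = "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"


def collect_no_log_values(args, spec):
    """Gather the values of options the spec marks no_log.

    Only declared no_log options contribute. A secret nested inside another
    option's dict value (such as params.bind_pw) is never seen here, which is
    the root of the leak.
    """
    secrets = set()
    for name, opts in spec.items():
        if opts.get("no_log") and args.get(name) is not None:
            secrets.add(str(args[name]))
    return secrets


def redact(value, secrets):
    """Recursively replace every occurrence of a secret string in a structure."""
    if isinstance(value, dict):
        return {k: redact(v, secrets) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v, secrets) for v in value]
    if isinstance(value, str):
        for s in secrets:
            value = value.replace(s, NO_LOG_MARKER)
    return value


def invocation_log_legacy(args):
    """Pre-fix behaviour: 'params' is accepted and merged into the effective
    options only after the no_log set was computed, so the invocation record
    contains its contents verbatim. Returns (logged_args, effective_args)."""
    secrets = collect_no_log_values(args, LEGACY_ARGUMENT_SPEC)
    logged = redact(args, secrets)
    effective = dict(args)
    effective.update(effective.pop("params", None) or {})  # the late merge
    return logged, effective


def invocation_log_fixed(args):
    """Post-fix behaviour: 'params' is not a recognised option, so the task
    fails before anything is recorded; bind_pw must be passed directly and is
    therefore covered by no_log."""
    unknown = set(args) - set(FIXED_ARGUMENT_SPEC)
    if unknown:
        raise ValueError("Unsupported parameters: %s" % ", ".join(sorted(unknown)))
    secrets = collect_no_log_values(args, FIXED_ARGUMENT_SPEC)
    return redact(args, secrets), dict(args)


def leaks_password(logged, password):
    """True if the plaintext password appears anywhere in the logged structure."""
    return password in repr(logged)


if __name__ == "__main__":
    # Constructed task arguments; the password is a dummy value.
    pw = "hunter2-constructed"
    legacy_task = {
        "dn": "uid=alice,ou=people,dc=example,dc=com",
        "bind_dn": "cn=admin,dc=example,dc=com",
        "params": {"bind_pw": pw},
    }
    logged, _ = invocation_log_legacy(legacy_task)
    print("legacy, bind_pw via params -> leaked:", leaks_password(logged, pw))
    fixed_task = {k: v for k, v in legacy_task.items() if k != "params"}
    fixed_task["bind_pw"] = pw
    logged, _ = invocation_log_fixed(fixed_task)
    print("fixed, bind_pw declared       -> leaked:", leaks_password(logged, pw))
```

The model deliberately mirrors the ordering that matters: redaction is computed from declared options before the catch-all dict is merged, so anything carried inside that dict is outside the protected set. The same caveat applies to any module or wrapper that accepts a free-form dict of options and folds it into its real arguments later.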

abadger and others added 3 commits April 6, 2020 13:29
Module options that circumvent Ansible's option handling were disallowed
in:
https://meetbot.fedoraproject.org/ansible-meeting/2017-09-28/ansible_dev_meeting.2017-09-28-15.00.log.html

Additionally, this particular usage can be insecure if bind_pw is set
this way as the password could end up in a logfile or displayed on
stdout.

Fixes CVE-2020-1746

(cherry picked from commit 0ff609f)
Co-Authored-By: Felix Fontein <felix@fontein.de>
@ansibot added labels affects_2.7, backport, bug, core_review, docs, module, needs_triage, net_tools, support:community, support:core Apr 6, 2020

@ansibot added ci_verified, needs_revision and removed core_review Apr 6, 2020

@ansibot added core_review, test and removed ci_verified, needs_revision Apr 6, 2020

@bcoca added the P1 (Priority 1 - Immediate Attention Required; Release Immediately After Fixed) label Apr 6, 2020

@ansibot removed the needs_triage label Apr 6, 2020
@s-hertel s-hertel force-pushed the 2.7-community.general.ldap_params_fix branch from be61431 to c3fbc6b Compare April 9, 2020 18:41
@mattclay mattclay merged commit edd1e17 into ansible:stable-2.7 Apr 15, 2020
@ansible ansible locked and limited conversation to collaborators May 13, 2020
Labels
  • affects_2.7: This issue/PR affects Ansible v2.7
  • backport: This PR does not target the devel branch.
  • bug: This issue/PR relates to a bug.
  • core_review: In order to be merged, this PR must follow the core review workflow.
  • docs: This issue/PR relates to or includes documentation.
  • module: This issue/PR relates to a module.
  • net_tools: Net-tools category
  • P1: Priority 1 - Immediate Attention Required; Release Immediately After Fixed
  • support:community: This issue/PR relates to code supported by the Ansible community.
  • support:core: This issue/PR relates to code supported by the Ansible Engineering Team.
  • test: This PR relates to tests.