Bugzilla – Bug 938161
VUL-0: CVE-2015-3908: ansible: Improper TLS Certificate Validation in Ansible
Last modified: 2016-07-28 14:21:28 UTC
http://seclists.org/oss-sec/2015/q3/106 Versions of Ansible prior to 1.9.2 fail to adequately validate HTTPS certificates when using the get_url and uri modules, and when using the url and etcd lookup plugins. This allows for man-in-the-middle attacks on those connections. The fix for this problem has been released as part of Ansible 1.9.2. The Ansible playbook below is a proof-of-concept that can be used to safely validate the incorrect behaviour: - name: a playbook demonstrating MITM in ansible hosts: 127.0.0.1 connection: local tasks: - name: this should fail get_url: url=https://kennethreitz.org/ dest="/tmp/shouldnotexist.html” This playbook attempts to download a HTML file from a site presenting a certificate that is valid, but not for the site in question. Versions of Ansible from 1.9.2 onward correctly fail to validate the certificate, but earlier versions will download the file regardless and the playbook will successfully exit. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3908 http://seclists.org/oss-sec/2015/q3/106
Fix: https://github.com/ansible/ansible/commit/be7c59c7bbe2c7cfaad0151c42693ebd0ea4243f
Thanks for pointing to the patch! Updated package (1.9.2 containing the fix) submitted to openSUSE:Factory Package containing the above fix submitted to 13.2 (ID 316936). Reassigning to security for further processing.
releasing update