Amazon Linux 2023 Security Advisory: ALAS-2024-505
Advisory Release Date: 2024-02-01 17:56 Pacific
Advisory Updated Date: 2024-02-06 15:00 Pacific
The upstream report describes this issue as follows:
When installing a maliciously created Ansible role using 'ansible-galaxy role install', arbitrary files the user has access to can be overwritten. The malicious role must contain a symlink with an absolute path to the target file, followed by a file of the same name (as the symlink) with the contents to write to the target. (CVE-2023-5115)
An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. It was discovered that information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values. (CVE-2024-0690)
Affected Packages:
ansible-core
Issue Correction:
Run dnf update ansible-core --releasever 2023.3.20240205 to update your system.
aarch64:
ansible-test-2.15.3-1.amzn2023.0.3.aarch64
ansible-core-2.15.3-1.amzn2023.0.3.aarch64
src:
ansible-core-2.15.3-1.amzn2023.0.3.src
x86_64:
ansible-test-2.15.3-1.amzn2023.0.3.x86_64
ansible-core-2.15.3-1.amzn2023.0.3.x86_64