[Bug 241734] sysutils/ansible: Update to 2.9.6
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Thu Mar 26 10:37:36 UTC 2020
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=241734
--- Comment #5 from Muhammad Moinur Rahman <bofh at freebsd.org> ---
Version 2.8.7 is Vulnerable to CVE-2019-14904
- **SECURITY** - CVE-2019-14904 - solaris_zone module accepts zone name and
performs actions related to that. However, there is no user input validation
done while performing actions. A malicious user could provide a crafted zone
name which allows executing commands into the server manipulating the module
behaviour. Adding user input validation as per Solaris Zone documentation
fixes this issue.
- CVE-2019-14905 - nxos_file_copy module accepts remote_file parameter which
is used for destination name and performs actions related to that on the
device using the value of remote_file which is of string type However, there
is no user input validation done while performing actions. A malicious code
could crafts the filename parameter to take advantage by performing an OS
command injection. This fix validates the option value if it is legitimate
file path or not.
--
You are receiving this mail because:
You are on the CC list for the bug.
More information about the freebsd-python
mailing list