{"id":"MGASA-2020-0060","summary":"Updated ansible package fixes security vulnerabilities","details":"A flaw was found in the solaris_zone module from the Ansible Community\nmodules. When setting the name for the zone on the Solaris host, the\nzone name is checked by listing the process with the 'ps' bare command\non the remote machine. An attacker could take advantage of this flaw by\ncrafting the name of the zone and executing arbitrary commands in the\nremote host (CVE-2019-14904).\n\nA vulnerability in Ansible's nxos_file_copy module can be used to copy\nfiles to a flash or bootflash on NXOS devices. Malicious code could\ncraft the filename parameter to perform OS command injections. This\ncould result in a loss of confidentiality of the system among other\nissues (CVE-2019-14905).\n","modified":"2026-04-16T04:44:25.295227731Z","published":"2020-01-28T07:52:40Z","upstream":["CVE-2019-14904","CVE-2019-14905"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2020-0060.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=26125"},{"type":"WEB","url":"https://github.com/ansible/ansible/blob/v2.7.16/changelogs/CHANGELOG-v2.7.rst"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2020:0217"}],"affected":[{"package":{"name":"ansible","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/ansible?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.7.16-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2020-0060.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}