Bug 1008038 (CVE-2016-8614) - VUL-0: CVE-2016-8614: ansible: Improper verification of key fingerprints in apt_key module
Summary: VUL-0: CVE-2016-8614: ansible: Improper verification of key fingerprints in a...
Status: RESOLVED FIXED
Alias: CVE-2016-8614
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Lars Vogdt
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/174312/
Whiteboard: CVSSv2:RedHat:CVE-2016-8614:6.8:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-11-02 09:29 UTC by Sebastian Krahmer
Modified: 2024-05-06 12:31 UTC (History)
9 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sebastian Krahmer 2016-11-02 09:29:03 UTC 
Quoting from RH BZ:

It was found that apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key.


rh#1388038


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1388038
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8614
Comment 6 Jan Matejek 2016-11-29 15:03:21 UTC 
this repository contains the updated package, plus a patch for bug 1010940 that is not fixed in 2.2.0.0

https://build.suse.de/package/show/home:matejcik:branches:OBS_Maintained:ansible/ansible.SUSE_SLE-11-SP3_Update_Teradata
Comment 7 Roberto Angelino 2017-01-05 17:00:26 UTC 
(In reply to Jan Matejek from comment #6)
> this repository contains the updated package, plus a patch for bug 1010940
> that is not fixed in 2.2.0.0
> 
> https://build.suse.de/package/show/home:matejcik:branches:OBS_Maintained:
> ansible/ansible.SUSE_SLE-11-SP3_Update_Teradata

Teradata says PTF are good.  We can go to maint. with these.   

Thanks.
Comment 8 Jan Matejek 2017-01-06 17:59:16 UTC 
submitted to SUSE:SLE-11-SP3:Update:Teradata, SR 126192

whoever is responsible for Teradata maintenance (Holger?), please take ownership of this bug for further handling
Comment 14 Marcus Meissner 2017-02-08 12:40:37 UTC 
need opensuse updates still
Comment 17 Bernhard Wiedemann 2017-10-29 17:01:19 UTC 
This is an autogenerated message for OBS integration:
This bug (1008038) was mentioned in
https://build.opensuse.org/request/show/537425 42.2+42.3+Backports:SLE-12 / ansible
Comment 18 Bernhard Wiedemann 2017-10-30 17:01:29 UTC 
This is an autogenerated message for OBS integration:
This bug (1008038) was mentioned in
https://build.opensuse.org/request/show/537596 42.2+42.3+Backports:SLE-12 / ansible
Comment 19 Swamp Workflow Management 2017-11-10 17:10:56 UTC 
openSUSE-SU-2017:2976-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1008037,1008038,1019021,1038785,1065872
CVE References: CVE-2016-8614,CVE-2016-8628,CVE-2016-9587,CVE-2017-7481,CVE-2017-7550
Sources used:
openSUSE Leap 42.3 (src):    ansible-2.4.1.0-6.1
openSUSE Leap 42.2 (src):    ansible-2.4.1.0-2.4.1
Comment 20 Swamp Workflow Management 2017-11-10 17:12:01 UTC 
openSUSE-SU-2017:2978-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1008037,1008038,1019021,1038785,1065872
CVE References: CVE-2016-8614,CVE-2016-8628,CVE-2016-9587,CVE-2017-7481,CVE-2017-7550
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    ansible-2.4.1.0-6.1
Comment 21 Lars Vogdt 2017-12-02 03:39:35 UTC 
closing, according to latest SWAMP comments.
Comment 26 Swamp Workflow Management 2020-11-12 17:19:32 UTC 
SUSE-SU-2020:3309-1: An update that solves 53 vulnerabilities, contains 14 features and has 5 fixes is now available.

Category: security (important)
Bug References: 1008037,1008038,1010940,1019021,1038785,1056094,1059235,1080682,1097775,1102126,1109957,1112959,1117080,1118896,1123561,1126503,1137479,1137528,1142121,1142542,1144453,1153452,1154231,1154232,1154830,1157968,1157969,1159447,1161919,1164133,1164134,1164135,1164136,1164137,1164138,1164139,1164140,1165022,1165393,1166389,1167440,1167532,1171162,1171823,1172450,1173413,1173416,1173418,1174006,1174145,1174242,1174302,1174583,1175484,1175986,1175993,1177120,1177948
CVE References: CVE-2016-8614,CVE-2016-8628,CVE-2016-8647,CVE-2016-9587,CVE-2017-7466,CVE-2017-7550,CVE-2018-10875,CVE-2018-11779,CVE-2018-16837,CVE-2018-16859,CVE-2018-16876,CVE-2018-18623,CVE-2018-18624,CVE-2018-18625,CVE-2019-0202,CVE-2019-10156,CVE-2019-10206,CVE-2019-10217,CVE-2019-14846,CVE-2019-14856,CVE-2019-14858,CVE-2019-14864,CVE-2019-14904,CVE-2019-14905,CVE-2019-19844,CVE-2019-3828,CVE-2020-10177,CVE-2020-10378,CVE-2020-10684,CVE-2020-10685,CVE-2020-10691,CVE-2020-10729,CVE-2020-10744,CVE-2020-10994,CVE-2020-11110,CVE-2020-14330,CVE-2020-14332,CVE-2020-14365,CVE-2020-1733,CVE-2020-1734,CVE-2020-1735,CVE-2020-1736,CVE-2020-1737,CVE-2020-17376,CVE-2020-1738,CVE-2020-1739,CVE-2020-1740,CVE-2020-1746,CVE-2020-1753,CVE-2020-25032,CVE-2020-26137,CVE-2020-7471,CVE-2020-9402
JIRA References: SOC-10300,SOC-10522,SOC-10616,SOC-11000,SOC-11223,SOC-11342,SOC-11352,SOC-11364,SOC-11386,SOC-11389,SOC-11391,SOC-6780,SOC-9974,SOC-9998
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    ansible-2.9.14-3.15.1, crowbar-core-5.0+git.1600432272.b3ad722f0-3.44.1, crowbar-openstack-5.0+git.1599037158.5c4d07480-4.43.1, documentation-suse-openstack-cloud-deployment-8.20201007-1.29.1, documentation-suse-openstack-cloud-supplement-8.20201007-1.29.1, documentation-suse-openstack-cloud-upstream-admin-8.20201007-1.29.1, documentation-suse-openstack-cloud-upstream-user-8.20201007-1.29.1, grafana-6.7.4-4.12.1, grafana-natel-discrete-panel-0.0.9-3.3.6, openstack-cinder-11.2.3~dev29-3.28.2, openstack-cinder-doc-11.2.3~dev29-3.28.1, openstack-monasca-installer-20190923_16.32-3.15.1, openstack-neutron-11.0.9~dev69-3.37.2, openstack-neutron-doc-11.0.9~dev69-3.37.1, openstack-nova-16.1.9~dev76-3.39.2, openstack-nova-doc-16.1.9~dev76-3.39.1, python-Django-1.11.29-3.19.2, python-Pillow-4.2.1-3.9.2, python-keystoneclient-3.13.1-3.3.2, python-keystonemiddleware-4.17.1-5.3.1, python-kombu-4.1.0-3.7.1, python-straight-plugin-1.5.0-1.3.1, python-urllib3-1.22-5.12.1, release-notes-suse-openstack-cloud-8.20200922-3.23.1, rubygem-crowbar-client-3.9.3-1.1, storm-1.2.3-3.6.1
SUSE OpenStack Cloud 8 (src):    ansible-2.9.14-3.15.1, ardana-ansible-8.0+git.1596735237.54109b1-3.77.1, ardana-cinder-8.0+git.1596129856.263f430-3.43.1, ardana-glance-8.0+git.1593631779.76fa9b7-3.24.1, ardana-mq-8.0+git.1593618123.678c32b-3.26.1, ardana-nova-8.0+git.1601298847.dd01585-3.42.1, ardana-osconfig-8.0+git.1595885113.93abcbc-3.49.1, documentation-suse-openstack-cloud-installation-8.20201007-1.29.1, documentation-suse-openstack-cloud-operations-8.20201007-1.29.1, documentation-suse-openstack-cloud-opsconsole-8.20201007-1.29.1, documentation-suse-openstack-cloud-planning-8.20201007-1.29.1, documentation-suse-openstack-cloud-security-8.20201007-1.29.1, documentation-suse-openstack-cloud-supplement-8.20201007-1.29.1, documentation-suse-openstack-cloud-upstream-admin-8.20201007-1.29.1, documentation-suse-openstack-cloud-upstream-user-8.20201007-1.29.1, documentation-suse-openstack-cloud-user-8.20201007-1.29.1, grafana-6.7.4-4.12.1, grafana-natel-discrete-panel-0.0.9-3.3.6, openstack-cinder-11.2.3~dev29-3.28.2, openstack-cinder-doc-11.2.3~dev29-3.28.1, openstack-monasca-installer-20190923_16.32-3.15.1, openstack-neutron-11.0.9~dev69-3.37.2, openstack-neutron-doc-11.0.9~dev69-3.37.1, openstack-nova-16.1.9~dev76-3.39.2, openstack-nova-doc-16.1.9~dev76-3.39.1, python-Django-1.11.29-3.19.2, python-Flask-Cors-3.0.3-3.3.1, python-Pillow-4.2.1-3.9.2, python-ardana-packager-0.0.3-7.7.2, python-keystoneclient-3.13.1-3.3.2, python-keystonemiddleware-4.17.1-5.3.1, python-kombu-4.1.0-3.7.1, python-straight-plugin-1.5.0-1.3.1, python-urllib3-1.22-5.12.1, release-notes-suse-openstack-cloud-8.20200922-3.23.1, storm-1.2.3-3.6.1, venv-openstack-aodh-5.1.1~dev7-12.28.1, venv-openstack-barbican-5.0.2~dev3-12.29.1, venv-openstack-ceilometer-9.0.8~dev7-12.26.1, venv-openstack-cinder-11.2.3~dev29-14.30.1, venv-openstack-designate-5.0.3~dev7-12.27.1, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.24.1, venv-openstack-glance-15.0.3~dev3-12.27.1, venv-openstack-heat-9.0.8~dev22-12.29.1, venv-openstack-horizon-12.0.5~dev3-14.32.1, venv-openstack-ironic-9.1.8~dev8-12.29.1, venv-openstack-keystone-12.0.4~dev11-11.30.1, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.28.1, venv-openstack-manila-5.1.1~dev5-12.33.1, venv-openstack-monasca-2.2.2~dev1-11.24.1, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.24.1, venv-openstack-murano-4.0.2~dev2-12.24.1, venv-openstack-neutron-11.0.9~dev69-13.32.1, venv-openstack-nova-16.1.9~dev76-11.30.1, venv-openstack-octavia-1.0.6~dev3-12.29.1, venv-openstack-sahara-7.0.5~dev4-11.28.1, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.21.1, venv-openstack-trove-8.0.2~dev2-11.28.1
HPE Helion Openstack 8 (src):    ansible-2.9.14-3.15.1, ardana-ansible-8.0+git.1596735237.54109b1-3.77.1, ardana-cinder-8.0+git.1596129856.263f430-3.43.1, ardana-glance-8.0+git.1593631779.76fa9b7-3.24.1, ardana-mq-8.0+git.1593618123.678c32b-3.26.1, ardana-nova-8.0+git.1601298847.dd01585-3.42.1, ardana-osconfig-8.0+git.1595885113.93abcbc-3.49.1, documentation-hpe-helion-openstack-installation-8.20201007-1.29.1, documentation-hpe-helion-openstack-operations-8.20201007-1.29.1, documentation-hpe-helion-openstack-opsconsole-8.20201007-1.29.1, documentation-hpe-helion-openstack-planning-8.20201007-1.29.1, documentation-hpe-helion-openstack-security-8.20201007-1.29.1, documentation-hpe-helion-openstack-user-8.20201007-1.29.1, grafana-6.7.4-4.12.1, grafana-natel-discrete-panel-0.0.9-3.3.6, openstack-cinder-11.2.3~dev29-3.28.2, openstack-cinder-doc-11.2.3~dev29-3.28.1, openstack-monasca-installer-20190923_16.32-3.15.1, openstack-neutron-11.0.9~dev69-3.37.2, openstack-neutron-doc-11.0.9~dev69-3.37.1, openstack-nova-16.1.9~dev76-3.39.2, openstack-nova-doc-16.1.9~dev76-3.39.1, python-Django-1.11.29-3.19.2, python-Flask-Cors-3.0.3-3.3.1, python-Pillow-4.2.1-3.9.2, python-ardana-packager-0.0.3-7.7.2, python-keystoneclient-3.13.1-3.3.2, python-keystonemiddleware-4.17.1-5.3.1, python-kombu-4.1.0-3.7.1, python-urllib3-1.22-5.12.1, release-notes-hpe-helion-openstack-8.20200922-3.23.1, storm-1.2.3-3.6.1, venv-openstack-aodh-5.1.1~dev7-12.28.1, venv-openstack-barbican-5.0.2~dev3-12.29.1, venv-openstack-ceilometer-9.0.8~dev7-12.26.1, venv-openstack-cinder-11.2.3~dev29-14.30.1, venv-openstack-designate-5.0.3~dev7-12.27.1, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.24.1, venv-openstack-glance-15.0.3~dev3-12.27.1, venv-openstack-heat-9.0.8~dev22-12.29.1, venv-openstack-horizon-hpe-12.0.5~dev3-14.32.1, venv-openstack-ironic-9.1.8~dev8-12.29.1, venv-openstack-keystone-12.0.4~dev11-11.30.1, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.28.1, venv-openstack-manila-5.1.1~dev5-12.33.1, venv-openstack-monasca-2.2.2~dev1-11.24.1, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.24.1, venv-openstack-murano-4.0.2~dev2-12.24.1, venv-openstack-neutron-11.0.9~dev69-13.32.1, venv-openstack-nova-16.1.9~dev76-11.30.1, venv-openstack-octavia-1.0.6~dev3-12.29.1, venv-openstack-sahara-7.0.5~dev4-11.28.1, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.21.1, venv-openstack-trove-8.0.2~dev2-11.28.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 27 Maintenance Automation 2024-04-24 12:30:05 UTC 
SUSE-SU-2024:1427-1: An update that solves eight vulnerabilities, contains one feature and has 11 security fixes can now be installed.

Category: security (moderate)
Bug References: 1008037, 1008038, 1010940, 1019021, 1038785, 1059235, 1099805, 1166389, 1171823, 1174145, 1174302, 1175993, 1177948, 1216854, 1219002, 1219887, 1219912, 1220371, 1221092
CVE References: CVE-2016-8647, CVE-2016-9587, CVE-2017-7550, CVE-2018-10874, CVE-2020-14365, CVE-2023-5764, CVE-2023-6152, CVE-2024-0690
Jira References: MSQA-759
Maintenance Incident: [SUSE:Maintenance:33400](https://smelt.suse.de/incident/33400/)
Sources used:
SUSE Manager Client Tools Beta for SLE 15 (src):
 ansible-2.9.27-159000.3.12.2, spacecmd-5.0.5-159000.6.48.2, grafana-9.5.16-159000.4.30.2, supportutils-plugin-susemanager-client-5.0.3-159000.6.21.2, uyuni-tools-0.1.7-159000.3.8.1, POS_Image-Graphical7-0.1.1710765237.46af599-159000.3.24.2, dracut-saltboot-0.1.1710765237.46af599-159000.3.33.2, spacewalk-client-tools-5.0.4-159000.6.54.2, POS_Image-JeOS7-0.1.1710765237.46af599-159000.3.24.2
SUSE Manager Client Tools Beta for SLE Micro 5 (src):
 golang-github-prometheus-node_exporter-1.5.0-159000.6.2.1, uyuni-tools-0.1.7-159000.3.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 28 Maintenance Automation 2024-05-06 12:31:06 UTC 
SUSE-SU-2024:1509-1: An update that solves 15 vulnerabilities, contains one feature and has four security fixes can now be installed.

Category: security (important)
Bug References: 1008037, 1008038, 1010940, 1019021, 1038785, 1059235, 1099805, 1166389, 1171823, 1174145, 1174302, 1175993, 1177948, 1216854, 1219002, 1219912, 1221092, 1221465, 1222155
CVE References: CVE-2016-8614, CVE-2016-8628, CVE-2016-8647, CVE-2016-9587, CVE-2017-7550, CVE-2018-10874, CVE-2020-10744, CVE-2020-14330, CVE-2020-14332, CVE-2020-14365, CVE-2020-1753, CVE-2023-5764, CVE-2023-6152, CVE-2024-0690, CVE-2024-1313
Jira References: MSQA-760
Maintenance Incident: [SUSE:Maintenance:33434](https://smelt.suse.de/incident/33434/)
Sources used:
openSUSE Leap 15.5 (src):
 spacecmd-4.3.27-150000.3.116.2, POS_Image-JeOS7-0.1.1710765237.46af599-150000.1.21.2, ansible-2.9.27-150000.1.17.2, POS_Image-Graphical7-0.1.1710765237.46af599-150000.1.21.2, dracut-saltboot-0.1.1710765237.46af599-150000.1.53.2, golang-github-prometheus-promu-0.14.0-150000.3.18.2
SUSE Manager Client Tools for SLE 15 (src):
 POS_Image-JeOS7-0.1.1710765237.46af599-150000.1.21.2, ansible-2.9.27-150000.1.17.2, spacewalk-client-tools-4.3.19-150000.3.89.2, uyuni-common-libs-4.3.10-150000.1.39.2, uyuni-proxy-systemd-services-4.3.12-150000.1.21.2, mgr-daemon-4.3.9-150000.1.47.2, spacewalk-koan-4.3.6-150000.3.33.2, spacecmd-4.3.27-150000.3.116.2, POS_Image-Graphical7-0.1.1710765237.46af599-150000.1.21.2, dracut-saltboot-0.1.1710765237.46af599-150000.1.53.2, grafana-9.5.18-150000.1.63.2
SUSE Manager Client Tools for SLE Micro 5 (src):
 uyuni-proxy-systemd-services-4.3.12-150000.1.21.2, dracut-saltboot-0.1.1710765237.46af599-150000.1.53.2
SUSE Package Hub 15 15-SP5 (src):
 golang-github-prometheus-promu-0.14.0-150000.3.18.2
SUSE Manager Proxy 4.3 Module 4.3 (src):
 ansible-2.9.27-150000.1.17.2, uyuni-proxy-systemd-services-4.3.12-150000.1.21.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.