There is currently a CVE associated with this version of Ansible: CVE-2018-10855:
Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.
SecureDrop does not use no_log, and as such this vulnerability does not directly affect SecureDrop. Updating Ansible will be required for CI to pass safety checks.
User Stories
As an admin, packages that are updated and do not have CVEs associated with them are good.
Ansible 2.4 is EOL (source). Shouldn't it be upgraded to the lowest supported version, which is 2.5.9?
Ansible v2.5.9 is greater than v2.5.5, as mentioned in CVE-2018-10855.
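A check for the version ranges quoted in the issue, as an added example that is not part of the issue or the SecureDrop code base: it scans pip-style requirements text for exact `ansible==` pins and classifies each against the two ranges named for CVE-2018-10855. The sample requirements text and the function names are constructed for illustration; branches the quoted advisory text does not mention are reported as such rather than guessed.

```python
import re

# Affected ranges as quoted in the issue for CVE-2018-10855:
# branch (major, minor) -> first fixed release in that branch.
FIXED_IN = {(2, 4): (2, 4, 5), (2, 5): (2, 5, 5)}

# Matches exact pins such as "ansible==2.4.2"; "ansible-lint==..." does not match.
PIN_RE = re.compile(r"^\s*ansible\s*==\s*(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def parse_pin(line):
    """Return the pinned Ansible version as a tuple, or None if not an exact pin."""
    m = PIN_RE.match(line)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version):
    """Classify a version tuple against the ranges quoted in the issue."""
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        return "branch-not-listed"  # the quoted text says nothing about this branch
    return "affected" if version < fixed else "fixed"


def audit(requirements_text):
    """Return [(version_string, status)] for every exact Ansible pin found."""
    findings = []
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        version = parse_pin(line)
        if version is not None:
            findings.append((".".join(map(str, version)), classify(version)))
    return findings


# Constructed sample input, not taken from the SecureDrop repository.
SAMPLE = """\
ansible==2.4.2   # version named in the issue
ansible==2.4.5
ansible==2.5.4
ansible==2.5.9   # version proposed in the comment
ansible-lint==3.4.23
ansible==2.6.0
"""

if __name__ == "__main__":
    for ver, status in audit(SAMPLE):
        print(f"ansible {ver}: {status}")
```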
Description
Ansible 2.4.2 is used in: