IMPORTANT - New RCs for Security Bug CVE-2016-9587


James Cammarata

Jan 9, 2017, 11:57:15 AM
to ansible...@googlegroups.com, ansibl...@googlegroups.com
Hi all,

Today we are releasing two new release candidates to address CVE-2016-9587,
which we are removing from embargo today:

2.1.4 RC1
2.2.1 RC3

CVE-2016-9587 is rated as HIGH in risk, as a compromised remote system being managed 
via Ansible can lead to commands being run on the Ansible controller (as the user 
running the ansible or ansible-playbook command).

If you have the ability, please test the above release candidates so that we can get 
the final releases out as quickly as possible.

Finally, thanks to the security team at Computest, who did an amazing job of finding
the flaws and creating an excellent set of tests to reproduce them for us.

Thanks, and let us know if you run into any problems with the above release candidates!

James Cammarata

Ansible Lead/Sr. Principal Software Engineer
Ansible by Red Hat
twitter: @thejimic, github: jimi-c

Bernhard L.

Jan 10, 2017, 12:20:52 PM
to Ansible Development, ansible...@googlegroups.com
Hi, 

there is a new bug with service restart and refresh on Solaris 10.
I added a comment in https://github.com/ansible/ansible-modules-core/issues/5296 where the bug was introduced (with a fix for Solaris 11).

Regards,
Bernhard

Brian Coca

Jan 10, 2017, 12:34:30 PM
to Bernhard L., Ansible Development, ansible...@googlegroups.com
Please don't comment on closed issues as we don't see those normally.


----------
Brian Coca

Bernhard L.

Jan 11, 2017, 10:19:16 AM
to Ansible Development, lib...@gmail.com, ansible...@googlegroups.com

Brian Coca

Jan 12, 2017, 12:18:29 AM
to Bryan Pfremmer, Ansible Development, ansible...@googlegroups.com
Most older versions should be vulnerable; we recommend upgrading to 2.1 or 2.2 once we release the fix.


----------
Brian Coca