| IMPORTANT - New RCs for Security Bug CVE-2016-9587 | James Cammarata | 09/01/17 08:57 | Hi all, Today we are releasing two new release candidates to address CVE-2016-9587, which we are removing from embargo today: 2.1.4 RC1 2.2.1 RC3 CVE-2016-9587 is rated as HIGH in risk, as a compromised remote system being managed via Ansible can lead to commands being run on the Ansible controller (as the user running the ansible or ansible-playbook command). If you have the ability, please test the above release candidates so that we can get the final releases out as quickly as possible. Finally, thanks to the security team at Computest, who did an amazing job of finding the flaws and creating an excellent set of tests to reproduce them for us. Thanks, and let us know if you run into any problems with the above release candidates! James Cammarata Ansible Lead/Sr. Principal Software Engineer Ansible by Red Hat twitter: @thejimic, github: jimi-c |
| Re: IMPORTANT - New RCs for Security Bug CVE-2016-9587 | Bernhard L. | 10/01/17 09:20 | Hi, there is a new bug with service restart and refresh on Solaris 10. I added a comment in https://github.com/ansible/ansible-modules-core/issues/5296 where the bug was introduced (with a fix for Solaris 11). Regards, Bernhard |
| Re: [ansible-devel] Re: IMPORTANT - New RCs for Security Bug CVE-2016-9587 | Brian Coca | 10/01/17 09:34 | Please don't comment on closed issues as we don't see those normally. ---------- Brian Coca |
| Re: [ansible-devel] Re: IMPORTANT - New RCs for Security Bug CVE-2016-9587 | Bernhard L. | 11/01/17 07:19 | I'm sorry. Opened a new issue: https://github.com/ansible/ansible/issues/20102 |
| Re: [ansible-devel] Re: IMPORTANT - New RCs for Security Bug CVE-2016-9587 | Brian Coca | 11/01/17 21:18 | Most older versions should be vulnerable, we recommend upgrading to 2.1 or 2.2 once we release the fix. ---------- Brian Coca |