IMPORTANT - Updated RCs for Security Bug CVE-2016-9587


James Cammarata

Jan 11, 2017, 5:36:22 PM
to ansible...@googlegroups.com, ansibl...@googlegroups.com
Hi all,

We've just released the following release candidates to address a few more corner cases found after the release of the previous RCs for CVE-2016-9587:

2.1.4 RC2
2.2.1 RC4

Thanks again to Computest for double-checking our fixes and pointing out a couple of places we had missed.

We are still looking to get the final releases out by the end of the week, so please be sure to test these RCs for any breaks in your playbooks.

Thanks!

James Cammarata

Ansible Lead/Sr. Principal Software Engineer
Ansible by Red Hat
twitter: @thejimic, github: jimi-c

ro...@pandastrike.com

Jan 12, 2017, 3:38:34 PM
to Ansible Project, ansibl...@googlegroups.com
Thanks James and Ansible team.

I presume that this affects Ansible 2.0 and 1.9, but the CVE text is a little ambiguous: (Affected versions: < 2.1.4, < 2.2.1).
Can you or someone from Ansible confirm? If 1.9 is affected, will the fix be back-ported?

Thank you,
Robb

ro...@pandastrike.com

Jan 12, 2017, 3:43:49 PM
to Ansible Project, ansibl...@googlegroups.com
According to the Gentoo bug (https://bugs.gentoo.org/show_bug.cgi?id=605342#c4) 1.9.4 is affected.

ja...@blendlabs.com

Jan 12, 2017, 4:30:52 PM
to Ansible Project, ansibl...@googlegroups.com
Just to be clear, this affects both ansible-pull and ansible-push, right? When the RCs are ready, will it be posted in Announcements and be available via PyPI?

Brian Coca

Jan 12, 2017, 4:39:06 PM
to ansible...@googlegroups.com, Ansible Development
Once ready, we will push to all the normal channels we control (including PyPI); until then you can try out the RC at http://releases.ansible.com/ansible/ansible-2.2.1.0-0.4.rc4.tar.gz


----------
Brian Coca