Ansible 1.6.4 update - security release


Michael DeHaan

Jun 25, 2014, 3:47:48 PM
to ansible-...@googlegroups.com, ansible...@googlegroups.com
Hi everyone,

Today we have updated Ansible to fix a security problem where specifically constructed untrusted data can cause the Ansible tool to execute unwanted inputs on the control machine.

This update is available in PyPI now, as well as on releases.ansible.com in tarball form.

All users are encouraged to update.

--Michael

Michael DeHaan

Jun 25, 2014, 3:55:19 PM
to ansible-...@googlegroups.com, ansible...@googlegroups.com
Credit for this find goes to Florian Weimer of Red Hat - thank you Florian!

As a reminder, Ansible practices responsible disclosure - if you ever find an issue or think you have found one, please email us at secu...@ansible.com and we will reply to you as soon as possible.


Brian Harring

Jun 25, 2014, 5:14:01 PM
to ansible...@googlegroups.com
For security releases, can y'all please include a bit more detail on the vulnerability? I'd assume y'all found an issue in safe_eval (since that's the only thing that changed), but no description of the input used was covered, so it's hard to evaluate if the fix was enough.

I realize it's a fine line, but it's always been a bit hard to make informed decisions on prioritizing updates when folks are told "there was a vuln, upgrade".

Cheers-
~brian



Michael DeHaan

Jun 25, 2014, 5:16:30 PM
to ansible...@googlegroups.com
Hi Brian,

This is absolutely template related - apologies on this not being clear.

That all being said, we're not really wishing to provide information that allows people to exploit a vulnerability prior to people having time to patch it, so we're not going to publish the example of how to trigger this -- so I hope that info helps.
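Brian's question above is really about how to judge whether a safe_eval-style guard is sufficient when the input comes from untrusted template data. The following is an added illustration, not Ansible's own safe_eval and not code from this thread: it shows the defensive design a reviewer would want to see, a parser that accepts only an explicit whitelist of AST node types (literals, containers, simple arithmetic) and evaluates them itself, so there is no code path in which a name lookup, attribute access or call from untrusted text is ever executed on the control machine. The sample inputs at the bottom are constructed for the demonstration.

```python
import ast
import operator

# Added example (not Ansible's safe_eval): evaluate untrusted "data-like" strings
# by walking a whitelisted subset of the Python AST instead of calling eval().


class UnsafeExpression(ValueError):
    """Raised when the input contains anything outside the data-only subset."""


# Arithmetic operators we are willing to evaluate. Anything not listed here
# (including Pow, which can be abused for resource exhaustion) is rejected.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Mod: operator.mod,
}


def _eval_node(node):
    """Recursively evaluate a node, rejecting every node type not explicitly allowed."""
    if isinstance(node, ast.Expression):
        return _eval_node(node.body)
    if isinstance(node, ast.Constant):
        # str, int, float, bool, None and bytes literals are plain data.
        return node.value
    if isinstance(node, ast.List):
        return [_eval_node(e) for e in node.elts]
    if isinstance(node, ast.Tuple):
        return tuple(_eval_node(e) for e in node.elts)
    if isinstance(node, ast.Dict):
        return {_eval_node(k): _eval_node(v) for k, v in zip(node.keys, node.values)}
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_eval_node(node.operand)
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    # Name, Attribute, Call, Subscript, comprehensions, lambdas... all land here.
    raise UnsafeExpression(f"disallowed node type: {type(node).__name__}")


def safe_eval(source: str, max_len: int = 4096):
    """Evaluate an untrusted string as data only; raise UnsafeExpression otherwise."""
    if len(source) > max_len:
        raise UnsafeExpression("expression too long")
    try:
        tree = ast.parse(source, mode="eval")
    except (SyntaxError, ValueError) as exc:
        raise UnsafeExpression(f"not a valid expression: {exc}") from exc
    return _eval_node(tree)


def is_safe(source: str) -> bool:
    """Convenience predicate: True if safe_eval would accept the string."""
    try:
        safe_eval(source)
        return True
    except UnsafeExpression:
        return False


# Constructed sample inputs: plain data that a template might legitimately
# carry, alongside strings that reach for names, attributes or calls.
SAMPLE_INPUTS = [
    "[1, 2, {'port': 22}]",      # accepted: nested containers of literals
    "-4 + 2 * 3",                # accepted: simple arithmetic on literals
    "hostname",                  # rejected: bare name lookup
    "'x'.upper()",               # rejected: attribute access and call
    "len([1, 2, 3])",            # rejected: call to a builtin
]


def triage(inputs=SAMPLE_INPUTS):
    """Return {input: accepted?} so a reviewer can see what the guard lets through."""
    return {src: is_safe(src) for src in inputs}


if __name__ == "__main__":
    for src, ok in triage().items():
        print(f"{'ACCEPT' if ok else 'REJECT'}  {src}")
```

The design point is that the safe set is defined by what the evaluator knows how to handle, so any new Python syntax is rejected by default rather than needing to be added to a blacklist. That is the property Brian's question is probing for: whether a fix is "enough" is easy to answer when the accepted grammar is enumerable.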

