Bug 20115

Summary: ansible new security issue CVE-2016-9587
Product: Mageia Reporter: Philippe Makowski <makowski.mageia>
Component: Security Assignee: Bruno Cornec <bruno>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: mageia
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://lwn.net/Articles/711357/
Whiteboard:
Source RPM: CVE: CVE-2016-9587
Status comment:

Description Philippe Makowski 2017-01-13 14:22:07 CET
The Ansible project is currently posting release candidates for the 2.1.4 and 2.2.1 releases. They fix an important security bug: "CVE-2016-9587 is rated as HIGH in risk, as a compromised remote system being managed via Ansible can lead to commands being run on the Ansible controller (as the user running the ansible or ansible-playbook command)." Until this release is made, it would make sense to be especially careful about running Ansible against systems that might have been compromised. 

Ansible has released new versions that fix the vulnerabilities described in
this advisory: version 2.1.4 for the 2.1 branch and 2.2.1 for the 2.2 branch.

I don't know yet if mga5 is also affected.
Philippe Makowski 2017-01-13 14:23:55 CET

URL: (none) => https://lwn.net/Articles/711357/
Assignee: bugsquad => bruno
QA Contact: (none) => security

Jani Välimaa 2017-01-23 20:15:10 CET

Component: RPM Packages => Security

Comment 2 Bruno Cornec 2017-01-28 03:05:39 CET
I updated cauldron with ansible 2.2.1.0.

Let me know what you think for mga5: should I backport it there (for me it's working, but it may create compatibility issues wrt 1.9.6 we have now)?

Status: NEW => ASSIGNED

Comment 3 Nicolas Lécureuil 2017-04-22 22:45:54 CEST
Does not seem valid on mga5.

Please reopen if I am wrong.

CC: (none) => mageia
CVE: (none) => CVE-2016-9587

Comment 4 Nicolas Lécureuil 2017-04-22 22:46:18 CEST
Does not seem valid on mga5.

Please reopen if I am wrong.

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED