Upstream's changelog from April 18 shows security issues fixed in 1.5.4 and 1.5.5:
https://github.com/ansible/ansible/blob/release1.5.5/CHANGELOG.md
Fedora has issued an advisory on April 20:
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/132215.html
There aren't any details, so it's not entirely clear if 1.4.x is affected, but if so, Mageia 4 would also be affected.
Whiteboard: (none) => MGA4TOO
I have uploaded into cooker ansible 1.5.5
Version: Cauldron => 4
Whiteboard: MGA4TOO => (none)
Just in case, it seems that it is this patch for "Security fix for safe_eval":
https://github.com/ansible/ansible/commit/998793fd0ab55705d57527a38cee5e83f535974c
and for "Security fix for vault":
https://github.com/ansible/ansible/commit/a0e027fe362fbc209dbeff2f72d6e95f39885c69
and for apt:
https://github.com/ansible/ansible/commit/c4b5e46054c74176b2446c82d4df1a2610eddc08
CC: (none) => makowski.mageia
Thanks Philippe, that was helpful. The vault code is not present in 1.4.3, so that's not relevant here. The other two parts are present. The safe_eval patch applies cleanly, and the apt_repository patch applies with minimal modifications. I don't know if we actually need the apt_repository patch since we don't use apt, but I'm not sure exactly how this software is used. I've added both patches.
Advisory:
========================
Ansible has been patched with minor security fixes to safe_eval and apt_repository that were fixed upstream in version 1.5.5.
References:
https://github.com/ansible/ansible/blob/release1.5.5/CHANGELOG.md
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/132215.html
========================
Updated packages in core/updates_testing:
========================
ansible-1.4.3-1.1.mga4
from ansible-1.4.3-1.1.mga4.src.rpm
CC: (none) => bruno
Assignee: bruno => qa-bugs
Tested OK under Mga4 64 (generic test only).
Only a simple test with a distant box where you have ssh access and your ssh-key set up:
create a file, for example /tmp/hosts, with the IP address of the distant box:
$ cat /tmp/hosts
192.168.0.51
$ ansible -i /tmp/hosts all -m ping
192.168.0.51 | success >> {
    "changed": false,
    "ping": "pong"
}
$
Whiteboard: (none) => has_procedure MGA4-64-OK
Testing complete mga4 32.
Thanks for the procedure, Philippe.
Whiteboard: has_procedure MGA4-64-OK => has_procedure mga4-32-ok MGA4-64-OK
Validating. Advisory uploaded.
Could sysadmin please push to 4 updates?
Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-32-ok MGA4-64-OK => has_procedure advisory mga4-32-ok MGA4-64-OK
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0269.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
FYI, Michael Scherer requested CVEs for this: http://openwall.com/lists/oss-security/2014/06/23/10
The safe_eval issue was assigned CVE-2014-4657. The apt_repository issues were assigned CVE-2014-4659 and CVE-2014-4660. CVE-2014-4658 was assigned for the vault issue only in 1.5.x. Details are here:
http://openwall.com/lists/oss-security/2014/06/26/19
Updated advisory below.
Advisory:
========================
Ansible has been patched with minor security fixes to safe_eval (CVE-2014-4657) and apt_repository (CVE-2014-4659, CVE-2014-4660) that were fixed upstream in version 1.5.5.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4657
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4659
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4660
https://github.com/ansible/ansible/blob/release1.5.5/CHANGELOG.md
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/132215.html
Summary: ansible new security issues fixed upstream in 1.5.5 => ansible new security issues fixed upstream in 1.5.5 (CVE-2014-465[789], CVE-2014-4660)