Fedora has issued an advisory on April 25: https://lists.fedoraproject.org/pipermail/package-announce/2016-April/183132.html The issue is fixed upstream in 1.9.6. It is also fixed in 2.0.2 (already in Cauldron).
Fedora has issued an advisory on April 25: https://lists.fedoraproject.org/pipermail/package-announce/2016-April/183132.html Test procedure : https://bugs.mageia.org/show_bug.cgi?id=16309#c9 Updated packages uploaded for Mageia 5 Advisory: ======================== Updated subversion packages fix security vulnerabilities: A vulnerability in lxc_container, ansible module, was found allowing to get root inside the container. The problem is in the create_script function, which tries to write to /opt/.lxc-attach-script inside of the container. If the attacker can write to /opt/.lxc-attach-script before that, he can overwrite arbitrary files or execute commands as root (CVE-2016-3096) References: - https://lists.fedoraproject.org/pipermail/package-announce/2016-April/183132.html - http://lwn.net/Vulnerabilities/685137/ - https://github.com/ansible/ansible/blob/stable-1.9/CHANGELOG.md Updated packages in core/updates_testing: ======================== ansible-1.9.6-1.mga5.noarch.rpm from ansible-1.9.6-1.mga5.src.rpm
CC: (none) => makowski.mageiaAssignee: bruno => bugsquadWhiteboard: (none) => has_procedure
Thanks! A few minor advisory fixes. Advisory: ======================== Updated ansible package fixes security vulnerability: A vulnerability in lxc_container, ansible module, was found allowing to get root inside the container. The problem is in the create_script function, which tries to write to /opt/.lxc-attach-script inside of the container. If the attacker can write to /opt/.lxc-attach-script before that, he can overwrite arbitrary files or execute commands as root (CVE-2016-3096). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3096 https://github.com/ansible/ansible/blob/stable-1.9/CHANGELOG.md https://lists.fedoraproject.org/pipermail/package-announce/2016-April/183132.html
There doesn't seem to be a real reason why this bug wasn't assigned to QA.... the updated package is waiting in updates_testing since last (CEST) evening ftp://mageia.webconquest.com/distrib/5/i586/media/core/updates_testing/ansible-1.9.6-1.mga5.noarch.rpm and this bug contains an Advisory. Assigning to QA
CC: (none) => marja11Assignee: bugsquad => qa-bugs
MGA-32 on AcerD620 Xfce No installation issues. Followed procedure as indicated in Comment 1 and got at the CLI: $ ansible -i tmp/hosts all -m ping xxx.xxx.xxx.xxx | success >> { "changed": false, "ping": "pong" }
CC: (none) => herman.viaeneWhiteboard: has_procedure => has_procedure MGA5-32-OK
Validating.
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: has_procedure MGA5-32-OK => has_procedure advisory MGA5-32-OK
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0163.html
Status: NEW => RESOLVEDResolution: (none) => FIXED