The Ansible project is currently posting release candidates for the 2.1.4 and 2.2.1 releases. They fix an important security bug: "CVE-2016-9587 is rated as HIGH in risk, as a compromised remote system being managed via Ansible can lead to commands being run on the Ansible controller (as the user running the ansible or ansible-playbook command)." Until this release is made, it would make sense to be especially careful about running Ansible against systems that might have been compromised.
Ansible has released new versions that fix the vulnerabilities described in this advisory: version 2.1.4 for the 2.1 branch and 2.2.1 for the 2.2 branch.
I don't know yet if mga5 is also affected.
URL: (none) => https://lwn.net/Articles/711357/
Assignee: bugsquad => bruno
QA Contact: (none) => security
Upstream commits to fix this:
https://github.com/ansible/ansible/commit/ec84ff6de6eca9224bf3f22b752bb8da806611ed (v2.2.1.0-0.3.rc3)
https://github.com/ansible/ansible/commit/eb8c26c105e8457b86324b64a13fac37d8862d47 (v2.2.1.0-0.4.rc4)
https://github.com/ansible/ansible/commit/cc4634a5e73c06c6b4581f11171289ca9228391e (v2.2.1.0-0.4.rc4)
cf. Debian: https://security-tracker.debian.org/tracker/CVE-2016-9587
Component: RPM Packages => Security
I updated cauldron with ansible 2.2.1.0. Let me know what you think for mga5: should I backport it there? (For me it's working, but it may create compatibility issues wrt 1.9.6 we have now.)
Status: NEW => ASSIGNED
Does not seem valid on mga5. Please reopen if I am wrong.
CC: (none) => mageia
CVE: (none) => CVE-2016-9587
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED