Ansible 1.5.4 Security Update

Today we have released Ansible 1.5.4, which contains a security fix unrelated to previous updates. This fix increases the security of certain strings evaluated by Ansible, which in some scenarios an attacker could possibly force to be evaluated. Previously these strings were checked by a “safe_eval” function in Ansible; this fix further hardens the checks performed by that evaluation function.
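As an added illustration of what an allow-list style `safe_eval` looks like (this is example code written for this post, not Ansible's own implementation), the evaluator below parses the string into an AST and refuses any node type outside a fixed set of literal and boolean forms, so attribute access, calls and names never reach `eval`. The fallback of returning an unparseable string unchanged is an assumption made for this example.

```python
import ast

# Node types the evaluator accepts: literals, containers, boolean logic and
# comparisons. Attribute, Call, Name, Subscript and Pow are deliberately
# absent, so an expression can only describe data, never reach objects,
# functions or exponentially large values.
SAFE_NODES = {
    ast.Expression, ast.Constant, ast.List, ast.Tuple, ast.Dict, ast.Set,
    ast.Load, ast.UnaryOp, ast.USub, ast.UAdd, ast.Not,
    ast.BoolOp, ast.And, ast.Or, ast.BinOp, ast.Add, ast.Sub, ast.Mult,
    ast.Compare, ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
    ast.In, ast.NotIn,
}


class UnsafeExpression(ValueError):
    """Raised when an expression contains a node outside SAFE_NODES."""


def safe_eval(expr):
    """Evaluate expr only if every node of its AST is on the allow-list."""
    if not isinstance(expr, str):
        return expr  # already a real value, nothing to evaluate
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError:
        # Assumption for this example: text that is not a Python
        # expression is treated as a plain string and returned unchanged.
        return expr
    for node in ast.walk(tree):
        if type(node) not in SAFE_NODES:
            raise UnsafeExpression(
                f"disallowed node {type(node).__name__} in {expr!r}")
    # Only whitelisted nodes remain; evaluate with an empty builtins table
    # as defence in depth.
    return eval(compile(tree, "<safe_eval>", "eval"),
                {"__builtins__": {}}, {})


def is_safe(expr):
    """True if safe_eval accepts expr, False if it rejects it."""
    try:
        safe_eval(expr)
        return True
    except UnsafeExpression:
        return False


if __name__ == "__main__":
    print(safe_eval("[1, 'two', {'three': 3}]"))      # a literal is accepted
    print(is_safe("__import__('os').getcwd()"))        # a call is rejected
```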

Additionally, we have reduced the precedence of registered variables and facts, so that inventory variables now have a higher precedence than facts. The aim is to trust hosts less: if a compromised host were to “lie” about module returns, it could not overwrite variables set centrally in the playbook or inventory. This is not as critical an issue as the above, but we felt hardening this was also the right thing to do.

This release is now available through pip and releases.ansible.com, and will soon be available via distribution mirrors. If you have not yet updated to Ansible 1.5.4 and are running against untrusted content or servers, we recommend that you upgrade Ansible on your control machine before running against that content or those servers.

Ansible practices responsible disclosure. Please submit reports of security issues to security@ansible.com.

Download link:

http://releases.ansible.com/ansible

BTW,

Credit for this find should go to Alan Fairless of SpiderOak.com. Alan was remarkably helpful in isolating and testing. We have some fans of their cloud backup features.

–Michael