Ansible 1.6.4 update - security release

Hi everyone,

Today we have updated Ansible to fix a security problem where specifically constructed untrusted data can cause the Ansible tool to execute unwanted inputs on the control machine.

This update is available in PyPI now, as well as on releases.ansible.com in tarball form.

All users are encouraged to update.

–Michael

Credit for this find goes to Florian Weimer of Red Hat - thank you Florian!

As a reminder, Ansible practices responsible disclosure - if you ever find an issue or think you have found one, please email us at security@ansible.com and we will reply to you as soon as possible.

For security releases, can y’all please include a bit more detail on the vulnerability? I’d assume y’all found an issue in safe_eval (since that’s the only thing that changed), but no description of the input used was covered - so it’s hard to evaluate if the fix was enough.

I realize it’s a fine line, but it’s always been a bit hard to make informed decisions on prioritizing updates when folks are told “there was a vuln, upgrade”.

Cheers-
~brian

Hi Brian,

This is absolutely template related - apologies on this not being clear.

That all being said, we’re not really wishing to provide information that allows people to exploit a vulnerability prior to people having time to patch it, so we’re not going to publish the example of how to trigger this – so I hope that info helps.