Hello everyone,
As the last release indicated, we updated Ansible to 1.6.4 to include a security fix, as we said, “where specifically constructed untrusted data can cause the Ansible tool to execute unwanted inputs on the control machine”.
As the phrase goes, with enough eyes, all bugs are shallow. As such, our fix was incomplete, though it does require some cleverness to find the gap, and in fact, we identified some errors in some core Python documentation along the way. Thanks to Brian Harring for this find. We’re going to refrain from posting the specifics so folks can update.
We have subsequently updated Ansible to 1.6.5, which further locks down this same problem. Users should update to this version instead of 1.6.4.
Again, if there are any security concerns about any subject, please disclose them privately to security@ansible.com and we’ll respond promptly.
Thank you all!