We are releasing Ansible version v1.2.3 to address two CVEs that have been reported regarding the core Ansible package. Both of these involve potential local exploits on systems where access to the Ansible control machine is being shared between multiple users. These require updating Ansible on control machines and do not require any changes on managed (controlled) machines.
The first could allow a malicious local user to place a symlink at a predictable location so that Ansible connects to a different remote system than expected when using ControlPersist. If that target system were itself compromised, and you are not verifying SSH host keys and are also using SSH passwords (rather than keys) for authentication, this exploit could result in obtaining a user’s password information. It could also result in the target system receiving sensitive configuration data it was not supposed to receive. This does not affect kernels that have fs.protected_symlinks=1 and fs.protected_hardlinks=1 set in sysctl, nor systems that are using SELinux with strict/MLS policies. Enterprise Linux 5/6 do not support these sysctl options; however, the default connection type on these platforms is actually paramiko (because ControlPersist is not yet available on them), so this would only be a problem if the “ssh” connection is explicitly selected on the command line with “-c ssh” or configured in the configuration file (or environment). Fedora 19, for instance, has these protections on by default, and Ubuntu has been shipping with them enabled for some time as well.
The second allows a local user to exploit the predictable location of the retry file that a failed playbook writes to /var/tmp, using a link to clobber a file on the local filesystem.
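Both issues share one root cause: a file (the ControlPersist socket, the retry file) is created at a predictable name inside a world-writable directory, where another local user can pre-plant a link. The following is an added example of the defensive pattern that avoids this bug class; it is not Ansible's own code and the function names (private_state_dir, create_exclusive, kernel_symlink_protection) are this example's own. It keeps per-user state in an owner-only directory, creates files with O_CREAT|O_EXCL|O_NOFOLLOW so a pre-existing entry makes the open fail instead of being followed, and reports whether the kernel's fs.protected_symlinks knob mentioned above is on. The scenario in demo() is constructed (a temporary directory with a planted symlink), not taken from the advisory.

```python
"""Hardened state-file creation: added example, not Ansible's own code."""
import os
import stat
import tempfile
from typing import Optional


def parse_protected_symlinks(text: str) -> bool:
    """Interpret the contents of /proc/sys/fs/protected_symlinks ("1" = on)."""
    return text.strip() == "1"


def kernel_symlink_protection(proc_sys: str = "/proc/sys") -> Optional[bool]:
    """True if fs.protected_symlinks=1, False if 0, None when the kernel does
    not expose the knob at all (as on Enterprise Linux 5/6)."""
    path = os.path.join(proc_sys, "fs", "protected_symlinks")
    try:
        with open(path) as fh:
            return parse_protected_symlinks(fh.read())
    except OSError:
        return None


def private_state_dir(base: str, name: str) -> str:
    """Create (or validate) a per-user directory under ``base`` that we own,
    that is a real directory rather than a planted symlink, and that no other
    user can read or write.  Name is hypothetical: "<name>-<uid>"."""
    path = os.path.join(base, "%s-%d" % (name, os.getuid()))
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass
    st = os.lstat(path)  # lstat so a symlink is seen as a symlink, not followed
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError("%s is not a directory (link planted?)" % path)
    if st.st_uid != os.getuid():
        raise RuntimeError("%s is owned by uid %d, not us" % (path, st.st_uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise RuntimeError("%s is group/world accessible" % path)
    return path


def create_exclusive(path: str, data: bytes) -> bool:
    """Write ``data`` to a brand-new file at ``path``.  Returns False and writes
    nothing if anything already exists there, including a symlink: O_EXCL
    refuses an existing entry and O_NOFOLLOW refuses to follow a link."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return True


def demo() -> dict:
    """Constructed scenario: a shared directory in which the predictable name
    "playbook.retry" has already been pointed at a victim file by a symlink."""
    shared = tempfile.mkdtemp()
    victim = os.path.join(shared, "victim.txt")
    with open(victim, "wb") as fh:
        fh.write(b"original")
    planted = os.path.join(shared, "playbook.retry")
    os.symlink(victim, planted)

    # Naive create at the predictable path is refused rather than following the link.
    clobbered = create_exclusive(planted, b"retry hosts")
    with open(victim, "rb") as fh:
        victim_intact = fh.read() == b"original"

    # The safe pattern: an owner-only directory plus an exclusive create inside it.
    priv = private_state_dir(shared, "ansible")
    written = create_exclusive(os.path.join(priv, "playbook.retry"), b"retry hosts")
    return {"clobbered": clobbered, "victim_intact": victim_intact, "written": written}


if __name__ == "__main__":
    print("kernel fs.protected_symlinks:", kernel_symlink_protection())
    print(demo())
```

Run it on a control machine to see both halves: the kernel check prints None on a kernel without the sysctl (where the per-user directory and exclusive create are the only protection), and demo() shows the planted link being refused while the same write succeeds in the private directory.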
Both of these CVEs affect all Ansible versions prior to 1.2.3, so users of those versions are advised to upgrade to 1.2.3 immediately or, if running the development branch from a git checkout, to rebase (or check out anew) from GitHub to get the latest commits. New packages should be available soon from the package maintainers, as well as via PyPI.
The CVEs are as follows:
CVE-2013-4259: Ansible uses a socket with predictable filename in /tmp
CVE-2013-4260: Predictable filename used for failed results in world writable directory
Please let us know if you have any questions regarding this release.
Thanks!