IMPORTANT - Updated RCs for Security Bug CVE-2016-9587

Hi all,

We’ve just released the following release candidates to address a few more corner cases found after the release of the previous RCs for CVE-2016-9587:

2.1.4 RC2
2.2.1 RC4

Thanks again to Computest for double-checking our fixes and pointing out a couple of places we had missed.

We are still looking to get the final releases out by the end of the week, so please be sure to test these RCs for any breaks in your playbooks.

Thanks!

Thanks, James and Ansible team.

I presume that this affects Ansible 2.0 and 1.9, but the CVE text is a little ambiguous: (Affected versions: < 2.1.4, < 2.2.1).
Can you or someone from Ansible confirm? If 1.9 is affected, will the fix be back-ported?

Thank you,
Robb

According to the Gentoo bug (https://bugs.gentoo.org/show_bug.cgi?id=605342#c4) 1.9.4 is affected.

Hi Robb,

These issues DO affect 2.0 and 1.9. Unfortunately we won’t be backporting fixes to those versions. Users will have to upgrade to one of the newer versions (2.1.x or 2.2.x). I apologize for this. 1.9.x in particular would have meant changing huge amounts of code to the point of really re-writing important parts of Ansible Core.

Jason McKerr
Director, Ansible Core Engineering
Ansible by Red Hat.
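The question above is really "is the ansible I have installed inside the affected range, and does the RC I am testing already carry the fix?" The following is an added example written for this page, not code from Ansible or from anyone in the thread. It parses the version spellings that appear in the thread ("1.9.4", "2.2.0.0", "2.1.4 RC2", "2.2.1.0-0.4.rc4") and applies the rule stated here: 1.9 and 2.0 are affected with no backport, 2.1.x is fixed from 2.1.4 (RC2 onward) and 2.2.x from 2.2.1 (RC4 onward), since the announcement says earlier RCs missed some corner cases. Two things are assumptions: that the first line of `ansible --version` output reads "ansible <version>", and that branches newer than 2.2 fall outside the advisory's "< 2.1.4, < 2.2.1" bounds and therefore count as unaffected.

```python
import re
from typing import Optional, Tuple

# Per the thread: 2.1.4 (RC2) and 2.2.1 (RC4) carry the complete fix, and
# earlier RCs of those two releases missed corner cases. Keyed by branch.
FIXED_BY_BRANCH = {
    (2, 1): ((2, 1, 4), 2),
    (2, 2): ((2, 2, 1), 4),
}

# Constructed sample of `ansible --version` output. The "ansible <version>"
# first-line layout is an assumption about the tool's output format.
SAMPLE_VERSION_OUTPUT = """ansible 2.2.0.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = Default w/o overrides
"""

_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)"                    # 2.1.4, 2.2.1.0, 1.9.4
    r"(?:[\s.\-]*(?:0\.\d+\.)?rc(?P<rc>\d+))?$",   # " RC2" or "-0.4.rc4"
    re.IGNORECASE,
)


def parse_version(text: str) -> Tuple[Tuple[int, int, int], Optional[int]]:
    """Return ((major, minor, patch), rc_number_or_None).

    Handles release strings and the two RC spellings used in the thread.
    Release components past the third (e.g. the trailing .0) are ignored.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in match.group("nums").split(".")]
    parts = (parts + [0, 0, 0])[:3]
    rc = match.group("rc")
    return (parts[0], parts[1], parts[2]), (int(rc) if rc is not None else None)


def is_affected(version: str) -> bool:
    """True if the given ansible version is exposed to CVE-2016-9587."""
    release, rc = parse_version(version)
    branch = release[:2]
    if branch in FIXED_BY_BRANCH:
        fixed_release, fixed_rc = FIXED_BY_BRANCH[branch]
        if release < fixed_release:
            return True
        if release > fixed_release:
            return False
        # Same release number as the fix: a final release is fixed; an RC is
        # fixed only from the announced RC onwards (earlier RCs missed cases).
        return rc is not None and rc < fixed_rc
    if branch < (2, 1):
        # 1.9 and 2.0: affected, and the thread says no backport is coming.
        return True
    # Assumption: branches newer than 2.2 lie outside "< 2.1.4, < 2.2.1".
    return False


def version_from_output(output: str) -> str:
    """Extract the version token from `ansible --version` output (assumed
    first-line format "ansible <version>")."""
    first_line = output.strip().splitlines()[0]
    tool, version = first_line.split()[:2]
    if tool != "ansible":
        raise ValueError(f"unexpected first line: {first_line!r}")
    return version


if __name__ == "__main__":
    installed = version_from_output(SAMPLE_VERSION_OUTPUT)
    print(installed, "affected" if is_affected(installed) else "fixed")
    for candidate in ("2.1.4 RC2", "2.2.1.0-0.4.rc4", "2.2.1.0-0.3.rc3"):
        print(candidate, "affected" if is_affected(candidate) else "fixed")
```

Running it against the sample output reports 2.2.0.0 as affected, the two announced RCs as fixed, and the earlier 2.2.1 RC3 as still affected, which is the distinction the announcement draws.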

Just to be clear, this affects both ansible-pull and ansible-push, right? When the RCs are ready, will it be posted in Announcements and be available via PyPI?

Once ready we will push to all the normal channels we control (including PyPI); until then you can try out the RC at http://releases.ansible.com/ansible/ansible-2.2.1.0-0.4.rc4.tar.gz

Ansible-pull would be affected, but since this requires the remote system to be compromised first, exploiting ansible-pull would change anything since it is running on the same system.