Hi all,
We’ve cut a release of Ansible entitled 1.5.5 containing two minor security updates.
These are as follows:
(1) As previously mentioned in https://groups.google.com/forum/#!topic/ansible-announce/j1qfi5gAX3o, the apt_repository module will now better write filenames if a password happened to be in a user-submitted apt repository URL, and also creates files with better permissions (non-world-readable), in case that data may have a password in it. As mentioned in the above ticket, the original use of the module didn’t anticipate password-protected apt repos, but should have.
(2) As not previously mentioned, there is also an update to the way tempfiles are handled when using ansible-vault. Previously the temp files created in /tmp were not being created with an appropriate umask, such that if multiple users were logged in to the same system, it would be possible for someone to read the data of a file while it was being edited (but only while it was being edited, as these files are removed when the editor session expires). This has no bearing on non-multiuser systems, but is otherwise important. If you have multiple users on your system where you run ansible, and you use vault, you should update. Thank you to Stephen Dosset for this report.
As a reminder, Ansible practices responsible disclosure, so if you would like to submit a security vulnerability, you may email us at security@ansible.com – all emails will receive a prompt response.
This 1.5.5 update is now available on releases.ansible.com as well as PyPI. As this is a security-related update, as is our standard, no other fixes are included.
The development branch also now contains these fixes, so if using the devel branch you can issue a “git update” to get them.
(On an unrelated note, I’ve had a few questions about when 1.6 is due - we’re currently shooting for this to come out at the end of the month. This will include ~35 new modules plus lots of new parameters for existing modules, in addition to numerous fixes/improvements)
Thanks!
–Michael
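
The file-permission issue behind both items above, as an added example that is not part of the original announcement and is not Ansible's own code: a file written with a plain `open()` inherits the process umask, while `tempfile.mkstemp()` always creates it with mode 0600. The function names and sample contents are hypothetical, and a POSIX system is assumed.

```python
import os
import shutil
import stat
import tempfile


def write_insecure(directory, name, data):
    """'Before' pattern: open() requests 0666, narrowed only by the umask."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(data)
    return path


def write_private(directory, data):
    """Hardened pattern: mkstemp uses O_EXCL and mode 0600, whatever the umask."""
    fd, path = tempfile.mkstemp(dir=directory, prefix="secret-")
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def readable_by_others(path):
    """True if group or other holds read permission on the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def demo():
    """Write the same constructed secret both ways under a 022 umask."""
    old_umask = os.umask(0o022)   # common default on multi-user hosts
    workdir = tempfile.mkdtemp()  # scratch directory standing in for /tmp
    try:
        loose = write_insecure(workdir, "vault-edit.tmp", "constructed secret\n")
        tight = write_private(workdir, "constructed secret\n")
        return {
            "insecure_mode": stat.S_IMODE(os.stat(loose).st_mode),
            "insecure_exposed": readable_by_others(loose),
            "private_mode": stat.S_IMODE(os.stat(tight).st_mode),
            "private_exposed": readable_by_others(tight),
        }
    finally:
        os.umask(old_umask)       # restore the caller's umask
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, oct(value) if key.endswith("_mode") else value)
```

`readable_by_others()` can also be pointed at existing files, such as those under `/etc/apt/sources.list.d/`, to check whether anything holding a credential is group- or world-readable.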