| Field | Value |
|---|---|
| Summary | <app-admin/ansible-1.6.8: input sanitization errors - possible arbitrary code execution (CVE-2014-{4966,4967}) |
| Product | Gentoo Security |
| Reporter | Kristian Fiskerstrand (RETIRED) <k_f> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | hydrapolic, jlec, pinkbyte |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://seclists.org/oss-sec/2014/q3/208 |
| Whiteboard | B2 [glsa] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | 517870 |
| Bug Blocks | 516564 |
Description
Kristian Fiskerstrand (RETIRED)
2014-07-22 10:21:04 UTC
Tested 1.6.7, works okay on amd64 (same ebuild as 1.6.1).

```
+*ansible-1.6.7 (23 Jul 2014)
+
+  23 Jul 2014; Justin Lecher <jlec@gentoo.org> -ansible-1.6.1.ebuild,
+  +ansible-1.6.7.ebuild, +files/README.gentoo:
+  Version Bump
+
```

@arches, please stable, testsuite is fine.

ansible 1.6.8 is released, fixing a regression with "shell quoting introduced in the 1.6.7 security release. The same fix was merged into devel earlier in the day, so users experiencing issues with the command/shell modules should upgrade to resolve the issue." (https://groups.google.com/forum/#!topic/ansible-announce/NqGgSCEhJq0)

As I'm not using ansible I don't know how common this configuration is, but caveat emptor.

```
+*ansible-1.6.8 (23 Jul 2014)
+
+  23 Jul 2014; Justin Lecher <jlec@gentoo.org> -ansible-1.6.7.ebuild,
+  +ansible-1.6.8.ebuild:
+  Version BUmp
+
```

@arch teams, target is version 1.6.8.

We had this in our playbook:

```
shell: find {{dir}} -type d -not -perm 2775 -exec chmod 2775 {} \;
```

This stopped working in 1.6.7 because of that bug; we tested on 1.6.8 and it works like before.

Thanks for the bump.

Arches, please test and mark stable:

=app-admin/ansible-1.6.8

Target Keywords: "amd64 x86"

Thank you!

amd64/x86 stable.

Old vulnerable version has been dropped.

GLSA request filed.

Thanks, guys.

This issue was resolved and addressed in GLSA 201411-09 at http://security.gentoo.org/glsa/glsa-201411-09.xml by GLSA coordinator Sean Amoss (ackle).
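Review bot: the 1.6.8 ChangeLog entry is under-documented: `+  Version BUmp` says nothing about why this bump matters, although this bug records that 1.6.8 exists to fix the shell-quoting regression introduced by the 1.6.7 security release for CVE-2014-4966/4967. Suggest a message along the lines of `Version bump, fixes shell quoting regression from the 1.6.7 security release (CVE-2014-4966, CVE-2014-4967)` with a reference to this bug, and correct the `BUmp` capitalization while at it.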