| Summary: | <app-admin/ansible-1.9.2: multiple vulnerabilities (CVE-2015-3908) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | jlec, pinkbyte |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1243468 | ||
| Whiteboard: | B3 [noglsa/cve] | ||
| Package list: | Runtime testing required: | --- | |
Arches, please test and mark stable =app-admin/ansible-1.9.2 Target keywords: amd64 x86 amd64/x86 stable GLSA vote: no GLSA vote: no. Maintainer(s), please drop the vulnerable version(s). Cleanup is done |
From ${URL} : Ansible versions before 1.9.2 are vulnerable to a symlink attack that enables a malicious zone/chroot/jail managed by ansible to escape into the managing host. Upstream commits that fix this issue: https://github.com/ansible/ansible/commit/548a7288a90c49e9b50ccf197da307eae525b899 https://github.com/ansible/ansible/commit/270be6a6f5852c5563976f060c80eff64decc89c https://github.com/ansible/ansible/commit/952166f48eb0f5797b75b160fd156bbe1e8fc647 https://github.com/ansible/ansible/commit/0777d025051bf5cf3092aa79a9e6b67cec7064dd https://github.com/ansible/ansible/commit/ca2f2c4ebd7b5e097eab0a710f79c1f63badf95b CVE request: http://seclists.org/oss-sec/2015/q3/105 External References: https://github.com/ansible/ansible @maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.