From ${URL} :

http://www.ansibleworks.com/

Problem: Default configuration does not cache SSH host keys, effectively disabling host key checking

Note - do not credit me for finding this, I'm just the only person indignant enough to request a CVE

A colleague found this bug, only to notice that it was logged by somebody else (antong on github), and rejected: https://github.com/ansible/ansible/issues/857

This can be fixed by calling ssh.load_system_host_keys() after line 78 of https://github.com/ansible/ansible/blob/496f06c3c90cfd89802622c640480328436746c6/lib/ansible/runner/connection_plugins/paramiko_ssh.py

While it is possible to call the SSH command instead of using paramiko, this isn't the default and the ramifications of not checking host keys aren't advertised to users.

A more reasonable approach would be to document how to un-cache a host key should it change.

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
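What a loaded host key cache changes, as an added example (not Ansible's or paramiko's code; the function names and the sample known_hosts data are constructed for illustration, and wildcard or negated host patterns are not handled). With no entries loaded, a changed key comes back as `unknown` instead of `mismatch`, so it cannot be told apart from a first connection.

```python
import base64
import hashlib
import hmac

# Constructed sample data: the key blobs are placeholders, not real host keys.
PINNED_KEY = base64.b64encode(b"constructed-key-A").decode()
OTHER_KEY = base64.b64encode(b"constructed-key-B").decode()

def hash_host(host, salt):
    """OpenSSH HashKnownHosts form: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(pattern, host):
    """Match one known_hosts host field (plain or hashed) against a hostname."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return pattern == host

def load_known_hosts(text):
    """Parse known_hosts text into (host_patterns, key_type, key_b64) entries."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue  # simplification: skip blanks, comments and @marker lines
        fields = line.split()
        if len(fields) >= 3:
            entries.append((fields[0].split(","), fields[1], fields[2]))
    return entries

def check_host_key(entries, host, key_type, key_b64):
    """Return 'match', 'mismatch' (key changed) or 'unknown' (nothing cached)."""
    verdict = "unknown"
    for patterns, ktype, kb64 in entries:
        if ktype == key_type and any(host_matches(p, host) for p in patterns):
            if kb64 == key_b64:
                return "match"
            verdict = "mismatch"
    return verdict

KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts",
    "db1.example.test,192.0.2.10 ssh-rsa " + PINNED_KEY,
    hash_host("web1.example.test", b"constructed-salt") + " ssh-rsa " + PINNED_KEY,
])
```

A connection wrapper should refuse on `mismatch` and treat `unknown` according to an explicit policy, not accept it silently.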
Upstream report [1] says that a 1.2.1 release fixing this is expected to be released tomorrow.

[1] https://groups.google.com/forum/#!msg/ansible-project/OuHJwG0LLTY/qp95qAq-PNUJ
*** Bug 476872 has been marked as a duplicate of this bug. ***
+ 16 Jul 2013; Sergey Popov <pinkbyte@gentoo.org> +ansible-1.2.1.ebuild, + ansible-9999.ebuild: + Version bump, wrt bug #475602. Remove examples USE-flag due to upstream + changes. Sync live ebuild Arches, please test and mark stable =app-admin/ansible-1.2.1 Target keywords: amd64 x86
amd64 stable
x86 stable
All done stabling. GLSA?
GLSA vote: no
GLSA vote: no. Closing noglsa.
Oops, wait a second. @maintainers: please remove affected ebuilds.
+ 24 Aug 2013; Sergey Popov <pinkbyte@gentoo.org> -ansible-1.0.ebuild, + -ansible-1.1.ebuild: + Drop vulnerable versions, wrt bug #475602