Today we have released Ansible 1.5.4, which contains a security fix unrelated to previous updates. This fix increases the security of certain strings evaluated by Ansible, which could possibly be forced in some scenarios to be evaluated by an attacker. Previously these strings were subject to a "safe_eval" function in Ansible; this fix further hardens the checking of the evaluation function.
Additionally, we have reduced the precedence of registered variables and facts such that inventory variables will have a higher precedence than facts. This is to trust hosts less in case they might "lie" about module returns if they were compromised, so that they cannot overwrite any variables being set centrally in the playbook or inventory. This is not as critical an issue as the above, but we felt hardening this was also the right thing to do.

This release is now available through pip and releases.ansible.com, and will soon be available via distribution mirrors.

If you have not yet updated Ansible to a 1.5.4 version, and are running against untrusted content or servers, you are recommended to wait and upgrade Ansible on your control machine before running against that content or those servers.

Ansible practices responsible disclosure. Please submit reports of security issues to [email protected]

Download link: http://releases.ansible.com/ansible
