Hi Brian,

This is absolutely template related - apologies on this not being clear.

That all being said, we're not really wishing to provide information that allows people to exploit a vulnerability prior to people having time to patch it, so we're not going to publish the example of how to trigger this -- so I hope that info helps.

On Wed, Jun 25, 2014 at 5:13 PM, Brian Harring <[email protected]> wrote:

> For security releases, can y'all please include a bit more detail on the
> vulnerability? I'd assume y'all found an issue in safe_eval (since that's
> the only thing that changed), but no description of the input used was
> covered- so it's hard to evaluate if the fix was enough.
>
> I realize it's a fine line, but it's always been a bit hard to make
> informed decisions on prioritizing updates when folks are told "there was a
> vuln, upgrade".
>
> Cheers-
> ~brian
>
> On Wed, Jun 25, 2014 at 3:55 PM, Michael DeHaan <[email protected]>
> wrote:
>
>> Credit for this find goes to Florian Weimer of Red Hat - thank you
>> Florian!
>>
>> As a reminder, Ansible practices responsible disclosure - if you ever
>> find an issue or think you have found one, please email us at
>> [email protected] and we will reply to you as soon as possible.
>>
>> On Wed, Jun 25, 2014 at 3:47 PM, Michael DeHaan <[email protected]>
>> wrote:
>>
>>> Hi everyone,
>>>
>>> Today we have updated Ansible to fix a security problem where
>>> specifically constructed untrusted data can cause the Ansible tool to
>>> execute unwanted inputs on the control machine.
>>>
>>> This update is available in PyPi now, as well as on releases.ansible.com
>>> in tarball form.
>>>
>>> All users are encouraged to update.
>>>
>>> --Michael

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CA%2BnsWgydnvhFH%2BbMKQ6xyCcxr7A6rimQYJzpy3Tjz8iQyWFvBg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
