Hi all, we're aware of some issues regarding shell quoting in this security fix. We are working on a patch to correct this and will be releasing an update soon.
Thanks!

On Mon, Jul 21, 2014 at 11:53 AM, James Cammarata <[email protected]> wrote:
> Hi everyone,
>
> Today we are updating Ansible to 1.6.7 to upgrade security based on
> untrusted or hidden inputs.
>
> As you remember, we previously made some updates based on some
> security findings from two individuals. In this case, a variation from one
> of these same folks was shared later by ocert.org via Brian Ferring, and
> we want to close this off as well.
>
> Two CVEs are mentioned below.
>
> * Strip lookup calls out of inventory variables and clean unsafe data
>   returned from lookup plugins (CVE-2014-4966)
> * Make sure vars don't insert extra parameters into module args and
>   prevent duplicate params from superseding previous params (CVE-2014-4967)
>
> One exploit involves hiding Jinja2 on the local file system, so you would
> need to be able to check in code in a playbook repo or on the local disk in
> a location Ansible would be reading with something like "with_fileglob",
> and this would be able to hide commands in ways that were not readily
> apparent. This is not a remotely leverageable exploit.
>
> The other exploit involves untrusted data in a form where additional
> arguments are added to commands when things like facts are used in command
> inputs, or how they can be used to override commands. This can happen
> when a remote node is compromised and the value of a fact from that node is
> passed to a module. In most situations, this would only involve the remote
> node getting different instructions, but in other situations, if using
> local_action, this could result in some things being executed locally (or in
> the case of delegate_to, on a different node), which is of greater
> consequence. Use of this would require some knowledge of the playbook
> configuring the system.
>
> Users should update to 1.6.7, which is now available on
> releases.ansible.com as well as PyPI, and distributions should be
> updating shortly.
>
> We greatly appreciate all of the security review recently, and having
> Ansible be as rock solid as possible is a major priority, well in line
> with our focus on agent-less management and push-based infrastructure,
> sharing as little information with remote nodes as possible, eliminating
> fileservers, and things like that.
>
> As we have mentioned before, we take security reports exceptionally
> seriously and practice responsible disclosure. If you ever have something
> to report, email us at [email protected] and we'll respond promptly.
>
> Thanks!
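The second issue in the quoted announcement (CVE-2014-4967, a fact value adding or overriding module parameters), as an added, constructed Python model. This is not Ansible's own parser or templating code: the `key=value ... free text` argument parser, the `{{ name }}` substitution, the task string and the hostile fact value are all assumptions made here to show the mechanism, and the two hardening steps (quoting an interpolated value as a single word, and refusing a parameter given twice) are one way to implement what the announcement describes.

```python
import shlex

# Constructed sample task argument string. The playbook author expects the
# interpolated fact to be a plain hostname, so chdir is meant to stay fixed.
TEMPLATE = "chdir=/srv/app /usr/bin/backup {{ ansible_hostname }}"

# Constructed fact values: one honest, one a compromised node could report.
BENIGN_FACT = {"ansible_hostname": "web01"}
HOSTILE_FACT = {"ansible_hostname": "web01 chdir=/tmp"}


def render_naive(template, facts):
    """Substitute facts as raw text: the value can grow into extra tokens."""
    out = template
    for name, value in facts.items():
        out = out.replace("{{ " + name + " }}", value)
    return out


def render_quoted(template, facts):
    """Substitute facts as single shell words, so a value stays one token."""
    out = template
    for name, value in facts.items():
        out = out.replace("{{ " + name + " }}", shlex.quote(value))
    return out


def _is_kv(token):
    """Treat a token as key=value only when the key is a bare identifier."""
    key, sep, _ = token.partition("=")
    return bool(sep) and key.isidentifier()


def parse_args_permissive(arg_string):
    """Toy parser for 'key=value ... free text': a repeated key silently wins.

    Assumed behaviour modelled on the advisory's description, not Ansible code.
    """
    params, raw = {}, []
    for token in shlex.split(arg_string):
        if _is_kv(token):
            key, _, value = token.partition("=")
            params[key] = value  # later duplicate overrides the earlier one
        else:
            raw.append(token)
    # Re-quote the free text so the words survive a later shell split intact.
    params["_raw_params"] = shlex.join(raw)
    return params


def parse_args_strict(arg_string):
    """Same parser, but a key given twice is an error instead of an override."""
    params, raw = {}, []
    for token in shlex.split(arg_string):
        if _is_kv(token):
            key, _, value = token.partition("=")
            if key in params:
                raise ValueError("duplicate parameter %r" % key)
            params[key] = value
        else:
            raw.append(token)
    params["_raw_params"] = shlex.join(raw)
    return params


if __name__ == "__main__":
    # Honest fact: both paths agree.
    print(parse_args_permissive(render_naive(TEMPLATE, BENIGN_FACT)))
    # Hostile fact, naive path: chdir is overridden to /tmp.
    print(parse_args_permissive(render_naive(TEMPLATE, HOSTILE_FACT)))
    # Hostile fact, quoted path: the whole value is one free-text word.
    print(parse_args_strict(render_quoted(TEMPLATE, HOSTILE_FACT)))
    # Hostile fact, naive rendering but strict parsing: the override is caught.
    try:
        parse_args_strict(render_naive(TEMPLATE, HOSTILE_FACT))
    except ValueError as exc:
        print("rejected:", exc)
```

The two defences are independent: quoting keeps a fact from becoming extra tokens at all, while the duplicate check catches an override that reaches the parser by another route. Note that the quoted value is still delivered as a raw argument, which is why `_raw_params` is re-joined with `shlex.join` rather than a plain space; splitting and rejoining without quoting would reintroduce the extra tokens at the next shell boundary.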
