Hi all, we're aware of some issues regarding shell quoting in this security
fix. We are working on a patch to correct this and will be releasing an
update soon.

Thanks!


On Mon, Jul 21, 2014 at 11:53 AM, James Cammarata <jcammar...@ansible.com>
wrote:

> Hi everyone,
>
> Today we are updating Ansible to 1.6.7 to upgrade security based on
> untrusted or hidden inputs.
>
> As you remember, we previously made some updates based on security
> findings from two individuals; in this case, a variation from one of those
> same folks was shared later by ocert.org via Brian Ferring, and we want to
> close this off as well.
>
> Two CVEs are mentioned below.
>
>      * Strip lookup calls out of inventory variables and clean unsafe data
>        returned from lookup plugins (CVE-2014-4966)
>      * Make sure vars don't insert extra parameters into module args and
>        prevent duplicate params from superseding previous params
>        (CVE-2014-4967)
>
> One exploit involves hiding Jinja2 on the local file system, so you would
> need to be able to check in code in a playbook repo or on the local disk in
> a location Ansible would be reading with something like "with_fileglob",
> and this would be able to hide commands in ways that were not readily
> apparent. This is not a remotely leverageable exploit.
>
> The other exploit involves untrusted data in a form where additional
> arguments are added to commands when things like facts are used in command
> inputs, or how they can be used to override commands.   This can happen
> when a remote node is compromised and the value of a fact from that node is
> passed to a module.  In most situations, this would only involve the remote
> node getting different instructions, but in other situations, if using
> local_action, could result in some things being executed locally (or in the
> case of delegate_to, on a different node), which is of greater consequence.
> Use of this would require some knowledge of the playbook configuring the
> system.
>
> Users should update to 1.6.7 which is now available on
> releases.ansible.com as well as PyPI, and distributions should be
> updating shortly.
>
> We greatly appreciate all of the security review recently, and having
> Ansible be as rock solid as possible is a major priority, well in line
> with our focus on agent-less management and push-based infrastructure,
> sharing as little information with remote nodes as possible, eliminating
> fileservers, and things like that.
>
> As we have mentioned before, we take security reports exceptionally
> seriously and practice responsible disclosure.  If you ever have something
> to report, email us at secur...@ansible.com and we'll respond promptly.
>
> Thanks!
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CAMFyvFhzAZ5Dgac_%3Des_Tu0LcwShzuMW9JccAp6BgUB1Y9%2B7yw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
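A constructed illustration of the two mechanisms the quoted advisory describes, added here as an example; it is not taken from the original post or from Ansible's code base. The render() function is a tiny regex-based stand-in for Jinja2 (an assumption made for the demonstration, supporting only {{ name }} and {{ lookup('kind', 'arg') }}), the fact value, argument string and planted file are made up, and the stand-in lookup() only records calls and never runs anything. The two "vulnerable" functions model the mechanism in simplified form; Ansible 1.6.x's real template engine and argument parser differed in detail.

```python
"""Constructed illustration of the two argument-handling hazards described in
the quoted advisory (CVE-2014-4966 and CVE-2014-4967). This is not Ansible's
code: render() is a tiny stand-in for Jinja2, and the file contents, fact
values and argument strings are assumptions made for the demonstration."""
import re
import shlex

EXPR = re.compile(r"\{\{\s*(.*?)\s*\}\}")
LOOKUP = re.compile(r"lookup\('(\w+)',\s*'([^']*)'\)")


def render(src, variables, lookup=None):
    """Stand-in template engine (assumption, not Jinja2): expands {{ name }}
    from variables and {{ lookup('kind', 'arg') }} through lookup()."""
    def expand(match):
        expr = match.group(1)
        call = LOOKUP.fullmatch(expr)
        if call and lookup is not None:
            return lookup(call.group(1), call.group(2))
        return str(variables[expr])
    return EXPR.sub(expand, src)


# --- CVE-2014-4967: a fact value growing extra module parameters ----------

def render_then_split(arg_string, variables):
    """Assumed vulnerable order: substitute variables into the whole
    'key=value key=value' string, then tokenise it. A value that contains
    whitespace and '=' becomes new parameters, and a later duplicate key
    silently replaces an earlier one."""
    params = {}
    for token in shlex.split(render(arg_string, variables)):
        key, _, value = token.partition("=")
        params[key] = value
    return params


def split_then_render(arg_string, variables):
    """Hardened order: tokenise the playbook author's own string first, render
    each value on its own so it can never turn into a new token, and reject
    duplicate keys instead of letting the last one win."""
    params = {}
    for token in shlex.split(arg_string):
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError("bare token in module args: %r" % token)
        if key in params:
            raise ValueError("duplicate module parameter: %r" % key)
        params[key] = render(value, variables)
    return params


# Constructed fact, as a compromised node could report it, and a constructed
# unquoted argument string such as a playbook might pass to a command module.
HOSTILE_FACT = {"scratch_dir": "/tmp/x creates=/nonexistent"}
MODULE_ARGS = "creates=/var/lock/done cmd={{scratch_dir}}"


# --- CVE-2014-4966: lookup output treated as a template -------------------

# Constructed file that someone with write access to the playbook repo or the
# control host's disk could plant where with_fileglob or a file lookup reads.
PLANTED_FILES = {"banner.txt": "welcome {{ lookup('pipe', 'id') }}"}


def make_lookup(calls):
    """Stand-in lookup plugin that records every call. The 'pipe' branch only
    returns a marker; a real pipe lookup would run the command on the
    control host."""
    def lookup(kind, arg):
        calls.append((kind, arg))
        if kind == "file":
            return PLANTED_FILES[arg]
        return "<output of %s>" % arg
    return lookup


def render_recursively(src, calls, variables=None):
    """Assumed vulnerable behaviour: keep templating while the output still
    contains template syntax, so data a lookup returned gets evaluated."""
    lookup = make_lookup(calls)
    out = render(src, variables or {}, lookup)
    for _ in range(10):  # bounded so a stray literal '{{' cannot loop forever
        if "{{" not in out:
            break
        out = render(out, variables or {}, lookup)
    return out


def render_once(src, calls, variables=None):
    """Hardened behaviour: a single pass; whatever a lookup returns is data
    and is never handed back to the template engine."""
    return render(src, variables or {}, make_lookup(calls))


if __name__ == "__main__":
    print(render_then_split(MODULE_ARGS, HOSTILE_FACT))
    print(split_then_render(MODULE_ARGS, HOSTILE_FACT))
    for fn in (render_recursively, render_once):
        calls = []
        print(fn.__name__, fn("{{ lookup('file', 'banner.txt') }}", calls), calls)
```

Running the script shows the two failure modes side by side: render_then_split lets the fact both add a parameter and override the author's creates=, while split_then_render keeps the whole fact value inside cmd; render_recursively ends up invoking the planted pipe lookup, while render_once returns the file's text as plain data. The sample fact is deliberately a local_action-style worst case, matching the advisory's note that the consequence is greatest when the affected task runs on the control host or a delegated node.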