BTW, credit for this find should go to Alan Fairless of SpiderOak.com <http://spideroak.com/> - Alan was remarkably helpful in isolating and testing. We have some fans of their cloud backup features.

--Michael

On Tue, Apr 1, 2014 at 5:36 PM, Michael DeHaan <[email protected]> wrote:

> Today we have released Ansible 1.5.4, which contains a security fix
> unrelated to previous updates. This fix increases the security of certain
> strings evaluated by Ansible, which could possibly be forced in some
> scenarios to be evaluated by an attacker. Previously these strings were
> subject to a "safe_eval" function in Ansible; this fix further hardens the
> checking of the evaluation function.
>
> Additionally, we have reduced the precedence of registered variables and
> facts such that inventory variables will have a higher precedence than
> facts. This is to trust hosts less in case they might "lie" about module
> returns if they were compromised, and then cannot overwrite any variables
> being set centrally in the playbook or inventory. This is not as critical
> an issue as the above, but we felt hardening this was also the right thing
> to do.
>
> This release is now available through pip, releases.ansible.com, and will
> soon be available via distribution mirrors. If you have not yet updated
> Ansible to a 1.5.4 version, and are running against untrusted content or
> servers, you are recommended to wait and upgrade Ansible on your control
> machine before running against those content or servers.
>
> Ansible practices responsible disclosure. Please submit reports of
> security issues to [email protected]
>
> Download link:
>
> http://releases.ansible.com/ansible
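
The precedence change described in the announcement can be illustrated with a small trust-ordered merge. This is an added example, not Ansible's code: the layer names, the `merge` helper, the relative order of facts and registered variables, and the sample values are all assumptions made for illustration.

```python
# Added illustration (not Ansible source). Layers are listed from lowest to
# highest precedence; the layer names and their exact order are assumptions.
ORDER_BEFORE = ["inventory", "facts", "registered"]  # host-reported data wins
ORDER_AFTER = ["facts", "registered", "inventory"]   # centrally set data wins

# Layers whose content comes back from the managed (possibly compromised) host.
HOST_SUPPLIED = {"facts", "registered"}


def merge(layers, order):
    """Merge variable layers; later names in `order` override earlier ones.

    Returns (merged, conflicts). Each conflict is (key, losing_layer,
    winning_layer) and is recorded only when a host-supplied layer and a
    centrally defined layer disagree about the same key.
    """
    merged, source, conflicts = {}, {}, []
    for name in order:
        for key, value in layers.get(name, {}).items():
            if key in merged and merged[key] != value:
                pair = {source[key], name}
                # One side from the host, the other side set centrally.
                if pair & HOST_SUPPLIED and pair - HOST_SUPPLIED:
                    conflicts.append((key, source[key], name))
            merged[key] = value
            source[key] = name
    return merged, conflicts


# Constructed sample: the host "lies" about deploy_user in its facts.
SAMPLE = {
    "inventory": {"deploy_user": "deploy", "app_port": 8080},
    "facts": {"deploy_user": "root", "os_family": "Debian"},
    "registered": {"probe_rc": 0},
}

if __name__ == "__main__":
    for label, order in (("before", ORDER_BEFORE), ("after", ORDER_AFTER)):
        merged, conflicts = merge(SAMPLE, order)
        print(label, "deploy_user =", merged["deploy_user"])
        for key, loser, winner in conflicts:
            print(f"  {key}: value from {loser} overridden by {winner}")
```

A conflict whose winning layer is host-supplied is the case the new ordering removes; with the new ordering the same conflict still appears, but as a discarded host value that is worth logging.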
