For security releases, can y'all please include a bit more detail on the vulnerability? I'd assume y'all found an issue in safe_eval (since that's the only thing that changed), but no description of the input used was covered- so it's hard to evaluate if the fix was enough.
I realize it's a fine line, but it's always been a bit hard to make informed decisions on prioritizing updates when folks are told "there was a vuln, upgrade".

Cheers-
~brian

On Wed, Jun 25, 2014 at 3:55 PM, Michael DeHaan <[email protected]> wrote:

> Credit for this find goes to Florian Weimer of Red Hat - thank you Florian!
>
> As a reminder, Ansible practices responsible disclosure - if you ever find
> an issue or think you have found one, please email us at
> [email protected] and we will reply to you as soon as possible.
>
> On Wed, Jun 25, 2014 at 3:47 PM, Michael DeHaan <[email protected]> wrote:
>
>> Hi everyone,
>>
>> Today we have updated Ansible to fix a security problem where
>> specifically constructed untrusted data can cause the Ansible tool to
>> execute unwanted inputs on the control machine.
>>
>> This update is available in PyPi now, as well as on releases.ansible.com
>> in tarball form.
>>
>> All users are encouraged to update.
>>
>> --Michael
