Hello everyone, As you the least release indicated we updated Ansible to 1.6.4 to include a security fix, as we said, "where specifically constructed untrusted data can cause the Ansible tool to execute unwanted inputs on the control machine".
As the phrase goes, with enough eyes, all bugs are shallow. As such, our fix was incomplete, though it does require some cleverness to find the gap, and in fact, we identified some errors in some core Python documentation along the way. Thanks to Brian Harring for this find. We're going to refrain from posting the specifics so folks can update. We have subsequently updated Ansible to 1.6.5, which further locks down this same problem. Users should update to this version instead of 1.6.4. Again, if there are any security concerns about any subject, please disclose them privately to [email protected] and we'll respond promptly. Thank you all! -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CA%2BnsWgzRLr2wgLQoGJbEggf0ZpCgiHK7Q6NkuT1QrqUzGcQEqQ%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
