Hi everyone,

Today we are updating Ansible to 1.6.7 to improve security around
untrusted or hidden inputs.

As you may remember, we previously made updates based on security findings
from two individuals. In this case, a variation from one of those same folks
was later shared by ocert.org via Brian Ferring, and we want to close this
off as well.

Two CVEs are mentioned below.

     * Strip lookup calls out of inventory variables and clean unsafe data
       returned from lookup plugins (CVE-2014-4966)
     * Make sure vars don't insert extra parameters into module args and
       prevent duplicate params from superseding previous params (CVE-2014-4967)

One exploit involves hiding Jinja2 template syntax in files on the local file
system: you would need to be able to check code into a playbook repo, or
write to a location on local disk that Ansible reads with something like
"with_fileglob", and this would let you hide commands in ways that were not
readily apparent.   This is not a remotely leverageable exploit.
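To make the first issue concrete, here is an added illustration (not code from
the original post and not Ansible's own implementation) of why data returned by
a lookup plugin, or read from inventory, has to be marked unsafe and never
templated a second time. The Templater class, the Unsafe marker, the
SIMULATED_FILES dictionary, the VARS dictionary and the "file"/"pipe" lookup
stand-ins are all constructed for this example; the "pipe" stand-in only
records the command it would have run.

```python
"""Added example, not Ansible's code: a toy {{ }} templater showing why text
that comes back from a lookup plugin (or from inventory) has to be marked
unsafe and never templated a second time (the bug class of CVE-2014-4966).
All file contents, variable values and the 'pipe' stand-in are constructed."""
import re

EXPR = re.compile(r"\{\{\s*(.*?)\s*\}\}")
LOOKUP = re.compile(r"lookup\('(\w+)',\s*'([^']*)'\)$")


class Unsafe(str):
    """Marker for text that originated outside the playbook (lookup results,
    inventory variables). Its content is data and must never be re-parsed."""


# Constructed stand-in for files a with_fileglob loop or file lookup would read.
# 'evil.txt' is what an attacker with write access to the repo would plant.
SIMULATED_FILES = {
    "motd.txt": "Welcome to the build host",
    "evil.txt": "{{ lookup('pipe', 'touch /tmp/pwned') }}",
}

# Playbook-defined variables (trusted, may legitimately refer to each other)
# plus one inventory variable (untrusted) that also tries to smuggle a lookup.
VARS = {
    "base_dir": "/srv/app",
    "log_dir": "{{ base_dir }}/logs",
    "host_note": Unsafe("{{ lookup('pipe', 'id') }}"),  # came from inventory
}


class Templater:
    def __init__(self, files, variables, unsafe_aware):
        self.files = files
        self.variables = variables
        self.unsafe_aware = unsafe_aware  # False = the pre-fix behaviour
        self.executed = []                # commands a real 'pipe' would run

    def lookup(self, plugin, arg):
        if plugin == "file":
            return Unsafe(self.files[arg])
        if plugin == "pipe":
            self.executed.append(arg)     # this would run on the controller
            return Unsafe("<output of %s>" % arg)
        raise ValueError("unknown lookup plugin %r" % plugin)

    def evaluate(self, expr):
        m = LOOKUP.match(expr)
        if m:
            return self.lookup(m.group(1), m.group(2))
        return self.variables[expr]

    def render(self, text, depth=0):
        def substitute(m):
            value = self.evaluate(m.group(1))
            # A substituted value may itself contain {{ }}.  The vulnerable
            # templater recurses into anything; the fixed one recurses only
            # into values that are not marked Unsafe.
            recurse = EXPR.search(value) and depth < 10
            if recurse and not (self.unsafe_aware and isinstance(value, Unsafe)):
                return self.render(value, depth + 1)
            return str(value)
        return EXPR.sub(substitute, text)

    def render_and_trace(self, text):
        """Returns (rendered text, commands that 'pipe' would have executed)."""
        self.executed = []
        return self.render(text), list(self.executed)


if __name__ == "__main__":
    task = "{{ lookup('file', 'evil.txt') }}"   # e.g. the content= of a copy task
    for aware in (False, True):
        out, ran = Templater(SIMULATED_FILES, VARS, aware).render_and_trace(task)
        print("unsafe_aware=%s -> %r, executed %r" % (aware, out, ran))
```

With unsafe_aware=False the file's contents are rendered again and the planted
pipe lookup runs on the control machine; with unsafe_aware=True the same
contents come back as literal text, while playbook variables that refer to each
other (log_dir above) still resolve, which is the distinction the fix relies on.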

The other exploit involves untrusted data being used to add extra arguments
to module invocations, or to override existing ones, when things like facts
are used in command inputs.   This can happen when a remote node is
compromised and the value of a fact from that node is passed to a module.
In most situations this would only mean the compromised node itself receives
different instructions, but with local_action it could result in something
being executed on the control machine (or, with delegate_to, on a different
node), which is of greater consequence.   Exploiting this would require some
knowledge of the playbook configuring the system.
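As an added illustration of the second issue (again not code from the original
post and not Ansible's own argument parser), the following shows how a fact
value reported by a compromised node can add or override module parameters when
the argument line is templated before it is parsed, and a parse-then-template
ordering with a duplicate-parameter check that closes it. The TASK_LINE, the
HONEST_FACTS and COMPROMISED_FACTS dictionaries, the creates=/chdir= parameter
names and the tokenizer are all constructed for this example; quoting is left
out, so it is simpler than a real shlex-based parser.

```python
"""Added example, not Ansible's code: a toy module-argument builder showing
how a fact reported by a compromised node can add or override module
parameters when the argument line is templated *before* it is parsed (the
bug class of CVE-2014-4967), and the parse-then-template ordering plus a
duplicate-parameter check that close it.  The task line, parameter names
and fact values are constructed for this example."""
import re

EXPR = re.compile(r"\{\{\s*(\w+)\s*\}\}")
# A token is a run of non-space characters in which a {{ ... }} expression
# (which may contain spaces) counts as a single unit.  Quoting is omitted.
TOKEN = re.compile(r"(?:\{\{.*?\}\}|\S)+")

# Constructed facts.  'ansible_hostname' is whatever the managed node reports
# for itself, so a compromised node chooses its value.
HONEST_FACTS = {"ansible_hostname": "web01"}
COMPROMISED_FACTS = {
    "ansible_hostname": "web01 creates=/nonexistent chdir=/etc",
}

# Operator's task, command-module style: free-form words plus key=value
# options.  The operator intends exactly one option, creates=.
TASK_LINE = "/usr/local/bin/deploy creates=/var/lock/deploy --host {{ ansible_hostname }}"


def tokenize(line):
    return TOKEN.findall(line)


def template(text, variables):
    return EXPR.sub(lambda m: str(variables[m.group(1)]), text)


def parse_args(tokens, reject_duplicates):
    """Splits tokens into free-form words and key=value parameters."""
    free, params = [], {}
    for tok in tokens:
        m = re.match(r"^(\w+)=(.*)$", tok, re.S)
        if m:
            key, value = m.group(1), m.group(2)
            if key in params and reject_duplicates:
                raise ValueError("duplicate parameter %r" % key)
            params[key] = value      # without the check, the last one wins
        else:
            free.append(tok)
    return free, params


def build_args_vulnerable(task_line, variables):
    """Pre-fix ordering: substitute variables into the whole line, then
    tokenize.  Spaces and '=' inside a fact value become new tokens, i.e.
    new or overriding parameters the operator never wrote."""
    return parse_args(tokenize(template(task_line, variables)),
                      reject_duplicates=False)


def build_args_fixed(task_line, variables):
    """Hardened ordering: tokenize the operator's text first, so the set of
    parameters is fixed by the playbook; then substitute variables inside
    each token.  A fact value can only become the value of the slot it was
    written into (here one free-form word, hostile text and all, which the
    module sees as data), and duplicate keys in the playbook are rejected."""
    free, params = parse_args(tokenize(task_line), reject_duplicates=True)
    return ([template(t, variables) for t in free],
            {k: template(v, variables) for k, v in params.items()})


def is_valid_task_line(task_line):
    """True unless the playbook text itself repeats a parameter."""
    try:
        parse_args(tokenize(task_line), reject_duplicates=True)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name, facts in (("honest", HONEST_FACTS), ("compromised", COMPROMISED_FACTS)):
        print(name, "vulnerable:", build_args_vulnerable(TASK_LINE, facts))
        print(name, "fixed:     ", build_args_fixed(TASK_LINE, facts))
```

With the compromised fact, the vulnerable ordering yields a chdir= the operator
never wrote and a creates= that has been overridden; the fixed ordering keeps
creates=/var/lock/deploy and passes the hostile text through as one free-form
value, which is the "remote node gets different instructions" case above rather
than a change to what the control machine does.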

Users should update to 1.6.7, which is now available on releases.ansible.com
as well as PyPI, and distributions should be updating shortly.

We greatly appreciate all of the recent security review. Having Ansible be as
rock solid as possible is a major priority, well in line with our focus on
agent-less management, push-based infrastructure, sharing as little
information with remote nodes as possible, eliminating fileservers, and
things like that.

As we have mentioned before, we take security reports exceptionally
seriously and practice responsible disclosure.  If you ever have something
to report, email us at secur...@ansible.com and we'll respond promptly.

Thanks!

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CAMFyvFgUZYdJv8Qog78kigEG27aXUoqxMMcF8amZS83gkM0TRw%40mail.gmail.com.