Bug#851619: new upstream release fixes a bag of CVEs

2017-01-16 Thread Toni Mueller

Hi,

On Mon, Jan 16, 2017 at 10:43:05PM +0100, Toni Mueller wrote:
> there is a new Ansible release, 2.2.1, which was published on 2017-01-11
> on releases.ansible.com, which fixes a bag of security holes, for which
> CVEs should already exist. Please take a look at

sorry, MY BAD.

The final 2.2.1 version was only released today, the packages released
on the 11th were only release candidates.


Cheers,
--Toni++



Bug#851619: new upstream release fixes a bag of CVEs

2017-01-16 Thread Toni Mueller

Hi Harlan,

On Mon, Jan 16, 2017 at 05:06:36PM -0500, Harlan Lieberman-Berg wrote:
> Happy to report that these have already been fixed through cherry-picks
> over the last five days or so.  2.2.1 has no security fixes not present
> in 2.2.0.0-4.

oh, great. I almost expected as much, but wanted to make really sure
because of the impact.

> We'll probably merge in 2.2.1 in the next couple of days to get the
> other bugfixes that are in there.

Sounds great. I was reading about some and already considered nagging
you about them.


Cheers,
--Toni++



Bug#851619: new upstream release fixes a bag of CVEs

2017-01-16 Thread Harlan Lieberman-Berg

package ansible
tag 851619 -security -upstream
severity 851619 wishlist
retitle 851619 New ansible upstream version
thanks

Toni Mueller writes:
> there is a new Ansible release, 2.2.1, which was published on 2017-01-11
> on releases.ansible.com, which fixes a bag of security holes, for which
> CVEs should already exist. Please take a look at

Hi Toni!

Happy to report that these have already been fixed through cherry-picks
over the last five days or so.  2.2.1 has no security fixes not present
in 2.2.0.0-4.

We'll probably merge in 2.2.1 in the next couple of days to get the
other bugfixes that are in there.

Sincerely,
-- 
Harlan Lieberman-Berg
~hlieberman



Bug#851619: new upstream release fixes a bag of CVEs

2017-01-16 Thread Toni Mueller

Package: ansible
Version: 2.2.0.0-1
Severity: grave
Tags: security upstream


Hi,

there is a new Ansible release, 2.2.1, which was published on 2017-01-11
on releases.ansible.com, which fixes a bag of security holes, for which
CVEs should already exist. Please take a look at

https://www.computest.nl/advisories/CT-2017-0109_Ansible.txt


Cheers,
--Toni++



-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ansible depends on:
ii  python-crypto         2.6.1-7
ii  python-httplib2       0.9.2+dfsg-1
ii  python-jinja2         2.8-1
ii  python-netaddr        0.7.18-2
ii  python-paramiko       2.0.0-1
ii  python-pkg-resources  32.0.0-1
ii  python-yaml           3.12-1
pn  python:any

Versions of packages ansible recommends:
ii  python-kerberos   1.1.5-2+b2
ii  python-selinux    2.6-3
pn  python-winrm
ii  python-xmltodict  0.10.2-1

Versions of packages ansible suggests:
pn  cowsay
ii  sshpass  1.06-1

-- Configuration Files:
/etc/ansible/ansible.cfg changed [not included]
/etc/ansible/hosts changed [not included]

-- no debconf information