ansible: CVE-2017-7481: Security issue with lookup return not tainting the jinja2 environment


Debian Bug report logs - #862666


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 15 May 2017 14:30:02 UTC

Severity: important

Tags: patch, security, upstream

Found in version ansible/2.2.1.0-2

Fixed in version ansible/2.3.1.0+dfsg-1

Done: Harlan Lieberman-Berg <hlieberman@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Harlan Lieberman-Berg <hlieberman@debian.org>:
Bug#862666; Package src:ansible. (Mon, 15 May 2017 14:30:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Harlan Lieberman-Berg <hlieberman@debian.org>. (Mon, 15 May 2017 14:30:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ansible: CVE-2017-7481: Security issue with lookup return not tainting the jinja2 environment
Date: Mon, 15 May 2017 16:28:24 +0200
Source: ansible
Version: 2.2.1.0-2
Severity: important
Tags: patch security upstream

Hi,

the following vulnerability was published for ansible.

CVE-2017-7481[0]:
Security issue with lookup return not tainting the jinja2 environment

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7481
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7481
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1450018
[2] https://github.com/ansible/ansible/commit/ed56f51f185a1ffd7ea57130d260098686fcc7c2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Harlan Lieberman-Berg <hlieberman@debian.org>:
Bug#862666; Package src:ansible. (Sun, 04 Jun 2017 10:18:02 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Harlan Lieberman-Berg <hlieberman@debian.org>. (Sun, 04 Jun 2017 10:18:03 GMT)


Message #10 received at 862666@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: 862666@bugs.debian.org
Subject: Re: ansible: CVE-2017-7481: Security issue with lookup return not tainting the jinja2 environment
Date: Sun, 4 Jun 2017 12:14:45 +0200
On Mon, May 15, 2017 at 04:28:24PM +0200, Salvatore Bonaccorso wrote:
> Source: ansible
> Version: 2.2.1.0-2
> Severity: important
> Tags: patch security upstream
> 
> Hi,
> 
> the following vulnerability was published for ansible.
> 
> CVE-2017-7481[0]:
> Security issue with lookup return not tainting the jinja2 environment

What's the status? Can we get that fixed for stretch?

Cheers,
        Moritz



Reply sent to Harlan Lieberman-Berg <hlieberman@debian.org>:
You have taken responsibility. (Mon, 07 Aug 2017 22:24:10 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 07 Aug 2017 22:24:10 GMT)


Message #15 received at 862666-close@bugs.debian.org:

From: Harlan Lieberman-Berg <hlieberman@debian.org>
To: 862666-close@bugs.debian.org
Subject: Bug#862666: fixed in ansible 2.3.1.0+dfsg-1
Date: Mon, 07 Aug 2017 22:21:08 +0000
Source: ansible
Source-Version: 2.3.1.0+dfsg-1

We believe that the bug you reported is fixed in the latest version of
ansible, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 862666@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Harlan Lieberman-Berg <hlieberman@debian.org> (supplier of updated ansible package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 07 Aug 2017 17:26:53 -0400
Source: ansible
Binary: ansible
Architecture: source
Version: 2.3.1.0+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Harlan Lieberman-Berg <hlieberman@debian.org>
Changed-By: Harlan Lieberman-Berg <hlieberman@debian.org>
Closes: 845613 851619 859999 862666 863949 868553 869751
Description: 
 ansible    - Configuration management, deployment, and task execution system
Changes:
 ansible (2.3.1.0+dfsg-1) unstable; urgency=high
 .
   [ Lee Garrett ]
   * The "Harlan is late for DebCamp" release.
   * New upstream release (Closes: #845613, 851619, #868553)
     - fixed CVE-2017-7481 (Closes: #862666)
   * Add python-libcloud to recommends (Closes: #869751)
   * Add python-jmespath to recommends (Closes: #859999)
   * Bump Standards-Version to 4.0.0 (no changes needed)
   * Add python-cryptography to recommends to speed up vault operations.
   * Drop 0001-add-console-manpage.patch and 0002-fix-cve-2017-7466.patch,
     both applied upstream.
 .
   [ Harlan Lieberman-Berg ]
   * Pin python-jinja2 against incompatible new releases.
   * Import patch fixing htpasswd module. (Closes: #863949)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 09 Nov 2017 07:27:31 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:15:28 2019; Machine Name: buxtehude
