ansible: CVE-2016-9587: host to controller command execution vulnerability

Related Vulnerabilities: CVE-2016-9587  

Debian Bug report logs - #850846


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 10 Jan 2017 18:00:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions ansible/2.2.0.0-2, ansible/2.2.0.0-1

Fixed in version ansible/2.2.0.0-3

Done: Harlan Lieberman-Berg <hlieberman@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Harlan Lieberman-Berg <hlieberman@debian.org>:
Bug#850846; Package src:ansible. (Tue, 10 Jan 2017 18:00:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Harlan Lieberman-Berg <hlieberman@debian.org>. (Tue, 10 Jan 2017 18:00:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ansible: CVE-2016-9587: host to controller command execution vulnerability
Date: Tue, 10 Jan 2017 18:56:31 +0100
Source: ansible
Version: 2.2.0.0-1
Severity: grave
Tags: patch security upstream
Justification: user security hole

Hi,

the following vulnerability was published for ansible.

CVE-2016-9587[0]:
|Compromised remote hosts can lead to running commands on the Ansible
|controller

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-9587
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9587
[1] https://bugzilla.novell.com/show_bug.cgi?id=1019021
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1404378
[3] https://github.com/ansible/ansible/commit/ec84ff6de6eca9224bf3f22b752bb8da806611ed

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Harlan Lieberman-Berg <hlieberman@debian.org>:
You have taken responsibility. (Wed, 11 Jan 2017 01:51:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 11 Jan 2017 01:51:06 GMT)


Message #10 received at 850846-close@bugs.debian.org:

From: Harlan Lieberman-Berg <hlieberman@debian.org>
To: 850846-close@bugs.debian.org
Subject: Bug#850846: fixed in ansible 2.2.0.0-2
Date: Wed, 11 Jan 2017 01:48:33 +0000
Source: ansible
Source-Version: 2.2.0.0-2

We believe that the bug you reported is fixed in the latest version of
ansible, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 850846@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Harlan Lieberman-Berg <hlieberman@debian.org> (supplier of updated ansible package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 10 Jan 2017 20:14:07 -0500
Source: ansible
Binary: ansible
Architecture: source
Version: 2.2.0.0-2
Distribution: unstable
Urgency: high
Maintainer: Harlan Lieberman-Berg <hlieberman@debian.org>
Changed-By: Harlan Lieberman-Berg <hlieberman@debian.org>
Closes: 850846
Description: 
 ansible    - Configuration management, deployment, and task execution system
Changes:
 ansible (2.2.0.0-2) unstable; urgency=high
 .
   * Cherry-pick patch to fix CVE-2016-9587 (Closes: #850846)
Checksums-Sha1: 
 89cd25d8eb7ae94fb74052038f479c3b27c33459 2167 ansible_2.2.0.0-2.dsc
 34f09dbbfa35c0136645533ac99082ec4c8d4ace 24084 ansible_2.2.0.0-2.debian.tar.xz
Checksums-Sha256: 
 817403630d8acccab0b15c49f192fa9e63e6f83de4e9fd5793167004903d3126 2167 ansible_2.2.0.0-2.dsc
 2d2f0da195a8404e975b191f83de306af5ba936485dff9cdb8a4cb24752741b2 24084 ansible_2.2.0.0-2.debian.tar.xz
Files: 
 285b9c7ad20f6ce76db223d3fa41480e 2167 admin optional ansible_2.2.0.0-2.dsc
 fdf9ef32bf051a7a2afa93de0f34f618 24084 admin optional ansible_2.2.0.0-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
[signature block not reproduced]
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Harlan Lieberman-Berg <hlieberman@debian.org>:
Bug#850846; Package src:ansible. (Thu, 12 Jan 2017 07:09:02 GMT)


Acknowledgement sent to Harlan Lieberman-Berg <hlieberman@setec.io>:
Extra info received and forwarded to list. Copy sent to Harlan Lieberman-Berg <hlieberman@debian.org>. (Thu, 12 Jan 2017 07:09:02 GMT)


Message #15 received at 850846@bugs.debian.org:

From: Harlan Lieberman-Berg <hlieberman@setec.io>
To: 850846@bugs.debian.org, control@bugs.debian.org
Subject: Additional patches required; reopen
Date: Thu, 12 Jan 2017 02:07:04 -0500
found 850846 2.2.0.0-2
reopen 850846
thanks

Ansible had to release 2.2.1.0-0.4-rc4 with more security fixes.  Seems
the patch from earlier missed a couple of corner cases.  I'll
need to update, but also shouldn't be doing a release at 0200.  Will get
to it ASAP tomorrow.

Sincerely,
-- 
Harlan Lieberman-Berg
~hlieberman



Marked as found in versions ansible/2.2.0.0-2; no longer marked as fixed in versions ansible/2.2.0.0-2 and reopened. Request was from Harlan Lieberman-Berg <hlieberman@setec.io> to control@bugs.debian.org. (Thu, 12 Jan 2017 07:09:04 GMT)


Reply sent to Harlan Lieberman-Berg <hlieberman@debian.org>:
You have taken responsibility. (Sat, 14 Jan 2017 03:06:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 14 Jan 2017 03:06:04 GMT)


Message #22 received at 850846-close@bugs.debian.org:

From: Harlan Lieberman-Berg <hlieberman@debian.org>
To: 850846-close@bugs.debian.org
Subject: Bug#850846: fixed in ansible 2.2.0.0-3
Date: Sat, 14 Jan 2017 03:03:50 +0000
Source: ansible
Source-Version: 2.2.0.0-3

We believe that the bug you reported is fixed in the latest version of
ansible, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 850846@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Harlan Lieberman-Berg <hlieberman@debian.org> (supplier of updated ansible package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 13 Jan 2017 21:17:56 -0500
Source: ansible
Binary: ansible
Architecture: source
Version: 2.2.0.0-3
Distribution: unstable
Urgency: high
Maintainer: Harlan Lieberman-Berg <hlieberman@debian.org>
Changed-By: Harlan Lieberman-Berg <hlieberman@debian.org>
Closes: 850846
Description: 
 ansible    - Configuration management, deployment, and task execution system
Changes:
 ansible (2.2.0.0-3) unstable; urgency=high
 .
   * Apply additional fixes for CVE-2016-9587 (Closes: #850846)
Checksums-Sha1: 
 64492c9eda0ab22ece7bf58fca21cb9217375eb3 2167 ansible_2.2.0.0-3.dsc
 bc2ff2e3314fd6aeba769f6b3219c715d7133963 25472 ansible_2.2.0.0-3.debian.tar.xz
Checksums-Sha256: 
 a704449696d7a04460740d559ec5c1b55e870ba1fdd0f663e3f378dcded065ac 2167 ansible_2.2.0.0-3.dsc
 0bbe9f0100a87d0136825050ca7df544ff4ca7c074f23f4849311563f81adb8b 25472 ansible_2.2.0.0-3.debian.tar.xz
Files: 
 cbb0c7cde7c7b3e27e567e8f1cdac920 2167 admin optional ansible_2.2.0.0-3.dsc
 d6de1cefa384eff7b2a18901c330ca4a 25472 admin optional ansible_2.2.0.0-3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
[signature block not reproduced]
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 11 Feb 2017 07:32:07 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:02:21 2019