Updated ansible package fixes multiple security issues
Publication date: 25 Aug 2014
Modification date: 25 Aug 2014
Type: security
Affected Mageia releases: 4
CVE: CVE-2014-4678, CVE-2014-4966, CVE-2014-4967
Description
Updated ansible package fixes security vulnerabilities:

The Ansible platform before version 1.6.7 suffers from input sanitization errors that allow arbitrary code execution as well as information leaks if an attacker is able to control certain playbook variables (CVE-2014-4678, CVE-2014-4966, CVE-2014-4967).

The ansible package has been updated to version 1.6.8, which fixes these issues and several other bugs.
References
- https://bugs.mageia.org/show_bug.cgi?id=13649
- http://openwall.com/lists/oss-security/2014/07/02/2
- http://www.ocert.org/advisories/ocert-2014-004.html
- https://github.com/ansible/ansible/blob/release1.6.10/CHANGELOG.md
- https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135284.html
- https://lists.fedoraproject.org/pipermail/package-announce/2014-August/136395.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4678
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4966
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4967
SRPMS
4/core
- ansible-1.6.10-1.mga4