Advisories » MGASA-2016-0163

Updated ansible packages fix CVE-2016-3096

Publication date: 05 May 2016
Modification date: 05 May 2016
Type: security
Affected Mageia releases : 5
CVE: CVE-2016-3096

Description

Updated ansible package fixes a security vulnerability:

A vulnerability was found in lxc_container, an ansible module, that allows an
attacker to get root inside the container. The problem is in the create_script
function, which tries to write to /opt/.lxc-attach-script inside of the
container. If the attacker can write to /opt/.lxc-attach-script before that,
they can overwrite arbitrary files or execute commands as root (CVE-2016-3096).
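
The file-handling pattern behind this class of bug, shown as an added example that is not Ansible's code or its actual patch: a write to a fixed path follows a link planted there beforehand, while exclusive creation under an unpredictable name does not. The helper names, the temporary directory standing in for the container's /opt, and the victim file are constructed for illustration.

```python
import os
import tempfile

SCRIPT_NAME = ".lxc-attach-script"  # fixed file name taken from the advisory text


def write_script_predictable(directory, script):
    """Pattern the advisory describes: open a fixed, guessable path for writing.

    open(path, "w") follows an existing symlink and truncates its target.
    """
    path = os.path.join(directory, SCRIPT_NAME)
    with open(path, "w") as handle:
        handle.write(script)
    return path


def write_script_hardened(directory, script):
    """Hypothetical hardened writer (an assumption, not the upstream fix).

    mkstemp picks a random name and opens it with O_CREAT | O_EXCL, mode 0600,
    so an existing file or link is never reused or followed.
    """
    fd, path = tempfile.mkstemp(prefix="lxc-attach-", dir=directory)
    with os.fdopen(fd, "w") as handle:
        handle.write(script)
    return path


def demo():
    """Run both writers in a constructed sandbox; return (clobbered, intact, renamed)."""
    script = "#!/bin/sh\necho attached\n"
    with tempfile.TemporaryDirectory() as root:
        opt = os.path.join(root, "opt")              # stands in for the container's /opt
        os.mkdir(opt)
        victim = os.path.join(root, "victim.conf")   # constructed file that must survive
        with open(victim, "w") as handle:
            handle.write("original\n")
        os.symlink(victim, os.path.join(opt, SCRIPT_NAME))  # link present before the write

        write_script_predictable(opt, script)
        with open(victim) as handle:
            clobbered = handle.read() != "original\n"

        with open(victim, "w") as handle:            # restore before the second run
            handle.write("original\n")
        safe_path = write_script_hardened(opt, script)
        with open(victim) as handle:
            intact = handle.read() == "original\n"
        return clobbered, intact, os.path.basename(safe_path) != SCRIPT_NAME
```

Exclusive creation only covers a file or link planted at the target name; if the untrusted party controls the directory itself, its path components can still be swapped.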
                

References

SRPMS

5/core