[3.5] ansible: host to controller command execution vulnerability (CVE-2016-9587)
An input validation vulnerability was found in Ansible’s handling of
data sent from client systems. An attacker with control over a client
system being managed by Ansible and the ability to send facts back to
the Ansible server could use this flaw to execute arbitrary code on the
Ansible server using the Ansible-server privileges.
Fixed in:
Ansible 2.2.1 and 2.1.4
References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9587
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850846
(from redmine: issue id 6783, created on 2017-01-31, closed on 2017-02-02)
- Relations:
  - parent #6782 (closed)
- Changesets:
  - Revision aff146eb by Sergei Lukin on 2017-02-01T13:16:43Z:
    main/ansible: security upgrade to 2.2.1.0 - fixes #6783
    CVE-2016-9587: host to controller command execution vulnerability