Overview

Request 537596 accepted

CVE-2017-7481: Security issue with lookup return not tainting the jinja2 environment (bsc#1038785)
CVE-2016-9587: host to controller command execution vulnerability (bsc#1019021)
CVE-2016-8628: Command injection by compromised server via fact variables (bsc#1008037)
CVE-2016-8614: Improper verification of key fingerprints in apt_key module (bsc#1008038)


Michael Ströder

Although this is an upstream release update, I strongly support it because, given the fast pace of ansible releases with important security and functional fixes, it's a very bad idea to fall behind.

Back-porting security fixes would be a pain and nobody seriously using ansible would want to use such a patched ansible package anyway.


Andreas Stieger

Please accept the review on this case.


Andreas Stieger

This also fixes CVE-2017-7550, not mentioned in the changelog.


Michael Ströder

This is an upstream update anyway.

So, being an ansible user myself, I strongly recommend rather using upstream release 2.4.1.0, which fixes some issues found in 2.4.0.0.


Andreas Stieger

Would you then either approve, reject, supersede or submit updates to the stable distributions pro-actively?


Michael Ströder

I'm not the one who decides on this.

But I'd support it because, given the fast pace of ansible releases with important security and functional fixes, it's a very bad idea to fall behind. Back-porting security fixes would be a pain and nobody relying on ansible would want to use such a patched ansible package anyway.


Andreas Stieger

Actually you are? You are the maintainer.

Request History
AndreasStieger created request


maintbot added factory-source as a reviewer


maintbot added as a reviewer

Submission for ansible by someone who is not a maintainer in the devel project (systemsmanagement). Please review.


maintbot accepted review

ok


factory-source added backports-reviewers as a reviewer

Automated review failed. Needs fallback reviewer.


factory-source accepted review

The package needs to be accepted in openSUSE:Factory, openSUSE:Leap:42.2:Update, openSUSE:Leap:42.2, openSUSE:Leap:42.1:Update or openSUSE:Leap:42.1 first.


stroeder accepted review


AndreasStieger accepted request

start update, again bypassing backports-reviewers