Ansible prior to 2.2.3 is vulnerable to CVE-2017-7466, CVE-2017-7473, CVE-2017-7481

Bug #1699539 reported by Bjoern
Affects: OpenStack-Ansible
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

Based on https://access.redhat.com/errata/RHSA-2017:1476, all ansible versions prior to 2.2.3 are vulnerable to the CVEs

CVE-2017-7466
CVE-2017-7473
CVE-2017-7481

Is it possible to increase the ansible version for all versions since Newton?

Jean-Philippe Evrard (jean-philippe-evrard) wrote :

Ocata and master should be fine already.

It's a different story for Newton.

For Newton, I guess we could decide in a community meeting to go forward with an update of ansible for this branch. It was already on the table before, but we abandoned the idea, IIRC.

There will be a large body of work to be done there, as Ansible will need to be updated for all the depending roles too, and I expect an Ansible update to bring breaking changes.

I guess it all depends on your willingness to contribute, and the effort the community is ready to put into this old branch. The simpler is, as always, update to a more recent version...

Jean-Philippe Evrard (jean-philippe-evrard) wrote :

FYI, https://groups.google.com/d/msg/Ansible-project/Ujv-faZqEpQ/hiojajX4BAAJ shows that if we have 2.1.6 we should at least cover CVE-2017-7481. I haven't seen for the others.

Jean-Philippe Evrard (jean-philippe-evrard) wrote :

Because we are running 2.1.6.0 we are protected on that side.

Jean-Philippe Evrard (jean-philippe-evrard) wrote :

The bug itself is considered Invalid, but if you want to bump the version, we can discuss that in another bug.

Changed in openstack-ansible:
status: New → Invalid
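Added example, not code from the bug report or from the OpenStack-Ansible project: a small triage check that takes an installed Ansible version string and the fix versions this thread cites (2.2.3 for all three CVEs per the RHSA, 2.1.6 for CVE-2017-7481 per the mailing-list post) and reports which CVEs are still unaddressed. The FIXED_IN table and the per-branch comparison rule are assumptions built from the thread, not an official advisory feed.

```python
import re

# Constructed from the statements in this thread, not from an advisory API:
# RHSA-2017:1476 says everything before 2.2.3 is affected by all three CVEs;
# the ansible-project mailing-list post says 2.1.6 covers CVE-2017-7481 on the 2.1 branch.
FIXED_IN = {
    "CVE-2017-7466": ["2.2.3"],
    "CVE-2017-7473": ["2.2.3"],
    "CVE-2017-7481": ["2.1.6", "2.2.3"],
}


def parse_version(text):
    """Turn '2.1.6.0' or '2.2.3' into a 4-tuple of ints, ignoring suffixes like 'rc1'."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    parts = tuple(int(p) for p in m.group(1).split("."))
    # pad so that '2.2.3' and '2.2.3.0' compare as equal
    return parts + (0,) * (4 - len(parts))


def is_fixed(installed, fixed_versions):
    """Installed is fixed if it is at/above a fix on its own minor branch (e.g. 2.1.x >= 2.1.6),
    or at/above the newest fix in the list (anything >= 2.2.3 here)."""
    inst = parse_version(installed)
    fixes = [parse_version(v) for v in fixed_versions]
    newest = max(fixes)
    for fix in fixes:
        same_branch = inst[:2] == fix[:2]
        if inst >= fix and (same_branch or fix == newest):
            return True
    return False


def unpatched_cves(installed, table=FIXED_IN):
    """Return the sorted list of CVEs from the table that the installed version does not address."""
    return sorted(cve for cve, fixed in table.items() if not is_fixed(installed, fixed))


if __name__ == "__main__":
    # Newton in this thread runs 2.1.6.0: covered for CVE-2017-7481 only.
    for v in ("2.1.6.0", "2.2.1.0", "2.2.3", "2.3.0.0"):
        print(v, "->", unpatched_cves(v) or "no open CVEs from this table")
```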