GLSA Advocate
Joined: 12 May 2004 Posts: 2663
Posted: Wed Jul 20, 2016 3:26 pm Post subject: [ GLSA 201607-14 ] Ansible
Gentoo Linux Security Advisory
Title: Ansible: Privilege escalation (GLSA 201607-14)
Severity: normal
Exploitable: local
Date: July 20, 2016
Bug(s): #578814
ID: 201607-14
Synopsis
A vulnerability in Ansible may allow local attackers to gain
escalated privileges or write arbitrary files.
Background
Ansible is a radically simple IT automation platform.
Affected Packages
Package: app-admin/ansible
Vulnerable: < 2.0.2.0-r1
Unaffected: >= 2.0.2.0-r1
Unaffected: >= 1.9.6 < 1.9.7
Architectures: All supported architectures
Description
The create_script function in the lxc_container module of Ansible uses
predictable temporary file names, making it vulnerable to a symlink
attack.
Impact
Local attackers could write arbitrary files or gain escalated privileges
within the container.
Workaround
There is no known workaround at this time.
Resolution
All Ansible 1.9.x users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-admin/ansible-1.9.6"

All Ansible 2.0.2.x users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-admin/ansible-2.0.2.0-r1"

References
CVE-2016-3096
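
The weak pattern named in the Description (a predictable temporary file name) next to two hardened ways of creating the file, as an added example; this is not Ansible's code and not part of the advisory. The file name `lxc-script` and all function names are hypothetical, and `compare()` works only inside a scratch directory it creates itself.

```python
import os
import tempfile
from pathlib import Path

NAME = "lxc-script"  # hypothetical fixed name, not taken from the advisory

def write_predictable(directory, body):
    """Weak pattern: fixed name, and open() follows a link already at the path."""
    path = os.path.join(directory, NAME)
    with open(path, "w") as handle:
        handle.write(body)
    return path


def write_unpredictable(directory, body):
    """Hardened: mkstemp picks a random name and opens it O_CREAT|O_EXCL, 0600."""
    fd, path = tempfile.mkstemp(prefix=NAME + "-", dir=directory)
    with os.fdopen(fd, "w") as handle:
        handle.write(body)
    os.chmod(path, 0o700)  # owner-only and executable
    return path


def write_fixed_exclusive(directory, body):
    """Hardened when the name must stay fixed: fail if the path already exists."""
    path = os.path.join(directory, NAME)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o700)
    with os.fdopen(fd, "w") as handle:
        handle.write(body)
    return path


def compare():
    """Run the three writers in a scratch directory that already holds a link."""
    body = "#!/bin/sh\necho constructed-sample\n"
    with tempfile.TemporaryDirectory() as scratch:
        other = Path(scratch, "other-file")  # constructed stand-in file
        other.write_text("original\n")
        os.symlink(other, os.path.join(scratch, NAME))
        try:
            write_fixed_exclusive(scratch, body)
            refused = False
        except FileExistsError:
            refused = True
        safe_path = write_unpredictable(scratch, body)
        intact = other.read_text() == "original\n"
        write_predictable(scratch, body)
        return {"exclusive_refused": refused, "intact_after_hardened": intact,
                "weak_write_redirected": other.read_text() == body,
                "hardened_is_regular_file": not os.path.islink(safe_path)}
```

When auditing other code for the same class of bug, look for `open()` calls on fixed names under world-writable directories such as `/tmp`.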