A vulnerability in Ansible may allow local attackers to gain escalated privileges or write arbitrary files.
Package | app-admin/ansible on all architectures |
---|---|
Affected versions | < 2.0.2.0-r1 |
Unaffected versions | >= 2.0.2.0-r1 revision >= 1.9.6 |
Ansible is a radically simple IT automation platform.
The create_script function in the lxc_container module of Ansible uses predictable temporary file names, making it vulnerable to a symlink attack.
Local attackers could write arbitrary files or gain escalated privileges within the container.
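The weakness class described above, shown as an added example that is not Ansible's code: a writer that uses a guessable file name follows a pre-existing symlink, while exclusive creation or `mkstemp` does not. The function names, the `script.sh` name and the scratch layout are hypothetical and constructed for this illustration.

```python
import os
import stat
import tempfile

NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)  # not defined on every platform

def write_predictable(directory, name, body):
    """Weak pattern: guessable name, plain open() follows an existing symlink."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(body)
    return path

def write_exclusive(directory, name, body):
    """Fixed name, but creation fails if anything (even a link) already exists."""
    path = os.path.join(directory, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | NOFOLLOW, 0o700)
    with os.fdopen(fd, "w") as fh:
        fh.write(body)
    return path

def write_random(directory, body):
    """Preferred: mkstemp picks an unpredictable name and creates it with O_EXCL."""
    fd, path = tempfile.mkstemp(prefix="script-", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(body)
    os.chmod(path, stat.S_IRWXU)  # owner-only, executable
    return path

def demo():
    """Constructed scenario, confined to a private scratch directory."""
    with tempfile.TemporaryDirectory() as scratch:
        shared = os.path.join(scratch, "tmp")
        os.mkdir(shared)
        target = os.path.join(scratch, "target.conf")
        with open(target, "w") as fh:
            fh.write("original\n")
        os.symlink(target, os.path.join(shared, "script.sh"))  # link at the guessed name
        write_predictable(shared, "script.sh", "#!/bin/sh\n")
        with open(target) as fh:
            clobbered = fh.read() != "original\n"
        try:
            write_exclusive(shared, "script.sh", "#!/bin/sh\n")
            refused = False
        except FileExistsError:
            refused = True
        path = write_random(shared, "#!/bin/sh\n")
        return clobbered, refused, not os.path.islink(path)
```

`demo()` returns three booleans: the predictable writer altered the link's target, the exclusive writer refused the existing link, and the `mkstemp` file is a regular file rather than a link.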
There is no known workaround at this time.
All Ansible 1.9.x users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/ansible-1.9.6"
All Ansible 2.0.2.x users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/ansible-2.0.2.0-r1"
Release date: July 20, 2016
Latest revision: July 20, 2016: 2
Severity: normal
Exploitable: local
Bugzilla entries