Red Hat Product Errata RHSA-2017:2524 - Security Advisory

Issued:: 2017-08-22
Updated:: 2017-08-22

RHSA-2017:2524 - Security Advisory

Overview
Updated Packages

Synopsis

Moderate: ansible security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate

Topic

An update for ansible is now available for RHEV Engine version 4.1.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Ansible is a simple model-driven configuration management, multi-node
deployment, and remote-task execution system. Ansible works over SSH and
does not require any software or daemons to be installed on remote nodes.
Extension modules can be written in any language and are transferred to
managed machines automatically.

The following packages have been upgraded to a later upstream version: ansible (2.3.1.0). (BZ#1477925)

Security Fix(es):

An input validation flaw was found in Ansible, where it fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as 'unsafe' and is not evaluated. (CVE-2017-7481)

This issue was discovered by Evgeni Golov (Red Hat).

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat Virtualization 4.1 x86_64
Red Hat Virtualization Manager 4.1 x86_64

Fixes

BZ - 1450018 - CVE-2017-7481 ansible: Security issue with lookup return not tainting the jinja2 environment
BZ - 1477925 - Upgrade ansible to version 2.3.1.0

CVEs

CVE-2017-7481

References

https://access.redhat.com/security/updates/classification/#moderate

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Virtualization 4.1

SRPM
ansible-2.3.1.0-3.el7.src.rpm	SHA-256: 8c46ecd9a962c422832b994e9b76168360a93db7955de74362a7042164525606
x86_64
ansible-2.3.1.0-3.el7.noarch.rpm	SHA-256: b8e8e18aa800a9e47692f6b9ce28df2054324d017d2c4913a8f253bef3fafc00
ansible-doc-2.3.1.0-3.el7.noarch.rpm	SHA-256: e1dc27a4a00725cb3f151d0f10a212749f9a233cb39eb526324376558d0fc569

Red Hat Virtualization Manager 4.1

SRPM
ansible-2.3.1.0-3.el7.src.rpm	SHA-256: 8c46ecd9a962c422832b994e9b76168360a93db7955de74362a7042164525606
x86_64
ansible-2.3.1.0-3.el7.noarch.rpm	SHA-256: b8e8e18aa800a9e47692f6b9ce28df2054324d017d2c4913a8f253bef3fafc00
ansible-doc-2.3.1.0-3.el7.noarch.rpm	SHA-256: e1dc27a4a00725cb3f151d0f10a212749f9a233cb39eb526324376558d0fc569

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories