Safety vulnerability ID: 34941
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls (for example the contents of a file read with the file lookup), they could inject strings containing Jinja2 template expressions; because Ansible templates variable values lazily, a lookup result stored in a variable was evaluated again by the Jinja2 templating system when the variable was used, resulting in code execution on the control host. Since the fix, lookup results are marked 'unsafe' by default and are not re-evaluated by the templating system. See: CVE-2017-7481.
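The following is an added example, not Ansible's own code, that models the bug class in a miniature templating engine: variable values are templated when a template references them, and lookup plugins return attacker-influenced data. With fix_applied=False a lookup result stored in a variable is re-evaluated and the embedded 'pipe' lookup fires; with fix_applied=True the result is tagged unsafe (the role of Ansible's wrap_var) and passes through verbatim. The class names UnsafeText and Templar, the set_fact/debug-style scenario, and the file contents are constructed for this example; the 'pipe' lookup runs nothing and only records that it was invoked.

```python
"""Toy model of CVE-2017-7481: lookup results re-templated unless marked unsafe.

Added example, not Ansible's own implementation. Names (UnsafeText, Templar,
run_scenario) and the sample data are this example's own.
"""
import re

EXPR = re.compile(r"\{\{\s*(.*?)\s*\}\}")
LOOKUP = re.compile(r"lookup\(\s*'(\w+)'\s*,\s*'([^']*)'\s*\)")


class UnsafeText(str):
    """Marker for untrusted text; the templar returns it verbatim, never re-evaluates it."""


def wrap_var(value):
    """Tag a lookup result as unsafe (what the fix does); containers are tagged element-wise."""
    if isinstance(value, UnsafeText):
        return value
    if isinstance(value, str):
        return UnsafeText(value)
    if isinstance(value, list):
        return [wrap_var(v) for v in value]
    if isinstance(value, dict):
        return {k: wrap_var(v) for k, v in value.items()}
    return value


class Templar:
    def __init__(self, variables, lookups, fix_applied):
        self.vars = variables
        self.lookups = lookups
        self.fix_applied = fix_applied

    def template(self, value, depth=0):
        if isinstance(value, UnsafeText):
            return value  # untrusted data passes through untouched
        if not isinstance(value, str):
            return value
        if depth > 20:
            raise RecursionError("template nesting too deep")
        tainted = False

        def substitute(match):
            nonlocal tainted
            piece = self._evaluate(match.group(1), depth)
            tainted = tainted or isinstance(piece, UnsafeText)
            return str(piece)

        result = EXPR.sub(substitute, value)
        # An unsafe fragment taints the whole rendered string, so it is never re-templated later.
        return UnsafeText(result) if tainted else result

    def _evaluate(self, expr, depth):
        call = LOOKUP.fullmatch(expr)
        if call:
            name, arg = call.groups()
            result = self.lookups[name](arg)
            # Before the fix, results came back as plain str and were eligible
            # for another round of templating wherever they were used later.
            return wrap_var(result) if self.fix_applied else result
        # Plain variable reference: the variable's value is templated on access.
        return self.template(self.vars[expr], depth + 1)

    def set_fact(self, name, expr):
        self.vars[name] = self.template(expr)


def run_scenario(fix_applied):
    """Return (rendered debug message, list of 'pipe' commands that were invoked)."""
    # Constructed attacker-controlled file contents (e.g. a file fetched from a managed host).
    files = {"motd.txt": "{{ lookup('pipe', 'id') }}"}
    pipe_calls = []

    def pipe_lookup(cmd):
        pipe_calls.append(cmd)             # stand-in for subprocess execution on the controller
        return "uid=0(root) gid=0(root)"  # constructed output, nothing is executed

    lookups = {"file": files.__getitem__, "pipe": pipe_lookup}
    t = Templar({}, lookups, fix_applied)
    # Playbook-equivalent: set_fact stores the lookup result, a later task uses the variable.
    t.set_fact("motd", "{{ lookup('file', 'motd.txt') }}")
    msg = t.template("Message of the day: {{ motd }}")
    return str(msg), pipe_calls


if __name__ == "__main__":
    for fixed in (False, True):
        msg, calls = run_scenario(fixed)
        print(f"fix_applied={fixed}: msg={msg!r} pipe_calls={calls}")
```

The check that matters is the second element of run_scenario's result: in the vulnerable configuration the 'pipe' lookup is invoked with the attacker's command even though the playbook never wrote a pipe lookup itself, while with unsafe tagging the template markers survive as literal text.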
Latest version: 11.1.0
Radically simple IT automation
Bugfixes
* Security fix for CVE-2017-7481 - data for lookup plugins used as variables was not being correctly marked as "unsafe".
* Fix default value of fetch module's validate_checksum to be True
* Added fix for "meta: refresh_connection" not working with default 'smart' connection.
* Fix template so that the --diff command line option works when the destination is a directory
* Fix python3 bugs in pam_limits
* Fix unbound error when using module deprecation as a single string
* Several places in which error handling was broken due to bad conversions or just typos
* Fix to user module for appending/setting groups on OpenBSD (flags were reversed)
* assemble fix to use safer os.path.join, avoids charset issues
* fixed issue with solaris facts and i18n
* added python2.4 compatibility fix to sysctl module
* Fix comparison of existing container security opts in the docker_container module
* fixed service module invocation of insserv on certain platforms
* Fix traceback in os_user in an error case.
* Fix docker container to restart a container when changing to fewer exposed ports
* Fix tracebacks in docker_network
* Fixes to detection of updated docker images
* Handle detection of docker image changes when published ports is changed
* Fix for docker_container restarting images when links list is empty.