Your message dated Sat, 30 Nov 2024 21:35:42 +0000
with message-id <[email protected]>
and subject line Bug#1088106: fixed in ansible-core 2.18.0-2
has caused the Debian Bug report #1088106,
regarding ansible-core: CVE-2024-11079
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1088106: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088106
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ansible-core
Version: 2.18.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for ansible-core.
CVE-2024-11079[0]:
| A flaw was found in Ansible-Core. This vulnerability allows
| attackers to bypass unsafe content protections using the hostvars
| object to reference and execute templated content. This issue can
| lead to arbitrary code execution if remote data or module outputs
| are improperly templated within playbooks.
We mark this no-dsa for bookworm, but can you double-check the
upstream status and if there is an upstream reference? So far only the
Red Hat Bugzilla entry at [1] is known.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-11079
https://www.cve.org/CVERecord?id=CVE-2024-11079
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2325171
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: ansible-core
Source-Version: 2.18.0-2
Done: Bastien Roucariès <[email protected]>
We believe that the bug you reported is fixed in the latest version of
ansible-core, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bastien Roucariès <[email protected]> (supplier of updated ansible-core package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 30 Nov 2024 17:21:42 +0000
Source: ansible-core
Architecture: source
Version: 2.18.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Bastien Roucariès <[email protected]>
Closes: 1088106
Changes:
ansible-core (2.18.0-2) unstable; urgency=medium
.
* Team upload
* Fix CVE-2024-11079: This vulnerability allows attackers
to bypass unsafe content protections using the
hostvars object to reference and execute templated content.
This issue can lead to arbitrary code execution if remote
data or module outputs are improperly templated within playbooks
(Closes: #1088106).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---