Name | CVE-2016-8614 |
Description | A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Debian Bugs | 842984 |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|
ansible (PTS) | jessie, jessie (lts) | 1.7.2+dfsg-2+deb8u3 | fixed |
| stretch (security), stretch (lts), stretch | 2.2.1.0-2+deb9u3 | fixed |
| buster (security), buster, buster (lts) | 2.7.7+dfsg-1+deb10u2 | fixed |
| bullseye | 2.10.7+merged+base+2.10.17+dfsg-0+deb11u1 | fixed |
| bullseye (security) | 2.10.7+merged+base+2.10.17+dfsg-0+deb11u2 | fixed |
| bookworm | 7.7.0+dfsg-3+deb12u1 | fixed |
| sid, trixie | 11.1.0+dfsg-1 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|
ansible | source | jessie | (not affected) | | | |
ansible | source | (unstable) | 2.2.0.0-1 | | | 842984 |
Notes
[jessie] - ansible <not-affected> (Vulnerable code introduced later)
Fixed upstream in v2.2.0.0-1
https://github.com/ansible/ansible-modules-core/issues/5237
https://github.com/ansible/ansible-modules-core/pull/5353
https://github.com/ansible/ansible-modules-core/pull/5357