CVE-2016-9587

NameCVE-2016-9587
DescriptionAnsible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs850846

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ansible (PTS)jessie, jessie (lts)1.7.2+dfsg-2+deb8u3fixed
stretch (security), stretch (lts), stretch2.2.1.0-2+deb9u3fixed
buster (security), buster, buster (lts)2.7.7+dfsg-1+deb10u2fixed
bullseye2.10.7+merged+base+2.10.17+dfsg-0+deb11u1fixed
bookworm7.7.0+dfsg-3+deb12u1fixed
sid, trixie10.6.0+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ansiblesourcejessie(not affected)
ansiblesource(unstable)2.2.0.0-3850846

Notes

[jessie] - ansible <not-affected> (Vulnerable code not present, way ssh commands was reworked in 2.x branch)
Fixed by: https://github.com/ansible/ansible/commit/ec84ff6de6eca9224bf3f22b752bb8da806611ed (v2.2.1.0-0.3.rc3)
Fixed by: https://github.com/ansible/ansible/commit/eb8c26c105e8457b86324b64a13fac37d8862d47 (v2.2.1.0-0.4.rc4)
Fixed by: https://github.com/ansible/ansible/commit/cc4634a5e73c06c6b4581f11171289ca9228391e (v2.2.1.0-0.4.rc4)
Fix in 2.2.0.0-2 only partially addressed the issues, and needed a follow-up, 2.2.0.0-3

Search for package or bug name: Reporting problems