On 16.06.24 00:25, Jonathan Wiltshire wrote:
Control: tag -1 confirmed

On Wed, May 01, 2024 at 05:05:05PM +0200, Lee Garrett wrote:
[ Reason ]
This is a bugfix-only update from ansible-core 2.14.3 to 2.14.16. This fixes
three CVEs:
- Address issue where ANSIBLE_NO_LOG was ignored (CVE-2024-0690)
- Address issues where internal templating can cause unsafe variables to
   lose their unsafe designation (CVE-2023-5764)
- Prevent roles from using symlinks to overwrite files outside of the
   installation directory (CVE-2023-5115)

and various other bugfixes as seen here:
https://salsa.debian.org/python-team/packages/ansible-core/-/blob/debian/bookworm-proposed/changelogs/CHANGELOG-v2.14.rst

  1051 files changed, 8802 insertions(+), 159082 deletions(-)

Normally I'd been looking for targeted fixes for the security issues but
upstream's descriptive changelog does look quite sensible.

You might want to change your version number - if 2.14.16-1 was never in
sid you could use that. A +/~ revision to a version which never existed
feels odd, as do -0 Debian versions (-1 being the first Debian release of
this upstream version, -0 is... the zeroth?).

I double-checked if it was me or the tooling that set the version number to 2.14.16-0+deb12u1, and it's even part of official policy:

https://www.debian.org/doc/debian-policy/ch-controlfields.html#special-version-conventions -> stable-updates -> bullet point 3

So I'll go ahead and upload as is unless you have any reservations.

Greetings,
Lee
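The version question above comes down to how dpkg orders version strings: a `-0+deb12u1` revision sorts below a later `-1` upload of the same upstream version from unstable, and a `~` component sorts below anything else, which is why the stable-updates convention uses it. The following is an added example, not part of this bug thread or of Debian's own tooling: a self-contained Python reimplementation of dpkg's version comparison (epoch, upstream version, Debian revision, with the alternating non-digit/digit comparison and the special weight of `~`), used to check the ordering of the versions discussed here. The helper names are my own; the version strings come from the thread except where marked as constructed.

```python
import re

def _order(c: str) -> int:
    """Weight of a non-digit character in dpkg's algorithm:
    '~' sorts before everything (even end of string), letters sort
    by code point, other punctuation sorts after letters."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments the way dpkg's verrevcmp() does:
    alternate between a run of non-digits (compared by _order) and a
    run of digits (compared numerically, leading zeros ignored)."""
    while a or b:
        first_diff = 0
        # Non-digit run
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0]) if a else 0
            bc = _order(b[0]) if b else 0
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Digit run
        a, b = a.lstrip("0"), b.lstrip("0")
        while a and a[0].isdigit() and b and b[0].isdigit():
            if not first_diff:
                first_diff = (a[0] > b[0]) - (a[0] < b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(version: str) -> tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]'. A missing revision is
    equivalent to '0', as Debian Policy states."""
    m = re.fullmatch(r"(?:(\d+):)?([^-]+(?:-[^-]+)*?)(?:-([^-]+))?", version)
    if not m:
        raise ValueError(f"not a valid Debian version: {version!r}")
    epoch = int(m.group(1) or 0)
    upstream = m.group(2)
    revision = m.group(3) or "0"
    return epoch, upstream, revision

def compare_versions(a: str, b: str) -> int:
    """Return <0, 0 or >0 like dpkg --compare-versions would order a and b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    r = _verrevcmp(ua, ub)
    if r:
        return r
    return _verrevcmp(ra, rb)

def is_lower(a: str, b: str) -> bool:
    return compare_versions(a, b) < 0

if __name__ == "__main__":
    # Versions from the thread: the proposed stable update and the
    # form a first unstable upload of the same upstream version would take.
    print(is_lower("2.14.16-0+deb12u1", "2.14.16-1"))      # True: stable sorts below sid
    print(is_lower("2.14.3-3", "2.14.16-0+deb12u1"))        # True (2.14.3-3 is a constructed old revision)
    print(is_lower("2.14.16-0~bpo12+1", "2.14.16-0+deb12u1"))  # True ('~' sorts first; constructed)
```

The sample run shows the property the policy relies on: a version string that never existed in sid is fine as long as it sorts below whatever sid will eventually carry, and `2.14.16-0+deb12u1` does, so a later `2.14.16-1` upgrade path is preserved. The regular expression and the `_split` helper are an assumption of mine for the `epoch:upstream-revision` layout; `dpkg --compare-versions` remains the authoritative check on a real system.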
