FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

ansible -- use of predictable paths in lxc_container

Affected packages
2.0.0.0	<=	ansible	<	2.0.2.0
		ansible1	<	1.9.6

Details

VuXML ID	253c6889-06f0-11e6-925f-6805ca0b3d42
Discovery	2016-04-02
Entry	2016-04-20

Ansible developers report:

CVE-2016-3096: do not use predictable paths in lxc_container

do not use a predictable filename for the LXC attach script

don't use predictable filenames for LXC attach script logging

don't set a predictable archive_path

this should prevent symlink attacks which could result in

data corruption

data leakage

privilege escalation

[source]

References

CVE Name	CVE-2016-3096
URL	https://bugzilla.redhat.com/show_bug.cgi?id=1322925
URL	https://github.com/ansible/ansible-modules-extras/pull/1941/commits/8c6fe646ee79f5e55361b885b7efed5bec72d4a4