CVE-2016-8614

NameCVE-2016-8614
DescriptionA flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)
Debian Bugs842984

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ansible (PTS)jessie1.7.2+dfsg-2fixed
jessie (security)1.7.2+dfsg-2+deb8u1fixed
stretch (security), stretch2.2.1.0-2+deb9u1fixed
buster2.7.7+dfsg-1fixed
bullseye, sid2.7.8+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ansiblesource(unstable)2.2.0.0-1medium842984
ansiblesourcejessie(not affected)

Notes

[jessie] - ansible <not-affected> (Vulnerable code introduced later)
Fixed upstream in v2.2.0.0-1
https://github.com/ansible/ansible-modules-core/issues/5237
https://github.com/ansible/ansible-modules-core/pull/5353
https://github.com/ansible/ansible-modules-core/pull/5357

Search for package or bug name: Reporting problems