CVE-2016-8614

NameCVE-2016-8614
DescriptionA flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium
Debian Bugs842984

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ansible (PTS)stretch2.2.1.0-2+deb9u1fixed
stretch (security)2.2.1.0-2+deb9u2fixed
buster2.7.7+dfsg-1fixed
buster (security)2.7.7+dfsg-1+deb10u1fixed
bookworm, sid, bullseye2.10.7+merged+base+2.10.8+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ansiblesourcejessie(not affected)
ansiblesource(unstable)2.2.0.0-1842984

Notes

[jessie] - ansible <not-affected> (Vulnerable code introduced later)
Fixed upstream in v2.2.0.0-1
https://github.com/ansible/ansible-modules-core/issues/5237
https://github.com/ansible/ansible-modules-core/pull/5353
https://github.com/ansible/ansible-modules-core/pull/5357

Search for package or bug name: Reporting problems