by estefan 3449 days ago
Am I the only one who finds it pretty unprofessional to release the exploits when the fixed version hasn't been released yet (and anyway was only scheduled to have been released 48 hours beforehand)?

I'm all for disclosure, but seriously - if RH want Ansible to be used in enterprise they can't expect patches at this rate. The researchers releasing the exact exploits so quickly is just irresponsible IMO.

3 comments

No, you're not the only one, but this is one of the oldest debates in computer security --- possibly the oldest debate --- and at least as many people as agree with you vigorously disagree and think that delaying information to conform with enterprise patch cycles does harm to organizations with strong security teams who can handle and respond to reports like this; those organizations tend to be the ones with the most users and the most sensitive data to protect.

While I sympathize far more with the full disclosure people than with the patch choreography people, I'm really only pointing this out to demonstrate that you're not going to resolve this debate in the HN comments about an Ansible vulnerability.

But to be a victim of this vulnerability you need to have one of the hosts already compromised AFAIU, so I don't think it's that severe.
Any exploit that turns a 1-host hack into a hack of an entire data center with root access seems worth a patch....
The article says fixes have been released.

> Resolution
>
> Ansible has released new versions that fix the vulnerabilities described in this advisory: version 2.1.4 for the 2.1 branch and 2.2.1 for the 2.2 branch.

The article is wrong. PyPI only shows 2.2.0 released in November. That's my point.
PyPI isn't the source-of-record for Ansible releases...

Latest can be found here: https://github.com/ansible/ansible/releases or https://releases.ansible.com/

There are only release candidates of the fixed versions on https://releases.ansible.com/