
Bug#1070193: bookworm-pu: package ansible-core/2.14.16-0+deb12u1



Hi Lee,

On Sat, Jun 15, 2024 at 11:25:26PM +0100, Jonathan Wiltshire wrote:
> Control: tag -1 confirmed
> 
> On Wed, May 01, 2024 at 05:05:05PM +0200, Lee Garrett wrote:
> > [ Reason ]
> > This is a bugfix-only update from ansible-core 2.14.3 to 2.14.16. This fixes
> > three CVEs:
> > - Address issue where ANSIBLE_NO_LOG was ignored (CVE-2024-0690)
> > - Address issues where internal templating can cause unsafe variables to
> >   lose their unsafe designation (CVE-2023-5764)
> > - Prevent roles from using symlinks to overwrite files outside of the
> >   installation directory (CVE-2023-5115)
> > 
> > and various other bugfixes as seen here:
> > https://salsa.debian.org/python-team/packages/ansible-core/-/blob/debian/bookworm-proposed/changelogs/CHANGELOG-v2.14.rst
> 
>  1051 files changed, 8802 insertions(+), 159082 deletions(-)
> 
> Normally I'd be looking for targeted fixes for the security issues but
> upstream's descriptive changelog does look quite sensible.
> 
> You might want to change your version number - if 2.14.16-1 was never in
> sid you could use that. A +/~ revision to a version which never existed
> feels odd, as do -0 Debian versions (-1 being the first Debian release of
> this upstream version, -0 is... the zeroth?).

Did you see the ack from Jonathan?

Regards,
Salvatore

