Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2015-3908

Ansible before 1.9.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Related bugs and status

CVE-2015-3908 (Candidate) is related to these bugs:

Bug #1466216: Upgrade to ansible 1.9.2 when released

		In	Importance	Status
1466216	Upgrade to ansible 1.9.2 when released	OpenStack-Ansible	High	Fix Released
1466216	Upgrade to ansible 1.9.2 when released	OpenStack-Ansible kilo	High	Fix Released
1466216	Upgrade to ansible 1.9.2 when released	OpenStack-Ansible trunk	High	Fix Released

See the

CVE page on Mitre.org for more details.

References

MLIST: [oss-security] 2015071...
CONFIRM: http://www.ansible.com...
SUSE: openSUSE-SU-2015:1280
SUSE: openSUSE-SU-2015:1452
MLIST: [debian-lts-announce] ...