[stable-6] inventory plugins: make data obtained from remote unsafe (#8147)

inventory plugins: make data obtained from remote unsafe (#8098) Make data obtained from remote unsafe. (cherry picked from commit d62fe154d2)
2026-05-07 05:42:50 +00:00 · 2024-03-25 06:50:17 +01:00
parent 12df7f7a95
commit d250bb5217
14 changed files with 83 additions and 46 deletions
--- a/changelogs/fragments/inventory-rce.yml
+++ b/changelogs/fragments/inventory-rce.yml
@@ -0,0 +1,6 @@
+security_fixes:
+  - "cobbler, gitlab_runners, icinga2, linode, lxd, nmap, online, opennebula, proxmox, scaleway, stackpath_compute, virtualbox,
+     and xen_orchestra inventory plugin - make sure all data received from the remote servers is marked as unsafe, so remote
+     code execution by obtaining texts that can be evaluated as templates is not possible
+     (https://www.die-welt.net/2024/03/remote-code-execution-in-ansible-dynamic-inventory-plugins/,
+      https://github.com/ansible-collections/community.general/pull/8098)."