It was found that apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key. Upstream bug: https://github.com/ansible/ansible-modules-core/issues/5237 Upstream patches: https://github.com/ansible/ansible-modules-core/pull/5353 https://github.com/ansible/ansible-modules-core/pull/5357
Created ansible1.9 tracking bugs for this issue: Affects: fedora-all [bug 1390651] Affects: epel-all [bug 1390653]
Created ansible tracking bugs for this issue: Affects: fedora-all [bug 1390650] Affects: epel-all [bug 1390652]
This issue is addressed in Ansible 2.2.0 available at: https://github.com/ansible/ansible/releases/tag/v2.2.0.0-1