| Summary: | ansible new security issues fixed upstream in 1.5.5 (CVE-2014-465[789], CVE-2014-4660) | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | bruno, makowski.mageia, sysadmin-bugs, tmb |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/596583/ | | |
| Whiteboard: | has_procedure advisory mga4-32-ok MGA4-64-OK | | |
| Source RPM: | ansible-1.4.3-1.mga5.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2014-04-28 19:11:57 CEST
David Walser
2014-04-28 19:12:04 CEST
Whiteboard: (none) => MGA4TOO

I have uploaded into cooker ansible 1.5.5
David Walser
2014-04-29 02:44:17 CEST
Version: Cauldron => 4

Just in case, it seems that it is this patch for "Security fix for safe_eval":
https://github.com/ansible/ansible/commit/998793fd0ab55705d57527a38cee5e83f535974c
and for Security fix for vault:
https://github.com/ansible/ansible/commit/a0e027fe362fbc209dbeff2f72d6e95f39885c69
and for apt:
https://github.com/ansible/ansible/commit/c4b5e46054c74176b2446c82d4df1a2610eddc08

CC: (none) => makowski.mageia

Thanks Philippe, that was helpful.

The vault code is not present in 1.4.3, so that's not relevant here. The other two parts are present. The safe_eval patch applies cleanly, and the apt_repository patch applies with minimal modifications. I don't know if we actually need the apt_repository patch since we don't use apt, but I'm not sure exactly how this software is used. I've added both patches.

Advisory:
========================

Ansible has been patched with minor security fixes to safe_eval and apt_repository that were fixed upstream in version 1.5.5.

References:
https://github.com/ansible/ansible/blob/release1.5.5/CHANGELOG.md
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/132215.html
========================

Updated packages in core/updates_testing:
========================
ansible-1.4.3-1.1.mga4

from ansible-1.4.3-1.1.mga4.src.rpm

CC: (none) => bruno

tested ok under Mga4 64 (generic test only)
only a simple test with a distant box where you have ssh access and your ssh-key setup in:
create a file, for example /tmp/hosts with the ip address of the distant box:
$ cat /tmp/hosts
192.168.0.51
$ ansible -i /tmp/hosts all -m ping
192.168.0.51 | success >> {
"changed": false,
"ping": "pong"
}
$

Whiteboard: (none) => has_procedure MGA4-64-OK

Testing complete mga4 32

Thanks for the procedure Philippe

Whiteboard: has_procedure MGA4-64-OK => has_procedure mga4-32-ok MGA4-64-OK

Validating. Advisory uploaded.

Could sysadmin please push to 4 updates

Thanks

Keywords: (none) => validated_update

Update pushed:
http://advisories.mageia.org/MGASA-2014-0269.html

Status: NEW => RESOLVED

FYI, Michael Scherer requested CVEs for this:
http://openwall.com/lists/oss-security/2014/06/23/10

The safe_eval issue was assigned CVE-2014-4657. The apt_repository issues were assigned CVE-2014-4659 and CVE-2014-4660. CVE-2014-4658 was assigned for the vault issue only in 1.5.x. Details are here:
http://openwall.com/lists/oss-security/2014/06/26/19

Updated advisory below.

Advisory:
========================

Ansible has been patched with minor security fixes to safe_eval (CVE-2014-4657) and apt_repository (CVE-2014-4659, CVE-2014-4660) that were fixed upstream in version 1.5.5.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4657
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4659
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4660
https://github.com/ansible/ansible/blob/release1.5.5/CHANGELOG.md
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/132215.html

Summary: ansible new security issues fixed upstream in 1.5.5 => ansible new security issues fixed upstream in 1.5.5 (CVE-2014-465[789], CVE-2014-4660)