| Summary: | ansible new security issues fixed upstream in 1.6.7 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | bruno, makowski.mageia, sysadmin-bugs, wilcal.int |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | Mageia 4 | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/605177/ | ||
| Whiteboard: | has_procedure advisory mga4-32-ok mga4-64-ok | ||
| Source RPM: | ansible-1.5.5-2.mga5.src.rpm | CVE: | |
| Status comment: | |||
Description

David Walser 2014-07-02 17:22:27 CEST

David Walser 2014-07-02 17:22:34 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Fedora has issued an advisory for this on July 3:
https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135284.html

URL: (none) => http://lwn.net/Vulnerabilities/605177/

More CVEs have been assigned for issues fixed in 1.6.7 (CVE-2014-496[67]):
http://openwall.com/lists/oss-security/2014/07/22/1
https://github.com/ansible/ansible/blob/release1.6.7/CHANGELOG.md

Summary: ansible new security issues fixed upstream in 1.6.6 => ansible new security issues fixed upstream in 1.6.7

Ansible 1.6.8 is out and fixes regressions:
https://github.com/ansible/ansible/blob/release1.6.8/CHANGELOG.md

Maybe we should just update everything to 1.6.8?

Done for cauldron and mga4 (not found for mga3).
Adv prepared.

Status: NEW => ASSIGNED

(In reply to Bruno Cornec from comment #4)
> Done for cauldron and mga4 (not found for mga3).

Oops, yes, no mga3 :o) Thanks!

You may have noticed it didn't build, however :o(

(In reply to Bruno Cornec from comment #4)
> Adv prepared.

Where?

Assignee: security => bruno

(In reply to David Walser from comment #5)
> (In reply to Bruno Cornec from comment #4)
> > Done for cauldron and mga4 (not found for mga3).
>
> Oops, yes, no mga3 :o) Thanks!
>
> You may have noticed it didn't build, however :o(

Also, the subrel should be removed in the Mageia 4 update.

It's now built and uploaded in the repos correctly (was a missing BuildRequire).
Adv is in SVN as per instructions (simple one).
subrel was removed (is it just necessary when the version remains the same?)

Status: ASSIGNED => RESOLVED

Yes, the subrel is only needed when the version doesn't change. The release tag should go back to 1 when the version is updated.

This can't be marked as fixed until the Mageia 4 update is tested and released.

QA: the Mageia 4 update is ansible-1.6.8-2.mga4 from ansible-1.6.8-2.mga4.src.rpm

Status: RESOLVED => REOPENED

Advisory:
========================

Updated ansible package fixes security vulnerabilities:

The Ansible platform before version 1.6.7 suffers from input sanitization errors that allow arbitrary code execution as well as an information leak, in case an attacker is able to control certain playbook variables (CVE-2014-4678, CVE-2014-4966, CVE-2014-4967).

The ansible package has been updated to version 1.6.8, which fixes these issues and several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4678
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4966
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4967
http://openwall.com/lists/oss-security/2014/07/02/2
http://www.ocert.org/advisories/ocert-2014-004.html
https://github.com/ansible/ansible/blob/release1.6.8/CHANGELOG.md
https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135284.html
========================

Updated packages in core/updates_testing:
========================
ansible-1.6.8-2.mga4

from ansible-1.6.8-2.mga4.src.rpm

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=13278#c4

Whiteboard: (none) => has_procedure

Bruno, could we get this updated to 1.6.10? 1.6.9 fixes regressions related to the security fixes.
https://github.com/ansible/ansible/blob/release1.6.10/CHANGELOG.md

Adding feedback marker and awaiting new version.

Whiteboard: has_procedure => has_procedure feedback

Fedora has issued an advisory for CVE-2014-496[67] on July 26:
https://lists.fedoraproject.org/pipermail/package-announce/2014-August/136395.html

from http://lwn.net/Vulnerabilities/608197/

They updated to 1.6.10.

CC: (none) => qa-bugs

Pushed 1.6.10 in cauldron and 4 as core/updates_testing

Target Milestone: --- => Mageia 4

Thanks Bruno!

Advisory:
========================

Updated ansible package fixes security vulnerabilities:

The Ansible platform before version 1.6.7 suffers from input sanitization errors that allow arbitrary code execution as well as an information leak, in case an attacker is able to control certain playbook variables (CVE-2014-4678, CVE-2014-4966, CVE-2014-4967).

The ansible package has been updated to version 1.6.8, which fixes these issues and several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4678
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4966
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4967
http://openwall.com/lists/oss-security/2014/07/02/2
http://www.ocert.org/advisories/ocert-2014-004.html
https://github.com/ansible/ansible/blob/release1.6.10/CHANGELOG.md
https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135284.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-August/136395.html
========================

Updated packages in core/updates_testing:
========================
ansible-1.6.10-1.mga4

from ansible-1.6.10-1.mga4.src.rpm

CC: qa-bugs => (none)

In VirtualBox, M4, KDE, 32-bit

Package(s) under test: ansible

default install of ansible

[root@localhost ~]# urpmi ansible
Package ansible-1.4.3-1.1.mga4.noarch is already installed

I created two Vbox clients
ansible source & ansible target
The IP of the target is 192.168.1.125
I then installed ansible in the source and that created /etc/ansible/hosts which simply contained 192.168.1.125.

I then executed:

[root@localhost ~]# ansible -i /etc/ansible all -m ping
ERROR: Invalid ini entry: /etc/ansible/hosts - need more than 1 value to unpack

And ansible errored out. So the test procedure in:
https://bugs.mageia.org/show_bug.cgi?id=13278#c4
failed for me. Is there a better one? Or am I doing something wrong?

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int

Did you set bridged networking for the vbox clients Bill? It will not be accessible remotely otherwise; could be the cause of the error.

Good question. I have four Vbox clients that I use as standards. Those clients are M3 32 & 64bit, M4 32 & 64bit. I keep all those clients, and the host, updated daily. Yes, those four clients are connected to the LAN using the bridged mode, so the LAN router is assigning a DHCP address. I do not change the Vbox assigned MAC addresses when I clone them for test. The only time I may use a NAT connection is with preliminary testing of a Live-CD/DVD. As I test an update, say for ansible, I clone the appropriate saved standard client, calling it another name, and test that, not the saved standard clients. This testing process has been pretty successful over the last couple of Vbox releases.

Testing complete mga4 64

Created /tmp/hosts with just the ip of the remote computer in it.
If not already set up on that host for passwordless ssh then do that first.
ie.
Local = 192.168.1.20
remote = 192.168.1.25
/tmp/hosts contains 192.168.2.25

Enable passwordless ssh login
$ ssh-copy-id 192.168.1.25
you should then be able to log in with ssh without a password. Log back out if all is ok.

Then, back on local..
$ ansible -i /tmp/hosts all -m ping
192.168.1.25 | success >> {
    "changed": false,
    "ping": "pong"
}

Whiteboard: has_procedure => has_procedure mga4-64-ok

/tmp/hosts contains 192.168.1.25 not 2.25 :\

Testing complete mga4 32

Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-32-ok mga4-64-ok

Validating. Advisory updated. Could sysadmin please push to 4 updates. Thanks.

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0350.html

Status: REOPENED => RESOLVED

LWN reference for CVE-2014-4678:
http://lwn.net/Vulnerabilities/609508/
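The ad-hoc ping test from the testing procedure above, wrapped in a small POSIX shell script. This is an added example, not part of the bug report or of Mageia's QA procedure. It assumes the flat inventory format the procedure uses (one IP address or hostname per line, optionally with INI `[group]` headers and `#` comments), that `ansible` is in PATH, and that passwordless ssh to the target is already set up. Before invoking ansible it checks that the path given with `-i` is a regular file with at least one well-formed host entry, so an inventory problem is reported locally rather than surfacing as an ansible parse error.

```shell
#!/bin/sh
# Added example: wrapper around the QA ping test used in the procedure above.
# Not part of the bug report. Assumes a flat inventory file with one host per
# line (optionally [group] headers and # comments) and that ansible is in PATH.

# check_inventory FILE
# Return 0 when FILE is a regular, non-empty file whose non-comment lines are
# single host tokens (IPv4/IPv6 address or hostname) or [group] headers.
check_inventory() {
    inv=$1
    if [ ! -f "$inv" ]; then
        echo "inventory '$inv' is not a regular file (pass the hosts file, not its directory)" >&2
        return 1
    fi
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        # drop trailing comments and surrounding whitespace
        line=${line%%#*}
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        [ -z "$line" ] && continue
        # [group] headers are valid INI inventory; accept them without counting
        case $line in
            \[*\]) continue ;;
        esac
        # a host entry may contain only address/hostname characters
        case $line in
            *[!A-Za-z0-9.:_-]*)
                echo "bad inventory entry: '$line'" >&2
                return 1 ;;
        esac
        n=$((n + 1))
    done < "$inv"
    if [ "$n" -eq 0 ]; then
        echo "inventory '$inv' lists no hosts" >&2
        return 1
    fi
    return 0
}

# ping_all FILE
# Validate FILE, then run the ansible ping module against every host in it.
# The exit status of ansible is passed through to the caller.
ping_all() {
    check_inventory "$1" || return 1
    ansible -i "$1" all -m ping
}

# usage: sh ansible-ping-test.sh /tmp/hosts
if [ "$#" -gt 0 ]; then
    ping_all "$1"
fi
```

Run it as `sh ansible-ping-test.sh /tmp/hosts` from the local machine once `ssh-copy-id` has been done for the target; a non-zero exit means either the inventory failed the local checks (message on stderr) or ansible itself reported a failure for at least one host.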