| Summary: | ansible new security issues CVE-2016-8614, CVE-2016-8628, CVE-2016-8647, CVE-2016-9587, CVE-2017-7466 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | bruno, davidwhodgins, herman.viaene, lewyssmith, mageia, makowski.mageia, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | Mageia 5 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/705915/ | ||
| Whiteboard: | has_procedure advisory MGA5-64-OK MGA5-32-OK | ||
| Source RPM: | ansible-1.9.6-1.mga5.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2016-11-08 18:21:45 CET
David Walser
2016-11-08 18:21:51 CET
Whiteboard:
(none) =>
MGA5TOO
David Walser
2016-11-08 18:22:02 CET
Severity:
normal =>
major

From https://bugzilla.redhat.com/show_bug.cgi?id=1388113 version 1.9 is not affected by CVE-2016-8628.
The other CVE is also valid for 1.9 per https://github.com/ansible/ansible-modules-core/commit/746d51d1ff7a7bb3c2c71a2d8239cba93b6dea96 and https://github.com/ansible/ansible-modules-core/commit/746d51d1ff7a7bb3c2c71a2d8239cba93b6dea96
I'll look at applying these to our 1.9 version in order to avoid upgrading it to 2.2.0.0 and creating migration issues.

removing cauldron, as we have version 2.2.0.0 in cauldron.

CC:
(none) =>
mageia

Seems I messed up the ref upper, and missed the second one which is:
https://github.com/ansible/ansible-modules-core/commit/08017c2be0991877bd4bb6d14ba2ff9450f17184

Status:
NEW =>
ASSIGNED

Uploaded a version to updates_testing.
Seems that only one patch was needed; the other one was already part of the code.

Assignee:
bruno =>
qa-bugs

Please don't forget to post the advisory here Bruno (and if you also uploaded it to SVN yourself, mark that on the whiteboard):
https://wiki.mageia.org/en/Updates_policy#Maintainer_.28or_any_interested_packager.29

For basic testing, this needs a couple of networked computers with ssh access using ssh key. The procedure below is taken from:
https://bugs.mageia.org/show_bug.cgi?id=16309#c9 [thanks Philippe]
https://bugs.mageia.org/show_bug.cgi?id=16309#c12 [thanks Shlomi]
---
create a file, for example /tmp/hosts with the ip address of the distant box:
$ cat /tmp/hosts
192.168.0.51
$ ansible -i /tmp/hosts all -m ping
192.168.0.51 | success >> {
"changed": false,
"ping": "pong"
}
Another example:
$ cat /tmp/hosts
10.0.0.5
10.0.0.10
$ ansible -i /tmp/hosts all -m ping
10.0.0.5 | success >> {
"changed": false,
"ping": "pong"
}
10.0.0.10 | success >> {
"changed": false,
"ping": "pong"
}
---

CC:
(none) =>
lewyssmith

MGA5-32 on AcerD620 Xfce
No installation issues
I fail to understand this. I generated on the test laptop
[xxxx@yyyy .ssh]$ ssh-keygen -t rsa
no passphrase used
then
[xxxx@yyyy .ssh]$ ssh-copy-id aaaa@bbbb
Password:
Now try logging into the machine, with "ssh 'aaaa@bbbb'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
note that the users xxxx and aaaa are not the same
then
[xxxx@yyyy .ssh]$ ssh 'aaaa@bbbb'
Last login: Fri Jan 13 09:59:45 2017
[aaaa@bbbb ~]$ exit
logout
Connection to bbbb closed.
[xxxx@yyyy .ssh]$ ansible -vvvv -i /tmp/hosts all -m ping
<192.168.2.1> ESTABLISH CONNECTION FOR USER: xxxx
<192.168.2.1> REMOTE_MODULE ping
<192.168.2.1> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/home/tester5/.ansible/cp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 192.168.2.1 /bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1484317641.91-202769214120196 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1484317641.91-202769214120196 && echo $HOME/.ansible/tmp/ansible-tmp-1484317641.91-202769214120196'
192.168.2.1 | FAILED => SSH Error: Permission denied (publickey,password,keyboard-interactive).
while connecting to 192.168.2.1:22
It is sometimes useful to re-run the command using -vvvv, which prints SSH debug output to help diagnose the issue.
note that 192.168.2.1 is in the /tmp/hosts file

CC:
(none) =>
herman.viaene

in your case you should then use:
[xxxx@yyyy .ssh]$ ansible -vvvv -u aaaa -i /tmp/hosts all -m ping

CC:
(none) =>
makowski.mageia

Tx Philippe, that did the trick, now I get
[xxxx@yyyy .ssh]$ ansible -vvvv -u aaaa -i /tmp/hosts all -m ping
bbbbb | success >> {
"changed": false,
"ping": "pong"
}

Whiteboard:
has_procedure =>
has_procedure MGA5-32-OK

Please provide an advisory. TIA.
And thanks Herman for your test.

Advisory:
========================
Updated ansible packages fix security vulnerability:

It was found that apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key (CVE-2016-8614).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8614
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BTRG5RQTE7EPZLVJR7WCHPV2O3LCCEJ5/

Advisory uploaded, but it *lacks the SRPM*. Please can someone add that to it.

Whiteboard:
has_procedure MGA5-32-OK =>
has_procedure MGA5-32-OK advisory

Fedora has issued an advisory today (January 25):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WJGWOHRWU3FB2DF3V6NNS4GGBWKSOWYA/
Ansible 2.2.1 fixes at least two more security issues.

CC:
(none) =>
qa-bugs

CVE-2016-8647:
https://lwn.net/Vulnerabilities/712665/

CVE-2016-9587:
https://lwn.net/Vulnerabilities/712658/

(In reply to David Walser from comment #15)
> CVE-2016-8647:
> https://lwn.net/Vulnerabilities/712665/
>
> CVE-2016-9587:
> https://lwn.net/Vulnerabilities/712658/

https://bugs.mageia.org/show_bug.cgi?id=20115

Fedora has issued an advisory today (April 17):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UQMRFYTFTPAGI22UEXIEZH4U4BOTGVWH/
It fixes a new issue, CVE-2017-7466.

Summary:
ansible new security issues CVE-2016-8614, CVE-2016-8628, CVE-2016-8647, and CVE-2016-9587 =>
ansible new security issues CVE-2016-8614, CVE-2016-8628, CVE-2016-8647, CVE-2016-9587, CVE-2017-7466

Hello,
Sorry for being late :-(
I have now uploaded 2.3.0.0 to cauldron and asked for a freeze push. That will fix these issues.
Now what do you want we do for mga5 ? Should I backport it ? (I'm currently using 2.1.1.0 on mga5 without issues)

It's up to you. If updating it fixes all of the remaining issues and that's easier than backporting the remaining patches, that's fine. We've updated ansible in the past without issues.

Version:
Cauldron =>
5

I've pushed ansible 2.3.0.0 for mga5 as well now.

If CVE-2016-9587 didn't affect Mageia 5, then CVE-2017-7466 wouldn't either (as it's for an incomplete fix for the former), so not listing it in the advisory.

Keep in mind that the advisory in SVN needs to be updated accordingly.

Bruno, if I recall correctly, we needed to update Cauldron from 2.3.0.0 to 2.3.1.0 to fix a regression. Shouldn't we do the same here?

Advisory:
========================
Updated ansible packages fix security vulnerabilities:

It was found that apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key (CVE-2016-8614).

It is reported that in Ansible, under some circumstances the mysql_user module may fail to correctly change a password. Thus an old password may still be active when it should have been changed (CVE-2016-8647).

The ansible package has been updated to version 2.3 to fix these issues and several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8614
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8647
https://github.com/ansible/ansible/blob/stable-2.3/CHANGELOG.md
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BTRG5RQTE7EPZLVJR7WCHPV2O3LCCEJ5/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WJGWOHRWU3FB2DF3V6NNS4GGBWKSOWYA/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UQMRFYTFTPAGI22UEXIEZH4U4BOTGVWH/
========================
Updated packages in core/updates_testing:
========================
ansible-2.3.0.0-2.mga5

from ansible-2.3.0.0-2.mga5.src.rpm

It looks as if this update needs to be recycled for re-testing. It is not currently in madb/tools/updates. I will revise the Advisory.

Bruno hasn't assigned it back to QA yet. I'm waiting to see if we need to update it again.

Thanks for the clarification. I shall leave the defunct Advisory alone until then.

Updated to 2.3.1.0 as well in parity with cauldron now.

Target Milestone:
--- =>
Mageia 5

Thanks, and wouldn't you know that 2.3.1 has another security fix.

Please do try to reset the release tag to 1 in the future when upgrading a package for stable.

Advisory:
========================
Updated ansible packages fix security vulnerabilities:

It was found that apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key (CVE-2016-8614).

It is reported that in Ansible, under some circumstances the mysql_user module may fail to correctly change a password. Thus an old password may still be active when it should have been changed (CVE-2016-8647).

Data for lookup plugins used as variables was not being correctly marked as "unsafe" (CVE-2017-7481).

The ansible package has been updated to version 2.3.1 to fix these issues and several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8614
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8647
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7481
https://github.com/ansible/ansible/blob/stable-2.3/CHANGELOG.md
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BTRG5RQTE7EPZLVJR7WCHPV2O3LCCEJ5/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WJGWOHRWU3FB2DF3V6NNS4GGBWKSOWYA/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UQMRFYTFTPAGI22UEXIEZH4U4BOTGVWH/
========================
Updated packages in core/updates_testing:
========================
ansible-2.3.1.0-2.mga5

from ansible-2.3.1.0-2.mga5.src.rpm

CC:
(none) =>
bruno
David Walser
2017-06-09 16:16:47 CEST
CC:
qa-bugs =>
(none)

Testing on x86_64.
I use non standard ports for ssh to avoid having script kiddies fill my logs. In my test, the word munged is replaced by the port number I use for that host in the below example.
$ echo '192.168.10.101:munged'>/tmp/hosts
$ ansible -i /tmp/hosts all -m ping
192.168.10.101 | SUCCESS => {
"changed": false,
"ping": "pong"
}
Tested on i586 with same results. I did note that it has added requires ...
# urpmi ansible
To satisfy dependencies, the following packages are going to be installed:
Package Version Release Arch
(medium "Core Release (distrib1)")
libdbusglib-gir1.0 1.42.0 3.mga5 i586
(medium "Core Updates (distrib3)")
libnetworkmanager-gir1.0 1.0.12 1.1.mga5 i586
libnm-glib4 1.0.12 1.1.mga5 i586
libnm-util2 1.0.12 1.1.mga5 i586
libnm0 1.0.12 1.1.mga5 i586
libnmclient-gir1.0 1.0.12 1.1.mga5 i586
(medium "Core Updates Testing (distrib5)")
ansible 2.3.1.0 2.mga5 noarch
Same results in testing before and after installing the updated version.

Keywords:
(none) =>
validated_update

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0164.html

Resolution:
(none) =>
FIXED |
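
The advisory text for CVE-2016-8614 in this report turns on the difference between matching a short key ID and matching a full fingerprint. The following Python example is added here for illustration; it is not part of the bug report and not Ansible's apt_key code. It parses constructed records in the gpg --with-colons layout and compares the two checks; the fingerprints and all function names are made up for the example.

```python
import re
FULL_FPR = re.compile(r"[0-9A-F]{40}")

def normalize_fingerprint(value):
    """Return a 40-hex-digit fingerprint; reject short (8) and long (16) key IDs."""
    cleaned = value.replace(" ", "").upper()
    if cleaned.startswith("0X"):
        cleaned = cleaned[2:]
    if not FULL_FPR.fullmatch(cleaned):
        raise ValueError("need a full 40-hex-digit fingerprint, got %r" % value)
    return cleaned

def primary_fingerprints(colon_listing):
    """Fingerprint of each primary key in `gpg --with-colons` style output."""
    found, last_record = [], None
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            last_record = fields[0]
        elif fields[0] == "fpr" and last_record == "pub" and len(fields) > 9:
            found.append(fields[9].upper())  # field 10 carries the fingerprint
            last_record = None
    return found

def short_id_matches(colon_listing, short_id):
    """Weak check: every primary key whose last 8 hex digits equal short_id."""
    return [f for f in primary_fingerprints(colon_listing) if f.endswith(short_id.upper())]

def key_is_expected(colon_listing, expected):
    """Strict check: exactly one primary key, and its full fingerprint matches."""
    return primary_fingerprints(colon_listing) == [normalize_fingerprint(expected)]

def record(fpr, with_subkey=False):
    """Build constructed pub/fpr (and optional sub/fpr) records for the demo."""
    text = "pub:-:4096:1:%s:1478000000:\nfpr%s%s:\n" % (fpr[-16:], ":" * 9, fpr)
    if with_subkey:
        sub = "AA" * 20  # constructed subkey fingerprint
        text += "sub:-:4096:1:%s:1478000000:\nfpr%s%s:\n" % (sub[-16:], ":" * 9, sub)
    return text

# Constructed fingerprints: different keys that share the short ID DEADBEEF.
GENUINE = "0123456789ABCDEF0123456789ABCDEF" + "DEADBEEF"
LOOKALIKE = "FEDCBA9876543210FEDCBA9876543210" + "DEADBEEF"

if __name__ == "__main__":
    both = record(GENUINE, with_subkey=True) + record(LOOKALIKE)
    print("short-ID matches:", short_id_matches(both, "deadbeef"))
    print("genuine accepted:", key_is_expected(record(GENUINE, True), GENUINE))
    print("lookalike accepted:", key_is_expected(record(LOOKALIKE), GENUINE))
```

The strict check also refuses a listing that contains more than one primary key, so a second key delivered alongside the expected one is not silently accepted.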