| Summary: | ansible new security issues CVE-2021-3447 and CVE-2021-3583 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, bruno, davidwhodgins, herman.viaene, mageia, ouaurelien, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | ansible-2.9.18-1.mga8.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2021-04-23 17:46:56 CEST
David Walser
2021-04-23 17:47:11 CEST
Status comment: (none) => Fixed upstream in 2.9.20

Assigning to NicolasL (did the 2.9.18 commit); CC'ing Bruno whose SRPM this nominally is.

Assignee: bugsquad => mageia

Another equivalent advisory:
https://access.redhat.com/errata/RHSA-2021:1342

Updates for cauldron and mga8 on their way. Looking at what to do for mga7.

Status: NEW => ASSIGNED
Bruno Cornec
2021-05-03 12:01:08 CEST
Assignee: mageia => bruno

ansible 2.9.22 pushed to cauldron and mga8.

For mga7 there is a need to apply the patch available here and adapt it:
https://github.com/ansible-collections/community.network/pull/223/files

ansible-2.9.22-1.mga8 uploaded to updates_testing by Bruno.

Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO

(In reply to Bruno Cornec from comment #5)
> For mga7 there is a need to apply the patch available here and adapt it:
> https://github.com/ansible-collections/community.network/pull/223/files

Ping Bruno.

SUSE has issued an advisory for this on June 22:
https://lists.suse.com/pipermail/sle-security-updates/2021-June/009066.html

Removing Mageia 7 from whiteboard due to EOL:
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Mageia 8 update is already in updates_testing, assigning to QA.

Whiteboard: MGA7TOO => (none)

Fedora has issued an advisory on July 2:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WV7F6HL3DG7SHWHJMGWD3ZDJRAB65XNU/

The issue is fixed upstream in 2.9.23. Mageia 8 is also affected.

Assignee: qa-bugs => bruno

Red Hat has issued an advisory for the new CVE today (July 7):
https://access.redhat.com/errata/RHSA-2021:2664

fixed in mga8/9
src:
- ansible-2.9.23-1.mga8

Assignee: bruno => qa-bugs

Advisory:
========================

Updated ansible package fixes security vulnerabilities:

A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attacker can take advantage of this information to steal those credentials, provided they have access to the log files containing them. The highest threat from this vulnerability is to data confidentiality. This flaw affects Red Hat Ansible Automation Platform in versions before 1.2.2 and Ansible Tower in versions before 3.8.2 (CVE-2021-3447).

A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This flaw allows attackers to perform command injection, which discloses sensitive information. The highest threat from this vulnerability is to confidentiality and integrity (CVE-2021-3583).

References:
- https://bugs.mageia.org/show_bug.cgi?id=28832
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3447
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3583
- https://access.redhat.com/errata/RHSA-2021:1342
- https://access.redhat.com/errata/RHSA-2021:1343
- https://access.redhat.com/errata/RHSA-2021:2664
- https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst#id62
- https://github.com/ansible/ansible/blob/v2.9.20/changelogs/CHANGELOG-v2.9.rst#id72
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WV7F6HL3DG7SHWHJMGWD3ZDJRAB65XNU/
========================

Updated package in core/updates_testing:
========================
ansible-2.9.23-1.mga8

from SRPM:
ansible-2.9.23-1.mga8.src.rpm

CC:
(none) => ouaurelien

Updated again to 2.9.24 bugfix version. References for the advisory can be consolidated down to:
- https://bugs.mageia.org/show_bug.cgi?id=28832
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3447
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3583
- https://access.redhat.com/errata/RHSA-2021:1342
- https://access.redhat.com/errata/RHSA-2021:2664
- https://github.com/ansible/ansible/blob/v2.9.24/changelogs/CHANGELOG-v2.9.rst

ansible-2.9.24-1.mga8 from ansible-2.9.24-1.mga8.src.rpm

MGA8-64 Plasma on Lenovo B50
No installation issues.
Ref bug 28436 for tests, but ran into problems.
Created ~/tmp/hosts file containing a pattern like /etc/hosts (which I normally do not use as I run a DNS server on my desktop PC), along this line:
<IP-address> <name> <FQDN>
Now at CLI:
$ ansible i ~/tmp/hosts all -m ping
usage: ansible [-h] [--version] [-v] [-b] [--become-method BECOME_METHOD] [--become-user BECOME_USER] [-K] [-i INVENTORY] [--list-hosts] [-l SUBSET] [-P POLL_INTERVAL] [-B SECONDS] [-o] [-t TREE] [-k] [--private-key PRIVATE_KEY_FILE] [-u REMOTE_USER] [-c CONNECTION] [-T TIMEOUT] [--ssh-common-args SSH_COMMON_ARGS] [--sftp-extra-args SFTP_EXTRA_ARGS] [--scp-extra-args SCP_EXTRA_ARGS] [--ssh-extra-args SSH_EXTRA_ARGS] [-C] [--syntax-check] [-D] [-e EXTRA_VARS] [--vault-id VAULT_IDS] [--ask-vault-pass | --vault-password-file VAULT_PASSWORD_FILES] [-f FORKS] [-M MODULE_PATH] [--playbook-dir BASEDIR] [-a MODULE_ARGS] [-m MODULE_NAME] pattern
ansible: error: unrecognized arguments: /home/tester8/tmp/hosts all
And in the help I get a.o.
-i INVENTORY, --inventory INVENTORY, --inventory-file INVENTORY
    specify inventory host path or comma separated host list. --inventory-file is deprecated
I'm stuck here.

CC: (none) => herman.viaene

ansible -i rather

mga8, x64
Checked ansible before updating, using a two entry hosts file.
Updated via qarepo/MageiaUpdate and tried again and saw a failure on the first address, just as before.
$ ansible -i tmp/hosts all -u lcl -m ping
<fileserver> | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: lcl@<fileserver>: Permission denied (publickey,password,keyboard-interactive).",
"unreachable": true
}
[WARNING]: Platform linux on host <production> is using the discovered Python
interpreter at /usr/bin/python, but future installation of another Python
interpreter could change this. See
https://docs.ansible.com/ansible/2.9/reference_appendices/interpreter_discovery.html
for more information.
<production> | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
No idea why this happens - ssh logins to the first address succeed without fuss.
So, as far as I can see ansible works about as well as it ever did.

CC: (none) => tarazed25

Never been happy with this application, suspecting that it is my primitive implementation of SSL security that causes problems when I try the simple test. The update has been hanging about long enough so let's send it on.

Whiteboard: (none) => MGA8-64-OK

Validating. Advisory information on Comment 13 and Comment 14.

Keywords: (none) => validated_update
Dave Hodgins
2021-09-22 21:21:31 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0420.html

Resolution: (none) => FIXED
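The advisory quoted above describes CVE-2021-3447 as module parameters that hold credentials but were "not protected by the no_log feature", so their values reached logs on the managed node and verbose output on the controller. The Python below is an added illustration written for this page; it is not Ansible's code and not part of the bug report. It re-implements, with the standard library only, the part of Ansible's no_log handling that matters here: values of parameters declared `no_log=True` are scrubbed out of the module result and replaced by `VALUE_SPECIFIED_IN_NO_LOG_PARAMETER` (the placeholder string Ansible itself uses), while a secret in a parameter lacking `no_log` is returned verbatim. It also adds a lint-style check for credential-looking parameter names without `no_log`; the name pattern, the argument_spec, the parameter values and the echoed `cmd` are all constructed for the example.

```python
"""Added model of Ansible's no_log handling for the CVE-2021-3447 bug class.

Not Ansible's code.  Re-implements, with the standard library only:
  * scrubbing of no_log=True parameter values from a module result, using
    the placeholder string Ansible itself uses;
  * a lint-style check for credential-looking parameter names that lack
    no_log (the name pattern below is our own assumption).
"""
import re
from typing import Any, Dict, List, Set

NO_LOG_PLACEHOLDER = "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"

# Assumed heuristic for parameter names that usually hold credentials.
CREDENTIAL_NAME_RE = re.compile(
    r"(pass(word|phrase|wd)?|secret|token|api_?key|private_?key)", re.IGNORECASE
)


def no_log_values(argument_spec: Dict[str, Dict[str, Any]], params: Dict[str, Any]) -> Set[str]:
    """Collect the values of every parameter the spec marks no_log=True."""
    return {
        str(params[name])
        for name, spec in argument_spec.items()
        if spec.get("no_log") and params.get(name) not in (None, "")
    }


def remove_values(value: Any, secrets: Set[str]) -> Any:
    """Recursively scrub every no_log value out of a result structure.

    Like Ansible's remove_values(), the secret is replaced wherever it
    appears, including inside other strings such as an echoed command
    line, not only under the parameter's own key.
    """
    if isinstance(value, str):
        for secret in secrets:
            if secret in value:
                value = value.replace(secret, NO_LOG_PLACEHOLDER)
        return value
    if isinstance(value, dict):
        return {k: remove_values(v, secrets) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(remove_values(v, secrets) for v in value)
    return value


def sanitized_result(argument_spec, params, result) -> Dict[str, Any]:
    """The view of a module result that reaches the log / verbose output."""
    return remove_values(result, no_log_values(argument_spec, params))


def params_missing_no_log(argument_spec: Dict[str, Dict[str, Any]]) -> List[str]:
    """Credential-looking parameter names that are not protected by no_log."""
    return sorted(
        name for name, spec in argument_spec.items()
        if CREDENTIAL_NAME_RE.search(name) and not spec.get("no_log")
    )


# Constructed argument_spec: 'password' lacks no_log (the bug class), 'token' has it.
VULNERABLE_SPEC = {
    "url": {"type": "str", "required": True},
    "user": {"type": "str"},
    "password": {"type": "str"},                  # BUG: should be no_log=True
    "token": {"type": "str", "no_log": True},
}
FIXED_SPEC = dict(VULNERABLE_SPEC, password={"type": "str", "no_log": True})

# Constructed invocation and a module result that echoes its arguments back.
PARAMS = {"url": "https://example.invalid", "user": "svc",
          "password": "Hunter2!", "token": "tok-123"}
RESULT = {
    "changed": True,
    "invocation": {"module_args": dict(PARAMS)},
    "cmd": "curl -u svc:Hunter2! -H 'Authorization: Bearer tok-123' https://example.invalid",
}


def demo():
    """Return (vulnerable view, fixed view) of RESULT as it would be logged."""
    return (sanitized_result(VULNERABLE_SPEC, PARAMS, RESULT),
            sanitized_result(FIXED_SPEC, PARAMS, RESULT))


if __name__ == "__main__":
    before, after = demo()
    print("credential params without no_log:", params_missing_no_log(VULNERABLE_SPEC))
    print("logged before fix:", before["cmd"])
    print("logged after fix: ", after["cmd"])
```

The point the model makes is that `no_log` is a property of the module's argument_spec, not of the controller: `-vvv` on the controller and the module log on the managed node both see whatever the module returned, so the only fix is in the module (which is why the update ships new module code rather than a playbook workaround). Ansible's `module_utils/basic.py` applies a runtime version of the name check as well, warning "Module did not set no_log for ..." when a parameter name looks like a password and `no_log` is unset; that warning is an aid for module authors and does not itself redact the value.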
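The advisory's second item, CVE-2021-3583, is a controller-side template injection through facts: text that arrived from a managed node was re-interpreted as a Jinja2 template. The Python below is an added illustration for this page, not Ansible's code and not from the bug report. It needs the `jinja2` package (an assumption here; it is the engine Ansible templates with) and mirrors Ansible's design in miniature: remote data is tagged unsafe (Ansible's `AnsibleUnsafeText`, an object whose `__UNSAFE__` attribute is true) and the templar returns such values without templating them; variables read by a template are themselves templated when accessed (Ansible's `AnsibleJ2Vars`), which is the path that re-evaluates a value. The hostile fact, the task argument and the stand-in `pipe` lookup (which only records the command instead of running it) are constructed for the example. The block shows the general mechanism, not the specific multi-line YAML path the advisory names: drop the unsafe tag and a crafted fact executes; keep it and the fact is printed literally.

```python
"""Added model of the CVE-2021-3583 bug class (not Ansible's code): a value
from a managed node is re-interpreted as a Jinja2 template on the controller.
Requires the jinja2 package (assumption).  The 'pipe' lookup here only
records the command it was asked to run instead of executing it.
"""
from jinja2.sandbox import SandboxedEnvironment

EXECUTED = []  # commands the stand-in 'pipe' lookup was asked to run


def lookup(kind, arg):
    """Stand-in for Ansible's lookup(): the real 'pipe' plugin runs a shell command."""
    if kind == "pipe":
        EXECUTED.append(arg)
        return f"<output of {arg!r}>"
    raise ValueError(f"unsupported lookup {kind!r}")


class Unsafe(str):
    """Marker type modelled on AnsibleUnsafeText: never re-templated."""
    __UNSAFE__ = True


def wrap_unsafe(value):
    """Tag strings from a managed node (Ansible's wrap_var does this for facts)."""
    if isinstance(value, str):
        return Unsafe(value)
    if isinstance(value, dict):
        return {k: wrap_unsafe(v) for k, v in value.items()}
    if isinstance(value, list):
        return [wrap_unsafe(v) for v in value]
    return value


class LazyVars:
    """Resolves a variable only when a template reads it, templating it on the way
    (the role AnsibleJ2Vars plays); falls back to environment globals (lookup)."""

    def __init__(self, templar):
        self.templar = templar

    def __contains__(self, key):
        return key in self.templar.variables or key in self.templar.env.globals

    def __getitem__(self, key):
        if key in self.templar.variables:
            return self.templar.template(self.templar.variables[key])
        return self.templar.env.globals[key]


class Templar:
    """Miniature of ansible.template.Templar."""

    def __init__(self, variables):
        self.env = SandboxedEnvironment()
        self.env.globals["lookup"] = lookup
        self.variables = variables

    def template(self, value):
        # The protective check: data tagged unsafe is returned as-is.
        if getattr(value, "__UNSAFE__", False):
            return value
        if isinstance(value, str) and "{{" in value:
            tmpl = self.env.from_string(value)
            # shared=True keeps LazyVars as the live parent mapping instead of
            # copying it into a dict, so variable resolution stays lazy.
            ctx = tmpl.new_context(LazyVars(self), shared=True)
            return self.env.concat(tmpl.root_render_func(ctx))
        return value


# Constructed hostile fact: a managed node reports its hostname as a template.
HOSTILE_FACTS = {"ansible_hostname": "{{ lookup('pipe', 'id') }}"}
# Constructed task argument on the controller that interpolates that fact.
TASK_ARG = "Host {{ ansible_hostname }} managed by Ansible"


def render_task_arg(protect_facts: bool):
    """Render TASK_ARG; returns (rendered text, commands the pipe lookup ran)."""
    EXECUTED.clear()
    facts = wrap_unsafe(HOSTILE_FACTS) if protect_facts else dict(HOSTILE_FACTS)
    return Templar(facts).template(TASK_ARG), list(EXECUTED)


if __name__ == "__main__":
    for protect in (False, True):
        text, cmds = render_task_arg(protect)
        print(f"unsafe tag {'kept' if protect else 'lost'}: {text!r}; commands run: {cmds}")
```

The outer template `Host {{ ansible_hostname }}` is the operator's and is trusted; the danger is entirely in the second evaluation that happens when the fact's value is resolved. Whatever the controller can reach from a lookup (here the `pipe` stand-in, in Ansible a real shell command) is therefore reachable from any host that can choose its own fact values, which is why the advisory rates the threat to confidentiality and integrity and why the fix is to preserve the unsafe tag rather than to filter fact contents.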