Upstream has released new versions on June 25 and July 1:
https://github.com/ansible/ansible/blob/release1.6.6/CHANGELOG.md

These versions (1.6.4, 1.6.5, 1.6.6) contain fixes for security issues. CVE-2014-4678 has been assigned for the issue fixed in 1.6.4, and additional CVEs are pending for the other two updates:
http://openwall.com/lists/oss-security/2014/07/02/2
Whiteboard: (none) => MGA4TOO, MGA3TOO
Fedora has issued an advisory for this on July 3:
https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135284.html
URL: (none) => http://lwn.net/Vulnerabilities/605177/
More CVEs have been assigned for issues fixed in 1.6.7 (CVE-2014-496[67]):
http://openwall.com/lists/oss-security/2014/07/22/1
https://github.com/ansible/ansible/blob/release1.6.7/CHANGELOG.md
Summary: ansible new security issues fixed upstream in 1.6.6 => ansible new security issues fixed upstream in 1.6.7
Ansible 1.6.8 is out and fixes regressions:
https://github.com/ansible/ansible/blob/release1.6.8/CHANGELOG.md

Maybe we should just update everything to 1.6.8?
Done for cauldron and mga4 (not found for mga3). Adv prepared.
Status: NEW => ASSIGNED
Assignee: bruno => security
Whiteboard: MGA4TOO, MGA3TOO => MGA4TOO
(In reply to Bruno Cornec from comment #4)
> Done for cauldron and mga4 (not found for mga3).

Oops, yes, no mga3 :o) Thanks!

You may have noticed it didn't build, however :o(

(In reply to Bruno Cornec from comment #4)
> Adv prepared.

Where?
Assignee: security => bruno
(In reply to David Walser from comment #5)
> (In reply to Bruno Cornec from comment #4)
> > Done for cauldron and mga4 (not found for mga3).
>
> Oops, yes, no mga3 :o) Thanks!
>
> You may have noticed it didn't build, however :o(

Also, the subrel should be removed in the Mageia 4 update.
It's now built and uploaded in the repos correctly (was a missing BuildRequire).
Adv is in SVN as per instructions (simple one).
subrel was removed (Is it just necessary when the version remains the same?)
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
Yes, the subrel is only needed when the version doesn't change. The release tag should go back to 1 when the version is updated.

This can't be marked as fixed until the Mageia 4 update is tested and released.

QA: the Mageia 4 update is ansible-1.6.8-2.mga4 from ansible-1.6.8-2.mga4.src.rpm
Status: RESOLVED => REOPENED
CC: (none) => bruno
Version: Cauldron => 4
Resolution: FIXED => (none)
Assignee: bruno => qa-bugs
Whiteboard: MGA4TOO => (none)
Advisory:
========================

Updated ansible package fixes security vulnerabilities:

The Ansible platform before version 1.6.7 suffers from input sanitization errors that allow arbitrary code execution as well as information leak, in case an attacker is able to control certain playbook variables (CVE-2014-4678, CVE-2014-4966, CVE-2014-4967).

The ansible package has been updated to version 1.6.8, which fixes these issues and several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4678
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4966
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4967
http://openwall.com/lists/oss-security/2014/07/02/2
http://www.ocert.org/advisories/ocert-2014-004.html
https://github.com/ansible/ansible/blob/release1.6.8/CHANGELOG.md
https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135284.html
========================

Updated packages in core/updates_testing:
========================
ansible-1.6.8-2.mga4

from ansible-1.6.8-2.mga4.src.rpm
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=13278#c4
Whiteboard: (none) => has_procedure
Bruno, could we get this updated to 1.6.10? 1.6.9 fixes regressions related to the security fixes.
https://github.com/ansible/ansible/blob/release1.6.10/CHANGELOG.md
Adding feedback marker and awaiting new version.
Whiteboard: has_procedure => has_procedure feedback
Fedora has issued an advisory for CVE-2014-496[67] on July 26:
https://lists.fedoraproject.org/pipermail/package-announce/2014-August/136395.html

from http://lwn.net/Vulnerabilities/608197/

They updated to 1.6.10.
CC: (none) => qa-bugs
Assignee: qa-bugs => bruno
Whiteboard: has_procedure feedback => has_procedure
Pushed 1.6.10 in cauldron and 4 as core/updates_testing
Target Milestone: --- => Mageia 4
Thanks Bruno!

Advisory:
========================

Updated ansible package fixes security vulnerabilities:

The Ansible platform before version 1.6.7 suffers from input sanitization errors that allow arbitrary code execution as well as information leak, in case an attacker is able to control certain playbook variables (CVE-2014-4678, CVE-2014-4966, CVE-2014-4967).

The ansible package has been updated to version 1.6.8, which fixes these issues and several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4678
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4966
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4967
http://openwall.com/lists/oss-security/2014/07/02/2
http://www.ocert.org/advisories/ocert-2014-004.html
https://github.com/ansible/ansible/blob/release1.6.10/CHANGELOG.md
https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135284.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-August/136395.html
========================

Updated packages in core/updates_testing:
========================
ansible-1.6.10-1.mga4

from ansible-1.6.10-1.mga4.src.rpm
CC: qa-bugs => (none)
Assignee: bruno => qa-bugs
In VirtualBox, M4, KDE, 32-bit

Package(s) under test: ansible

default install of ansible

[root@localhost ~]# urpmi ansible
Package ansible-1.4.3-1.1.mga4.noarch is already installed

I created two Vbox clients: ansible source & ansible target. The IP of the target is 192.168.1.125. I then installed ansible in the source and that created /etc/ansible/hosts which simply contained 192.168.1.125. I then executed:

[root@localhost ~]# ansible -i /etc/ansible all -m ping
ERROR: Invalid ini entry: /etc/ansible/hosts - need more than 1 value to unpack

And ansible errored out. So the test procedure in:
https://bugs.mageia.org/show_bug.cgi?id=13278#c4
failed for me. Is there a better one? Or am I doing something wrong?

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
Philippe, any idea about William's test in Comment 16?
CC: (none) => makowski.mageia
Did you set bridged networking for the vbox clients Bill? It will not be accessible remotely otherwise, could be the cause of the error.
Good question. I have four Vbox clients that I use as standards. Those clients are M3 32 & 64bit, M4 32 & 64bit. I keep all those clients, and the host, updated daily. Yes, those four clients are connected to the LAN using the bridged mode so the LAN router is assigning a DHCP address. I do not change the Vbox assigned MAC addresses when I clone them for test. The only time I may use a NAT connection is with preliminary testing of a Live-CD/DVD. As I test an update, say for ansible, I clone the appropriate saved standard client, calling it another name, and test that, not the saved standard clients. This testing process has been pretty successful over the last couple Vbox releases.
Testing complete mga4 64

Created /tmp/hosts with just the ip of the remote computer in it.
If not already set up on that host for passwordless ssh then do that first.

ie. Local = 192.168.1.20, remote = 192.168.1.25

/tmp/hosts contains 192.168.2.25

Enable passwordless ssh login:
$ ssh-copy-id 192.168.1.25

you should then be able to log in with ssh without a password. Log back out if all is ok.

Then, back on local..
$ ansible -i /tmp/hosts all -m ping
192.168.1.25 | success >> {
    "changed": false,
    "ping": "pong"
}
Whiteboard: has_procedure => has_procedure mga4-64-ok
/tmp/hosts contains 192.168.1.25 not 2.25 :\
Testing complete mga4 32
Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-32-ok mga4-64-ok
Validating. Advisory updated. Could sysadmin please push to 4 updates? Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0350.html
Status: REOPENED => RESOLVED
Resolution: (none) => FIXED
LWN reference for CVE-2014-4678:
http://lwn.net/Vulnerabilities/609508/