Bug 13649 - ansible new security issues fixed upstream in 1.6.7
Summary: ansible new security issues fixed upstream in 1.6.7
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: Mageia 4
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/605177/
Whiteboard: has_procedure advisory mga4-32-ok mga...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-07-02 17:22 CEST by David Walser
Modified: 2014-08-25 20:07 CEST

See Also:
Source RPM: ansible-1.5.5-2.mga5.src.rpm

Description David Walser 2014-07-02 17:22:27 CEST
Upstream has released new versions on June 25 and July 1:
https://github.com/ansible/ansible/blob/release1.6.6/CHANGELOG.md

These versions (1.6.4, 1.6.5, 1.6.6) contain fixes for security issues.

CVE-2014-4678 has been assigned for the issue fixed in 1.6.4, and additional CVEs are pending for the other two updates:
http://openwall.com/lists/oss-security/2014/07/02/2

David Walser 2014-07-02 17:22:34 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-07-12 02:26:44 CEST
Fedora has issued an advisory for this on July 3:
https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135284.html

URL: (none) => http://lwn.net/Vulnerabilities/605177/

Comment 2 David Walser 2014-07-22 15:27:03 CEST
More CVEs have been assigned for issues fixed in 1.6.7 (CVE-2014-496[67]):
http://openwall.com/lists/oss-security/2014/07/22/1
https://github.com/ansible/ansible/blob/release1.6.7/CHANGELOG.md

Summary: ansible new security issues fixed upstream in 1.6.6 => ansible new security issues fixed upstream in 1.6.7

Comment 3 David Walser 2014-07-24 00:52:35 CEST
Ansible 1.6.8 is out and fixes regressions:
https://github.com/ansible/ansible/blob/release1.6.8/CHANGELOG.md

Maybe we should just update everything to 1.6.8?
Comment 4 Bruno Cornec 2014-07-24 03:39:55 CEST
Done for cauldron and mga4 (not found for mga3). Adv prepared.

Status: NEW => ASSIGNED
Assignee: bruno => security
Whiteboard: MGA4TOO, MGA3TOO => MGA4TOO

Comment 5 David Walser 2014-07-24 03:46:27 CEST
(In reply to Bruno Cornec from comment #4)
> Done for cauldron and mga4 (not found for mga3).

Oops, yes, no mga3 :o)  Thanks!

You may have noticed it didn't build, however :o(

(In reply to Bruno Cornec from comment #4)
> Adv prepared.

Where?

Assignee: security => bruno

Comment 6 David Walser 2014-07-24 03:47:11 CEST
(In reply to David Walser from comment #5)
> (In reply to Bruno Cornec from comment #4)
> > Done for cauldron and mga4 (not found for mga3).
> 
> Oops, yes, no mga3 :o)  Thanks!
> 
> You may have noticed it didn't build, however :o(

Also, the subrel should be removed in the Mageia 4 update.
Comment 7 Bruno Cornec 2014-07-24 11:40:12 CEST
It's now built and uploaded in the repos correctly (was a missing BuildRequire)

Adv is in SVN as per instructions (simple one)
subrel was removed (Is it just necessary when the version remains the same?)

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 8 David Walser 2014-07-24 14:17:50 CEST
Yes, the subrel is only needed when the version doesn't change.  The release tag should go back to 1 when the version is updated.

This can't be marked as fixed until the Mageia 4 update is tested and released.

QA: the Mageia 4 update is ansible-1.6.8-2.mga4 from ansible-1.6.8-2.mga4.src.rpm

Status: RESOLVED => REOPENED
CC: (none) => bruno
Version: Cauldron => 4
Resolution: FIXED => (none)
Assignee: bruno => qa-bugs
Whiteboard: MGA4TOO => (none)

Comment 9 David Walser 2014-07-24 14:29:06 CEST
Advisory:
========================

Updated ansible package fixes security vulnerabilities:

The Ansible platform before version 1.6.7 suffers from input sanitization
errors that allow arbitrary code execution as well as information leak, in
case an attacker is able to control certain playbook variables
(CVE-2014-4678, CVE-2014-4966, CVE-2014-4967).

The ansible package has been updated to version 1.6.8, which fixes these
issues and several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4678
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4966
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4967
http://openwall.com/lists/oss-security/2014/07/02/2
http://www.ocert.org/advisories/ocert-2014-004.html
https://github.com/ansible/ansible/blob/release1.6.8/CHANGELOG.md
https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135284.html
========================

Updated packages in core/updates_testing:
========================
ansible-1.6.8-2.mga4

from ansible-1.6.8-2.mga4.src.rpm
Comment 10 David Walser 2014-07-24 17:47:56 CEST
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=13278#c4

Whiteboard: (none) => has_procedure

Comment 11 David Walser 2014-07-31 23:52:51 CEST
Bruno, could we get this updated to 1.6.10?  1.6.9 fixes regressions related to the security fixes.

https://github.com/ansible/ansible/blob/release1.6.10/CHANGELOG.md
Comment 12 claire robinson 2014-08-04 18:45:14 CEST
Adding feedback marker and awaiting new version.

Whiteboard: has_procedure => has_procedure feedback

Comment 13 David Walser 2014-08-08 16:24:08 CEST
Fedora has issued an advisory for CVE-2014-496[67] on July 26:
https://lists.fedoraproject.org/pipermail/package-announce/2014-August/136395.html

from http://lwn.net/Vulnerabilities/608197/

They updated to 1.6.10.

CC: (none) => qa-bugs
Assignee: qa-bugs => bruno
Whiteboard: has_procedure feedback => has_procedure

Comment 14 Bruno Cornec 2014-08-10 08:56:58 CEST
Pushed 1.6.10 in cauldron and 4 as core/updates_testing

Target Milestone: --- => Mageia 4

Comment 15 David Walser 2014-08-10 13:47:48 CEST
Thanks Bruno!

Advisory:
========================

Updated ansible package fixes security vulnerabilities:

The Ansible platform before version 1.6.7 suffers from input sanitization
errors that allow arbitrary code execution as well as information leak, in
case an attacker is able to control certain playbook variables
(CVE-2014-4678, CVE-2014-4966, CVE-2014-4967).

The ansible package has been updated to version 1.6.8, which fixes these
issues and several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4678
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4966
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4967
http://openwall.com/lists/oss-security/2014/07/02/2
http://www.ocert.org/advisories/ocert-2014-004.html
https://github.com/ansible/ansible/blob/release1.6.10/CHANGELOG.md
https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135284.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-August/136395.html
========================

Updated packages in core/updates_testing:
========================
ansible-1.6.10-1.mga4

from ansible-1.6.10-1.mga4.src.rpm

CC: qa-bugs => (none)
Assignee: bruno => qa-bugs

Comment 16 William Kenney 2014-08-14 18:21:47 CEST
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
ansible

default install of ansible

[root@localhost ~]# urpmi ansible
Package ansible-1.4.3-1.1.mga4.noarch is already installed

I created two Vbox clients ansible source & ansible target
The IP of the target is 192.168.1.125
I then installed ansible in the source and that created /etc/ansible/hosts which
simply contained 192.168.1.125. I then executed:
[root@localhost ~]# ansible -i /etc/ansible all -m ping
ERROR: Invalid ini entry: /etc/ansible/hosts - need more than 1 value to unpack
And ansible errored out. So the test procedure in:
https://bugs.mageia.org/show_bug.cgi?id=13278#c4
failed for me. Is there a better one? Or am I doing something wrong?

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int

Comment 17 David Walser 2014-08-14 21:22:05 CEST
Philippe, any idea about William's test in Comment 16?

CC: (none) => makowski.mageia

Comment 18 claire robinson 2014-08-21 18:19:58 CEST
Did you set bridged networking for the vbox clients Bill? 
It will not be accessible remotely otherwise, could be the cause of the error.
Comment 19 William Kenney 2014-08-21 18:33:01 CEST
Good question. I have four Vbox clients that I use as standards.
Those clients are M3 32 & 64bit, M4 32 & 64bit. I keep all those
clients, and the host, updated daily. Yes those four clients
are connected to the LAN using the bridged mode so the LAN
router is assigning a DHCP address. I do not change the
Vbox assigned MAC addresses when I clone them for test.
The only time I may use a NAT connection is with preliminary
testing of a Live-CD/DVD. As I test an update, say for ansible,
I clone the appropriate saved standard client calling it another
name and test that, not the saved standard clients. This
testing process has been pretty successful over the
last couple Vbox releases.
Comment 20 claire robinson 2014-08-22 15:09:51 CEST
Testing complete mga4 64

Created /tmp/hosts with just the ip of the remote computer in it.
If not already set up on that host for passwordless ssh then do that first.

ie.
Local = 192.168.1.20
remote = 192.168.1.25

/tmp/hosts contains 192.168.2.25

Enable passwordless ssh login
$ ssh-copy-id 192.168.1.25

you should then be able to log in with ssh without a password. Log back out if all is ok.

Then, back on local..

$ ansible -i /tmp/hosts all -m ping
192.168.1.25 | success >> {
    "changed": false, 
    "ping": "pong"
}

Whiteboard: has_procedure => has_procedure mga4-64-ok

Comment 21 claire robinson 2014-08-22 15:13:25 CEST
/tmp/hosts contains 192.168.1.25 not 2.25 :\
Comment 22 claire robinson 2014-08-22 15:21:22 CEST
Testing complete mga4 32

Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-32-ok mga4-64-ok

Comment 23 claire robinson 2014-08-22 15:35:09 CEST
Validating. Advisory updated.

Could sysadmin please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 24 Mageia Robot 2014-08-25 10:44:46 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0350.html

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED

Comment 25 David Walser 2014-08-25 20:07:33 CEST
LWN reference for CVE-2014-4678:
http://lwn.net/Vulnerabilities/609508/
