Fedora has issued an advisory on November 7: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BTRG5RQTE7EPZLVJR7WCHPV2O3LCCEJ5/ The issues are fixed upstream in 2.2.0.0. Mageia 5 may also be affected.
Whiteboard: (none) => MGA5TOO
Severity: normal => major
From https://bugzilla.redhat.com/show_bug.cgi?id=1388113 version 1.9 is not affected by CVE-2016-8628
The other CVE is also valid for 1.9 per https://github.com/ansible/ansible-modules-core/commit/746d51d1ff7a7bb3c2c71a2d8239cba93b6dea96 and https://github.com/ansible/ansible-modules-core/commit/746d51d1ff7a7bb3c2c71a2d8239cba93b6dea96 I'll look at applying these to our 1.9 version in order to avoid upgrading it to 2.2.0.0 and create migration issues.
removing cauldron, as we have version 2.2.0.0 in cauldron.
CC: (none) => mageiaVersion: Cauldron => 5Whiteboard: MGA5TOO => (none)
Seems I messed up the ref upper, and missed the second one which is: https://github.com/ansible/ansible-modules-core/commit/08017c2be0991877bd4bb6d14ba2ff9450f17184
Status: NEW => ASSIGNED
Uploaded a version to updates_testing Seems that only one patch was needed the other one was already part of the code.
Assignee: bruno => qa-bugsSource RPM: ansible-2.1.1.0-1.mga6.src.rpm => ansible-1.9.6-1.mga5.src.rpm
Please don't forget to post the advisory here Bruno (and if you also uploaded it to SVN yourself, mark that on the whiteboard): https://wiki.mageia.org/en/Updates_policy#Maintainer_.28or_any_interested_packager.29
For basic testing, this needs a couple of networked computers with ssh access using ssh key. The procedure below is taken from: https://bugs.mageia.org/show_bug.cgi?id=16309#c9 [thanks Philippe] https://bugs.mageia.org/show_bug.cgi?id=16309#c12 [thanks Shlomi] --- create a file, for example /tmp/hosts with the ip address if the distant box: $ cat /tmp/hosts 192.168.0.51 $ ansible -i /tmp/hosts all -m ping 192.168.0.51 | success >> { "changed": false, "ping": "pong" } Another example: $ cat /tmp/hosts 10.0.0.5 10.0.0.10 $ ansible -i /tmp/hosts all -m ping 10.0.0.5 | success >> { "changed": false, "ping": "pong" } 10.0.0.10 | success >> { "changed": false, "ping": "pong" } ---
CC: (none) => lewyssmithWhiteboard: (none) => has_procedure
MGA5-32 on AcerD620 Xfce No installation issues I fail to understand this.I generated on the test laptop [xxxx@yyyy .ssh]$ ssh-keygen -t rsa no passphrase used then [xxxx@yyyy .ssh]$ ssh-copy-id aaaa@bbbb Password: Now try logging into the machine, with "ssh 'aaaa@bbbb'", and check in: .ssh/authorized_keys to make sure we haven't added extra keys that you weren't expecting. note that the users xxxx and aaaa are not the same then [xxxx@yyyy .ssh]$ ssh 'aaaa@bbbb' Last login: Fri Jan 13 09:59:45 2017 [aaaa@bbbb ~]$ exit logout [3;J Connection to bbbb closed. [xxxx@yyyy .ssh]$ ansible -vvvv -i /tmp/hosts all -m ping <192.168.2.1> ESTABLISH CONNECTION FOR USER: xxxx <192.168.2.1> REMOTE_MODULE ping <192.168.2.1> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/home/tester5/.ansible/cp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 192.168.2.1 /bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1484317641.91-202769214120196 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1484317641.91-202769214120196 && echo $HOME/.ansible/tmp/ansible-tmp-1484317641.91-202769214120196' 192.168.2.1 | FAILED => SSH Error: Permission denied (publickey,password,keyboard-interactive). while connecting to 192.168.2.1:22 It is sometimes useful to re-run the command using -vvvv, which prints SSH debug output to help diagnose the issue. note that 192.168.2.1 is in the /tmp/hosts file
CC: (none) => herman.viaene
in your case you should then use : [xxxx@yyyy .ssh]$ ansible -vvvv -u aaaa -i /tmp/hosts all -m ping
CC: (none) => makowski.mageia
Tx Philippe, that did the trick, now I get [xxxx@yyyy .ssh]$ ansible -vvvv -u aaaa -i /tmp/hosts all -m ping bbbbb | success >> { "changed": false, "ping": "pong" }
Whiteboard: has_procedure => has_procedure MGA5-32-OK
Please provide an advisory. TIA. And thanks Herman for your test.
Advisory: ======================== Updated ansible packages fix security vulnerability: It was found that apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key (CVE-2016-8614). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8614 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BTRG5RQTE7EPZLVJR7WCHPV2O3LCCEJ5/
Advisory uploades, but it *lacks the SRPM*. Please can someone add that to it.
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK advisory
Fedora has issued an advisory today (January 25): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WJGWOHRWU3FB2DF3V6NNS4GGBWKSOWYA/ Ansible 2.2.1 fixes at least two more security issues.
CC: (none) => qa-bugsVersion: 5 => CauldronAssignee: qa-bugs => brunoSummary: ansible new security issues CVE-2016-8614 and CVE-2016-8628 => ansible new security issues CVE-2016-8614, CVE-2016-8628, CVE-2016-8647, and CVE-2016-9587Whiteboard: has_procedure MGA5-32-OK advisory => has_procedure MGA5TOO
CVE-2016-8647: https://lwn.net/Vulnerabilities/712665/ CVE-2016-9587: https://lwn.net/Vulnerabilities/712658/
(In reply to David Walser from comment #15) > CVE-2016-8647: > https://lwn.net/Vulnerabilities/712665/ > > CVE-2016-9587: > https://lwn.net/Vulnerabilities/712658/ https://bugs.mageia.org/show_bug.cgi?id=20115
Fedora has issued an advisory today (April 17): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UQMRFYTFTPAGI22UEXIEZH4U4BOTGVWH/ It fixes a new issue, CVE-2017-7466.
Summary: ansible new security issues CVE-2016-8614, CVE-2016-8628, CVE-2016-8647, and CVE-2016-9587 => ansible new security issues CVE-2016-8614, CVE-2016-8628, CVE-2016-8647, CVE-2016-9587, CVE-2017-7466
Hello, Sorry for being late :-( I have now uploaded 2.3.0.0 to cauldron ans asked for a freeze push. That will fix these issues. Now what do you want we do for mga5 ? Should I backport it ? (I'm currently using 2.1.1.0 on mga5 without issues)
It's up to you. If updating it fixes all of the remaining issues and that's easier than backporting the remaining patches, that's fine. We've updated ansible in the past without issues.
Version: Cauldron => 5Whiteboard: has_procedure MGA5TOO => has_procedure
I've pushed ansible 2.3.0.0 for mga5 as well now.
If CVE-2016-9587 didn't affect Mageia 5, then CVE-2017-7466 wouldn't either (as it's for an incomplete fix for the former), so not listing it in the advisory. Keep in mind that the advisory in SVN needs to be updated accordingly. Bruno, if I recall correctly, we needed to update Cauldron from 2.3.0.0 to 2.3.1.0 to fix a regression. Shouldn't we do the same here? Advisory: ======================== Updated ansible packages fix security vulnerabilities: It was found that apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key (CVE-2016-8614). It is reported that in Ansible, under some circumstances the mysql_user module may fail to correctly change a password. Thus an old password may still be active when it should have been changed (CVE-2016-8647). The ansible package has been updated to version 2.3 to fix these issues and several other bugs. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8614 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8647 https://github.com/ansible/ansible/blob/stable-2.3/CHANGELOG.md https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BTRG5RQTE7EPZLVJR7WCHPV2O3LCCEJ5/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WJGWOHRWU3FB2DF3V6NNS4GGBWKSOWYA/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UQMRFYTFTPAGI22UEXIEZH4U4BOTGVWH/ ======================== Updated packages in core/updates_testing: ======================== ansible-2.3.0.0-2.mga5 from ansible-2.3.0.0-2.mga5.src.rpm
It looks as if this update needs to be recycled for re-testing. It is not currently in madb/tools/updates. I will revise the Advisory.
Bruno hasn't assigned it back to QA yet. I'm waiting to see if we need to update it again.
Thanks for the clarification. I shall leave the defunct Advisory alone until then.
Updated to 2.3.1.0 as well in parity with cauldron now.
Target Milestone: --- => Mageia 5Assignee: bruno => qa-bugs
Thanks, and wouldn't you know that 2.3.1 has another security fix. Please do try to reset the release tag to 1 in the future when upgrading a package for stable. Advisory: ======================== Updated ansible packages fix security vulnerabilities: It was found that apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key (CVE-2016-8614). It is reported that in Ansible, under some circumstances the mysql_user module may fail to correctly change a password. Thus an old password may still be active when it should have been changed (CVE-2016-8647). Data for lookup plugins used as variables was not being correctly marked as "unsafe" (CVE-2017-7481). The ansible package has been updated to version 2.3.1 to fix these issues and several other bugs. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8614 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8647 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7481 https://github.com/ansible/ansible/blob/stable-2.3/CHANGELOG.md https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BTRG5RQTE7EPZLVJR7WCHPV2O3LCCEJ5/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WJGWOHRWU3FB2DF3V6NNS4GGBWKSOWYA/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UQMRFYTFTPAGI22UEXIEZH4U4BOTGVWH/ ======================== Updated packages in core/updates_testing: ======================== ansible-2.3.1.0-2.mga5 from ansible-2.3.1.0-2.mga5.src.rpm
CC: (none) => bruno
CC: qa-bugs => (none)
Advisory updated from Comment 26.
Whiteboard: has_procedure => has_procedure advisory
Testing on x86_64. I use non standard ports for ssh to avoid having script kiddies fill my logs. In my test, the word munged is replaced by the port number I use for that host. in the below example. $ echo '192.168.10.101:munged'>/tmp/hosts $ ansible -i /tmp/hosts all -m ping 192.168.10.101 | SUCCESS => { "changed": false, "ping": "pong" } Tested on i586 with same results. I did note that it has added requires ... # urpmi ansible To satisfy dependencies, the following packages are going to be installed: Package Version Release Arch (medium "Core Release (distrib1)") libdbusglib-gir1.0 1.42.0 3.mga5 i586 (medium "Core Updates (distrib3)") libnetworkmanager-gir1.0 1.0.12 1.1.mga5 i586 libnm-glib4 1.0.12 1.1.mga5 i586 libnm-util2 1.0.12 1.1.mga5 i586 libnm0 1.0.12 1.1.mga5 i586 libnmclient-gir1.0 1.0.12 1.1.mga5 i586 (medium "Core Updates Testing (distrib5)") ansible 2.3.1.0 2.mga5 noarch Same results in testing before and after installing the updated version.
Keywords: (none) => validated_updateWhiteboard: has_procedure advisory => has_procedure advisory MGA5-64-OK MGA5-32-OKCC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0164.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED