Ubuntu has issued an advisory on July 24: https://usn.ubuntu.com/4072-1/ The issue is fixed upstream in 2.6.18, 2.7.12 and 2.8.2. Mageia 6 and Mageia 7 are also affected.
Whiteboard: (none) => MGA7TOO, MGA6TOOStatus comment: (none) => Fixed upstream in 2.6.18, 2.7.12 and 2.8.2
2.8.2 pushed to cauldron.
Status: NEW => ASSIGNEDCC: (none) => bruno
Whiteboard: MGA7TOO, MGA6TOO => MGA6TOOVersion: Cauldron => 7
2.7.12 pushed to update_testing of mga7 mga6 has 2.4 so I suggest we update to 2.7.12 as well (I was using 2.7.10 myself before that update without issue on mga6).
Sounds good. We've updated in the past without issues.
2.7.12 pushed to update_testing of mga6 as well. Moved to QA.
Assignee: bruno.cornec => qa-bugsWhiteboard: MGA6TOO => (none)
Whiteboard: (none) => MGA6TOO
Advisory: ======================== Updated ansible package fixes security vulnerability: A flaw was discovered in the way Ansible templating was implemented before version 2.7.12, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed (CVE-2019-10156). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10156 https://github.com/ansible/ansible/blob/stable-2.7/changelogs/CHANGELOG-v2.7.rst https://usn.ubuntu.com/4072-1/ ======================== Updated packages in core/updates_testing: ======================== ansible-2.7.12-1.mga6 ansible-2.7.12-1.mga7 from SRPMS: ansible-2.7.12-1.mga6.src.rpm ansible-2.7.12-1.mga7.src.rpm
mga6, x86_64 Update failed because of missing package. # urpmi ansible A requested package cannot be installed: ansible-2.7.12-1.mga6.noarch (due to unsatisfied python3-jmespath) # urpmi python3-jmespath No package named python3-jmespath
CC: (none) => tarazed25
mga7, x86_64 The update installed cleanly. ~/tmp/hosts contains: 192.168.1.aaa 192.168.1.bbb where aaa is a remote PC and bbb is the current machine. $ ansible -i ~/tmp/hosts all -m ping 192.168.1.bbb | UNREACHABLE! => { "changed": false, "msg": "Failed to connect to the host via ssh: lcl@192.168.1.62: Permission denied (publickey,password,keyboard-interactive).", "unreachable": true } 192.168.1.aaa | SUCCESS => { "changed": false, "ping": "pong" } Yet on bbb; $ ssh lcl@canopus Password: Last login: Fri Aug 16 19:19:24 2019 from 192.168.1.aaa $ ansible all -a "/bin/echo hello" [WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all' I am assuming that this is a PEBCAK problem. No idea how to proceed. These tests used to succeed.
Of course, /etc/ansible/hosts needs to be set up first. $ ansible all -a "/bin/echo hello" 192.168.1.bbb | UNREACHABLE! => { "changed": false, "msg": "Failed to connect to the host via ssh: lcl@192.168.1.bbb: Permission denied (publickey,password,keyboard-interactive).", "unreachable": true } 192.168.1.aaa | CHANGED | rc=0 >> hello $ ansible all -u lcl -a "/home/lcl/bin/calco" 192.168.1.bbb | UNREACHABLE! => { "changed": false, "msg": "Failed to connect to the host via ssh: lcl@192.168.1.bbb: Permission denied (publickey,password,keyboard-interactive).", "unreachable": true } 192.168.1.aaa | FAILED | rc=-6 >> /usr/share/ruby/tk.rb:31:in `initialize': tcltklib: fail to Tk_Init(). no display name and no $DISPLAY environment variable (RuntimeError) from /usr/share/ruby/tk.rb:31:in `initialize' from /usr/share/ruby/tk.rb:1245:in `new' from /usr/share/ruby/tk.rb:1245:in `block in <module:TkCore>' Tcl_AsyncDelete: async handler deleted by the wrong threadnon-zero return code I thought the '-u lcl' would have taken care of setting up the shell environment, but apparently not. Something more straightforward works: $ ansible all -u lcl -a "/home/lcl/bin/dayofweek 2019-08-16" 192.168.1.bbb | UNREACHABLE! => { "changed": false, "msg": "Failed to connect to the host via ssh: lcl@192.168.1.bbb: Permission denied (publickey,password,keyboard-interactive).", "unreachable": true } 192.168.1.aaa | CHANGED | rc=0 >> 2019-08-16 is a Friday At this simple level I would say this works. Any problems seem to be associated with the way access keys have been defined by the user. known_hosts always needs fixing after every new installation.
Keywords: (none) => feedback
Bruno, please fix Comment 6.
Whiteboard: MGA6TOO => MGA6TOO MGA7-64-OK
python-jmespath has been also pushed to updates_testing for mga6 Hope this will fix the install issue for good.
mga7, x86_64 Thanks Bruno. ansible now updates cleanly and runs fine. Omitted localhost from /tmp/hosts and ran the primitive tests as in comment 8. They worked as expected, e.g. $ ansible all -u lcl -a "/home/lcl/bin/dayofweek 2019-08-24" 192.168.1.aaa | CHANGED | rc=0 >> 2019-08-24 is a Saturday That will have to do for 64-bits.
Whiteboard: MGA6TOO MGA7-64-OK => MGA6TOO MGA6-64-OK MGA7-64-OKKeywords: feedback => (none)
Thanks Bruno. This python-jmespath doesn't quite look right though. The build produced three packages: python-jmespath-0.9.4-1.1.mga6 python2-jmespath-0.9.4-1.1.mga6 python3-jmespath-0.9.4-1.1.mga6 the second one shouldn't be there.
I asked myself the question, but that was the way it was made for cauldron, so didn't thought I should change it. Of course I can if you say it's ok ;-) So I submitted a new version.
Thanks, that's better. That package list would have been incorrect for Cauldron too (in that case the python2 and python3 ones should be there and the python- one shouldn't). Advisory: ======================== Updated ansible package fixes security vulnerability: A flaw was discovered in the way Ansible templating was implemented before version 2.7.12, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed (CVE-2019-10156). Also, python-jmespath was added as a new dependency in Mageia 6. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10156 https://github.com/ansible/ansible/blob/stable-2.7/changelogs/CHANGELOG-v2.7.rst https://usn.ubuntu.com/4072-1/ ======================== Updated packages in core/updates_testing: ======================== python-jmespath-0.9.4-1.2.mga6 python3-jmespath-0.9.4-1.2.mga6 ansible-2.7.12-1.mga6 ansible-2.7.12-1.mga7 from SRPMS: python-jmespath-0.9.4-1.2.mga6.src.rpm ansible-2.7.12-1.mga6.src.rpm ansible-2.7.12-1.mga7.src.rpm
mga6, x86_64 Ran the update again against ansible-2.4.6. python3-jmespath was picked up as a dependency of ansible-2.7.12 but python-jmespath was not. It needed to be installed separately.
Yes, they shouldn't both be a dependency.
ansible is functioning OK for simple tests. letting the 64bit OK stand.
Keywords: (none) => advisory, validated_updateCC: (none) => tmb, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0234.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED