Created attachment 208877 [details]
Update sysutils/ansible to version 2.9.0

Ansible 2.9.0 was released recently.
https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst

I was able to build sysutils/ansible for 2.9.0 by simply changing the version and running `make makesum`. FWIW that diff is attached.
Created attachment 212681 [details]
Update to 2.9.6

- Update version 2.8.7=>2.9.6
- Move 2.8.X branch to a new port sysutils/ansible28 and update to version 2.8.10
- Mark sysutils/ansible23 DEPRECATED as UPSTREAM support has ended
- Mark sysutils/ansible24 DEPRECATED as UPSTREAM support has ended
- Mark sysutils/ansible25 DEPRECATED as UPSTREAM support has ended
- Mark sysutils/ansible26 DEPRECATED as UPSTREAM support has ended
- Update sysutils/ansible27 to 2.7.16 as there are multiple vulnerabilities
  - **SECURITY**
    - CVE-2019-14904 - solaris_zone module accepts a zone name and performs actions related to that. However, there is no user input validation done while performing actions. A malicious user could provide a crafted zone name which allows executing commands on the server, manipulating the module behaviour. Adding user input validation as per the Solaris Zone documentation fixes this issue.
    - CVE-2019-14905 - nxos_file_copy module accepts the remote_file parameter, which is used for the destination name, and performs actions related to that on the device using the value of remote_file, which is of string type. However, there is no user input validation done while performing actions. Malicious code could craft the filename parameter to take advantage by performing an OS command injection. This fix validates whether the option value is a legitimate file path or not.
- Additionally fixes some issues from bug # 233970
The Ansible ports have been out of date for a while and there is a maintainer-timeout from lifanov@. I have created this patch which handles multiple issues related to all ansible* ports. The builds are so far alright.

http://pdr.bofh.network/data/latest-per-pkg/py37-ansible/2.9.6/
http://pdr.bofh.network/data/latest-per-pkg/py37-ansible28/2.8.10/
http://pdr.bofh.network/data/latest-per-pkg/py37-ansible27/2.7.16/
http://pdr.bofh.network/data/latest-per-pkg/py37-ansible26/2.6.20_1/
http://pdr.bofh.network/data/latest-per-pkg/py37-ansible25/2.5.15_3/
http://pdr.bofh.network/data/latest-per-pkg/py37-ansible24/2.4.6.0_4/
http://pdr.bofh.network/data/latest-per-pkg/py37-ansible23/2.3.3.0_5/
Note: timeouts only apply from the date of the last proposed patch, not any possible patch. If there are mostly bugfixes and/or security updates associated with the version ranges between the current port version and 2.9.6, please set keyword: security, cc ports-secteam and set merge-quarterly ?
Version 2.8.7 is vulnerable to CVE-2019-14904.

- **SECURITY**
  - CVE-2019-14904 - solaris_zone module accepts a zone name and performs actions related to that. However, there is no user input validation done while performing actions. A malicious user could provide a crafted zone name which allows executing commands on the server, manipulating the module behaviour. Adding user input validation as per the Solaris Zone documentation fixes this issue.
  - CVE-2019-14905 - nxos_file_copy module accepts the remote_file parameter, which is used for the destination name, and performs actions related to that on the device using the value of remote_file, which is of string type. However, there is no user input validation done while performing actions. Malicious code could craft the filename parameter to take advantage by performing an OS command injection. This fix validates whether the option value is a legitimate file path or not.
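Both CVE descriptions quoted in this bug (in the 2.9.6 attachment note and again in the comment above) describe the same defect class: a module parameter that reaches a command line without validation. The following is an added example to illustrate the fix pattern; it is not Ansible's code and not the patch attached to this bug. The zone-name regex is an assumption modelled on the published Solaris zone naming rules (alphanumeric first character; alphanumerics, `_`, `-` and `.`; at most 64 characters), the file-path policy is a deliberately conservative assumption, and `zoneadm_argv` is an illustrative wrapper rather than what the `solaris_zone` module actually runs.

```python
import re
import subprocess

# Zone naming rules as documented for Solaris zones (assumption, not Ansible's
# own regex): begins with an alphanumeric, may contain alphanumerics, '_', '-'
# and '.', at most 64 characters in total.
_ZONE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")

# Conservative path policy for the nxos_file_copy case (also an assumption):
# '/'-separated segments, each starting with an alphanumeric and containing
# only alphanumerics, '.', '_' or '-'; no empty segments and no '..'.
_PATH_SEGMENT_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def is_valid_zone_name(name):
    """Allow-list check for a zone name received as module input."""
    return isinstance(name, str) and bool(_ZONE_NAME_RE.match(name))


def is_valid_remote_file(path):
    """Allow-list check for a destination file path received as module input."""
    if not isinstance(path, str) or not path or len(path) > 255:
        return False
    segments = path.split("/")
    if segments[0] == "":          # absolute path: drop the empty first segment
        segments = segments[1:]
    return bool(segments) and all(
        seg != ".." and _PATH_SEGMENT_RE.match(seg) for seg in segments
    )


def zoneadm_argv(zone_name, action):
    """Build the zoneadm invocation as an argv list.

    The vulnerable pattern is interpolating unchecked input into one command
    string that a shell then parses, e.g.
        subprocess.call("zoneadm -z %s %s" % (zone_name, action), shell=True)
    Here the value is validated first and then passed as its own argv element,
    so no shell ever interprets it.
    """
    if action not in ("boot", "halt", "install", "uninstall"):
        raise ValueError("unsupported action: %r" % action)
    if not is_valid_zone_name(zone_name):
        raise ValueError("invalid zone name: %r" % zone_name)
    return ["/usr/sbin/zoneadm", "-z", zone_name, action]


def run_zoneadm(zone_name, action):
    """Validate, then execute without a shell. Returns the exit status."""
    return subprocess.call(zoneadm_argv(zone_name, action))


if __name__ == "__main__":
    # Constructed sample inputs: the first two of each list are legitimate
    # values, the rest contain characters a shell would interpret and are rejected.
    for name in ["web01", "db-zone.2", "bad;name", "zone name", "$(id)"]:
        verdict = "accept" if is_valid_zone_name(name) else "reject"
        print("zone name   %-22r -> %s" % (name, verdict))
    for path in ["bootflash/nxos.bin", "/tmp/image.bin", "../etc/passwd", "a|b", "-flag"]:
        verdict = "accept" if is_valid_remote_file(path) else "reject"
        print("remote_file %-22r -> %s" % (path, verdict))
    print(zoneadm_argv("web01", "boot"))
```

The two checks are allow-lists rather than deny-lists of metacharacters, which is what "validation as per the documentation" buys you: anything outside the documented name or path grammar is refused, so the validator does not need to enumerate every character a given shell treats specially. Passing an argv list to `subprocess` without `shell=True` is the second, independent layer; keeping both means a gap in either one is not by itself a command injection.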
Comment on attachment 212681 [details]
Update to 2.9.6

Approved by: portmgr (maintainer timeout, > 14 days)
@Muhammad Can you add comment blocks to each patch describing what they're for and include upstream references/links to issues, PRs, commits where appropriate.

Also:

- Comment the ${RM} ${STAGEDIR}${PYTHONPREFIX_SITELIBDIR}/ansible_test/_data/injector/ansible-inventory line
- Try to only add USES=shebangfix to the port that needs it, rather than adding it in the master and resetting USES for each slave
- The expiration date (EXPIRATION_DATE=2020-04-24) added for older ansible versions is too close. Give users at least a month to see the message before they are potentially deleted.
- Add actions the user should take to the DEPRECATED reason (like use sysutils/ansibleXY or higher)
- Needs a VuXML entry for affected ansible port/package versions and clarity on how the full changeset will be committed (if multiple commits are necessary), in order to ensure all vulnerable quarterly versions have updates merged to them
A commit references this bug:

Author: bofh
Date: Fri Apr 17 22:31:58 UTC 2020
New revision: 531978
URL: https://svnweb.freebsd.org/changeset/ports/531978

Log:
  sysutils/ansible: Multiple Vulnerabilities fix

  - Update ansible 2.8.7=>2.8.11
  - Update ansible27 2.7.15=>2.7.17
  - For ansible27 add fixes [1]
    - Rudimentary detection of the virtual platforms
    - playbook hangs without ASSUME_ALWAYS_YES for pkgng
    - Fix zpool snapshot cloning
    - Fix `doas` password authentication
  - Mark ansible26, ansible25, ansible24 and ansible23 DEPRECATED without EXPIRATION_DATE for MFH

  PR:           241734 233970 [1]
  Submitted by: timur [1]
  Reported by:  ncrogers@gmail.com
  Approved by:  portmgr (maintainer timeout, > 14 days)
  MFH:          2020Q2 (bugfix release)
  Security:     CVE-2020-1737
  Security:     CVE-2020-1739
  Security:     CVE-2020-1740

Changes:
  head/sysutils/ansible/Makefile
  head/sysutils/ansible/distinfo
  head/sysutils/ansible/files/extra-patch-27
  head/sysutils/ansible23/Makefile
  head/sysutils/ansible24/Makefile
  head/sysutils/ansible25/Makefile
  head/sysutils/ansible26/Makefile
  head/sysutils/ansible27/Makefile
  head/sysutils/ansible27/distinfo
(In reply to Kubilay Kocak from comment #7)

Stage 1 and Stage 2 completed. Awaiting MFH. Will continue on Stage 3.
^Triage: VuXML entry added (issue ID not referenced) in ports r531977
A commit references this bug:

Author: bofh
Date: Sat Apr 18 11:48:34 UTC 2020
New revision: 532025
URL: https://svnweb.freebsd.org/changeset/ports/532025

Log:
  MFH: r531978

  sysutils/ansible: Multiple Vulnerabilities fix

  - Update ansible 2.8.7=>2.8.11
  - Update ansible27 2.7.15=>2.7.17
  - For ansible27 add fixes [1]
    - Rudimentary detection of the virtual platforms
    - playbook hangs without ASSUME_ALWAYS_YES for pkgng
    - Fix zpool snapshot cloning
    - Fix `doas` password authentication
  - Mark ansible26, ansible25, ansible24 and ansible23 DEPRECATED without EXPIRATION_DATE for MFH

  PR:           241734 233970 [1]
  Submitted by: timur [1]
  Reported by:  ncrogers@gmail.com
  Approved by:  portmgr (maintainer timeout, > 14 days)
  Security:     https://www.vuxml.org/freebsd/0899c0d3-80f2-11ea-bafd-815569f3852d.html
  Security:     https://www.vuxml.org/freebsd/67dbeeb6-80f4-11ea-bafd-815569f3852d.html
  Security:     https://www.vuxml.org/freebsd/ae2e7871-80f6-11ea-bafd-815569f3852d.html

  Approved by:  ports-secteam (blanket bug fix release)

Changes:
_U  branches/2020Q2/
  branches/2020Q2/sysutils/ansible/Makefile
  branches/2020Q2/sysutils/ansible/distinfo
  branches/2020Q2/sysutils/ansible/files/extra-patch-27
  branches/2020Q2/sysutils/ansible23/Makefile
  branches/2020Q2/sysutils/ansible24/Makefile
  branches/2020Q2/sysutils/ansible25/Makefile
  branches/2020Q2/sysutils/ansible26/Makefile
  branches/2020Q2/sysutils/ansible27/Makefile
  branches/2020Q2/sysutils/ansible27/distinfo
A commit references this bug:

Author: bofh
Date: Tue Apr 28 20:46:10 UTC 2020
New revision: 533266
URL: https://svnweb.freebsd.org/changeset/ports/533266

Log:
  sysutils/ansible: Update version 2.8.11=>2.9.7

  - Create sysutils/ansible28 from sysutils/ansible
  - Set EXPIRATION_DATE to 20200530 for ansible23 ansible24 ansible25 and ansible26 as they are no longer maintained by upstream
  - Bump ansible23 ansible24 ansible25 ansible26 and ansible27 for CONFLICTS with ansible28

  PR:           241734
  Submitted by: ncrogers@gmail.com
  Approved by:  portmgr (maintainer-timeout)

Changes:
  head/UPDATING
  head/sysutils/Makefile
  head/sysutils/ansible/Makefile
  head/sysutils/ansible/distinfo
  head/sysutils/ansible23/Makefile
  head/sysutils/ansible24/Makefile
  head/sysutils/ansible25/Makefile
  head/sysutils/ansible26/Makefile
  head/sysutils/ansible27/Makefile
  head/sysutils/ansible28/
  head/sysutils/ansible28/Makefile
  head/sysutils/ansible28/distinfo
  head/sysutils/ansible28/files/
  head/sysutils/ansible28/pkg-descr