Bug 241734

Summary: sysutils/ansible: Update to 2.9.6
Product: Ports & Packages
Reporter: ncrogers
Component: Individual Port(s)
Assignee: Muhammad Moinur Rahman <bofh>
Status: Open
Severity: Affects Many People
CC: bofh, david, ports-secteam, python
Priority: ---
Keywords: needs-qa, security
Version: Latest
Flags: bugzilla: maintainer-feedback? (lifanov)
Hardware: Any
OS: Any
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233970
Bug Depends on:
Bug Blocks: 233970

Attachments:
  Update sysutils/ansible to version 2.9.0 (flags: none)
  Update to 2.9.6 (flags: none)

Description ncrogers 2019-11-05 12:36:46 UTC
Created attachment 208877 [details]
Update sysutils/ansible to version 2.9.0

Ansible 2.9.0 was released recently.

https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst

I was able to build sysutils/ansible for 2.9.0 by simply changing the version and running `make makesum`. FWIW that diff is attached.
Comment 1 Muhammad Moinur Rahman freebsd_committer 2020-03-24 20:40:16 UTC
Created attachment 212681 [details]
Update to 2.9.6

- Update version 2.8.7=>2.9.6
- Move 2.8.X branch to a new port sysutils/ansible8 and update to version 2.8.10
- Mark sysutils/ansible23 DEPRECATED as UPSTREAM support has ended
- Mark sysutils/ansible24 DEPRECATED as UPSTREAM support has ended
- Mark sysutils/ansible25 DEPRECATED as UPSTREAM support has ended
- Mark sysutils/ansible26 DEPRECATED as UPSTREAM support has ended
- Update sysutils/ansible27 to 2.7.16 as there are multiple vulnerabilities
  - **SECURITY** - CVE-2019-14904 - solaris_zone module accepts a zone name and
    performs actions related to it. However, there is no user input validation
    done while performing actions. A malicious user could provide a crafted zone
    name which allows executing commands on the server, manipulating the module
    behaviour. Adding user input validation as per the Solaris Zone documentation
    fixes this issue.
  - CVE-2019-14905 - nxos_file_copy module accepts a remote_file parameter which
    is used for the destination name and performs actions related to it on the
    device using the value of remote_file, which is of string type. However, there
    is no user input validation done while performing actions. Malicious code
    could craft the filename parameter to take advantage of this by performing an OS
    command injection. This fix validates whether the option value is a legitimate
    file path or not.
Comment 2 Muhammad Moinur Rahman freebsd_committer 2020-03-24 20:41:16 UTC
- Additionally fixes some issues from bug #233970
Comment 4 Kubilay Kocak freebsd_committer freebsd_triage 2020-03-25 02:21:18 UTC
Note: timeouts only apply from the date of the last proposed patch, not any possible patch.

If there are mostly bugfixes and/or security updates associated with the version ranges between the current port version and 2.9.6, please set the keyword security, CC ports-secteam and set merge-quarterly?
Comment 5 Muhammad Moinur Rahman freebsd_committer 2020-03-26 10:37:17 UTC
Version 2.8.7 is vulnerable to CVE-2019-14904
  - **SECURITY** - CVE-2019-14904 - solaris_zone module accepts a zone name and
    performs actions related to it. However, there is no user input validation
    done while performing actions. A malicious user could provide a crafted zone
    name which allows executing commands on the server, manipulating the module
    behaviour. Adding user input validation as per the Solaris Zone documentation
    fixes this issue.
  - CVE-2019-14905 - nxos_file_copy module accepts a remote_file parameter which
    is used for the destination name and performs actions related to it on the
    device using the value of remote_file, which is of string type. However, there
    is no user input validation done while performing actions. Malicious code
    could craft the filename parameter to take advantage of this by performing an OS
    command injection. This fix validates whether the option value is a legitimate
    file path or not.
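The following is an added example, not code from the Ansible project or from the patches attached to this bug, showing the kind of parameter allow-listing that both CVE entries (in Comment 1 and Comment 5) describe as the fix. It assumes the Solaris zone naming rules as stated in the Solaris zonecfg documentation (a name starts with an alphanumeric, continues with alphanumerics, '_', '-' or '.', is at most 63 characters long, and 'global' is reserved), assumes a relative path of plain segments as the rule for a remote_file style parameter, and builds the resulting command as an argv list executed without a shell so the validated value is always exactly one argument. The function names, the action allow-list and the sample inputs are this example's own constructions, not Ansible's.

```python
import re
import subprocess
from typing import Callable, Dict, List

# Allow-list for Solaris zone names. Assumed here from the Solaris zone naming
# rules (start with an alphanumeric; then alphanumerics, '_', '-', '.';
# at most 63 characters; 'global' is reserved). This is the example's own
# rule, not a copy of the check Ansible shipped for CVE-2019-14904.
_ZONE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,62}")

# Allow-list for one segment of a relative destination path on a device.
# Assumed rule for this example: only plain file-name characters.
_PATH_SEGMENT_RE = re.compile(r"[A-Za-z0-9_.+-]+")

# Assumed set of zoneadm subcommands this hypothetical module is willing to run.
_ALLOWED_ZONE_ACTIONS = ("boot", "halt", "install", "uninstall")


class ParameterValidationError(ValueError):
    """Raised when a module parameter fails its allow-list check."""


def validate_zone_name(name: object) -> str:
    """Return name if it is a syntactically valid, non-reserved zone name."""
    if not isinstance(name, str):
        raise ParameterValidationError("zone name must be a string")
    if name == "global":
        raise ParameterValidationError("'global' is reserved")
    # fullmatch rather than match() with '$': '$' would still accept a trailing newline
    if not _ZONE_NAME_RE.fullmatch(name):
        raise ParameterValidationError("invalid zone name: %r" % (name,))
    return name


def validate_remote_file(path: object) -> str:
    """Return path if it is a relative path of plain segments (no '', '.', '..')."""
    if not isinstance(path, str) or not path:
        raise ParameterValidationError("remote_file must be a non-empty string")
    if path.startswith("/"):
        raise ParameterValidationError("remote_file must be relative")
    for segment in path.split("/"):
        if segment in ("", ".", ".."):
            raise ParameterValidationError("empty or dot segment in %r" % (path,))
        if not _PATH_SEGMENT_RE.fullmatch(segment):
            raise ParameterValidationError("invalid segment %r in %r" % (segment, path))
    return path


def build_zoneadm_argv(action: str, zone_name: str) -> List[str]:
    """Build the argv list for 'zoneadm -z <zone> <action>' from validated inputs."""
    if action not in _ALLOWED_ZONE_ACTIONS:
        raise ParameterValidationError("unsupported action: %r" % (action,))
    # The zone name becomes exactly one argv element; with shell=False below,
    # no shell ever parses it, so metacharacters cannot alter the command.
    return ["zoneadm", "-z", validate_zone_name(zone_name), action]


def run_zoneadm(action: str, zone_name: str,
                runner: Callable[..., object] = subprocess.run) -> object:
    """Validate, then execute without a shell. 'runner' is injectable for tests."""
    return runner(build_zoneadm_argv(action, zone_name), shell=False, check=False)


def classify_samples() -> Dict[str, Dict[str, bool]]:
    """Run both validators over constructed sample inputs; True means accepted."""
    zone_samples = ["web01", "db-zone.2", "global", "", "x" * 64, "web01 x", "web01;x"]
    path_samples = ["bootflash/new.bin", "dir/.hidden", "/abs/path.bin",
                    "../escape.bin", "a//b", "name;x"]
    result: Dict[str, Dict[str, bool]] = {"zone": {}, "remote_file": {}}
    for sample in zone_samples:
        try:
            validate_zone_name(sample)
            result["zone"][sample] = True
        except ParameterValidationError:
            result["zone"][sample] = False
    for sample in path_samples:
        try:
            validate_remote_file(sample)
            result["remote_file"][sample] = True
        except ParameterValidationError:
            result["remote_file"][sample] = False
    return result


if __name__ == "__main__":
    for group, outcomes in classify_samples().items():
        for value, accepted in outcomes.items():
            print("%-12s %-22r %s" % (group, value, "accepted" if accepted else "rejected"))
```

The point of the argv list plus `shell=False` is that validation and command construction reinforce each other: even if the allow-list were loosened later, the parameter still reaches the executable as a single argument rather than as text a shell interprets.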