Bug 241734

Summary: sysutils/ansible: Update to 2.9.6
Product: Ports & Packages
Reporter: ncrogers
Component: Individual Port(s)
Assignee: Muhammad Moinur Rahman <bofh>
Status: Closed FIXED
Severity: Affects Many People
CC: bofh, david, ports-secteam, python
Priority: Normal
Keywords: security
Version: Latest
Flags: bugzilla: maintainer-feedback? (lifanov)
Hardware: Any
OS: Any
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233970
Bug Depends on:    
Bug Blocks: 233970    
Attachments:
- attachment 208877: Update sysutils/ansible to version 2.9.0 (flags: none)
- attachment 212681: Update to 2.9.6 (flags: koobs: maintainer-approval+)

Description ncrogers 2019-11-05 12:36:46 UTC
Created attachment 208877 [details]
Update sysutils/ansible to version 2.9.0

Ansible 2.9.0 was released recently.

https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst

I was able to build sysutils/ansible for 2.9.0 by simply changing the version and running `make makesum`. FWIW that diff is attached.
Comment 1 Muhammad Moinur Rahman freebsd_committer freebsd_triage 2020-03-24 20:40:16 UTC
Created attachment 212681 [details]
Update to 2.9.6

- Update version 2.8.7=>2.9.6
- Move 2.8.X branch to a new port sysutils/ansible8 and update to version 2.8.10
- Mark sysutils/ansible23 DEPRECATED as UPSTREAM support has ended
- Mark sysutils/ansible24 DEPRECATED as UPSTREAM support has ended
- Mark sysutils/ansible25 DEPRECATED as UPSTREAM support has ended
- Mark sysutils/ansible26 DEPRECATED as UPSTREAM support has ended
- Update sysutils/ansible27 to 2.7.16 as there are multiple vulnerabilities
  - **SECURITY** - CVE-2019-14904 - solaris_zone module accepts zone name and
  performs actions related to that. However, there is no user input validation
  done while performing actions. A malicious user could provide a crafted zone
  name which allows executing commands on the server, manipulating the module
  behaviour. Adding user input validation as per Solaris Zone documentation
  fixes this issue.
  - CVE-2019-14905 - nxos_file_copy module accepts remote_file parameter which
  is used for destination name and performs actions related to that on the
  device using the value of remote_file, which is of string type. However, there
  is no user input validation done while performing actions. Malicious code
  could craft the filename parameter to take advantage by performing an OS
  command injection. This fix validates whether the option value is a legitimate
  file path or not.
Comment 2 Muhammad Moinur Rahman freebsd_committer freebsd_triage 2020-03-24 20:41:16 UTC
- Additionally fixes some issues from bug #233970
Comment 4 Kubilay Kocak freebsd_committer freebsd_triage 2020-03-25 02:21:18 UTC
Note: timeouts only apply from the date of the last proposed patch, not any possible patch.

If there are mostly bugfixes and/or security updates associated with the version ranges between the current port version and 2.9.6, please set keyword: security, CC ports-secteam and set merge-quarterly?
Comment 5 Muhammad Moinur Rahman freebsd_committer freebsd_triage 2020-03-26 10:37:17 UTC
Version 2.8.7 is vulnerable to CVE-2019-14904
  - **SECURITY** - CVE-2019-14904 - solaris_zone module accepts zone name and
  performs actions related to that. However, there is no user input validation
  done while performing actions. A malicious user could provide a crafted zone
  name which allows executing commands on the server, manipulating the module
  behaviour. Adding user input validation as per Solaris Zone documentation
  fixes this issue.
  - CVE-2019-14905 - nxos_file_copy module accepts remote_file parameter which
  is used for destination name and performs actions related to that on the
  device using the value of remote_file, which is of string type. However, there
  is no user input validation done while performing actions. Malicious code
  could craft the filename parameter to take advantage by performing an OS
  command injection. This fix validates whether the option value is a legitimate
  file path or not.
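Both CVE descriptions quoted in Comment 1 and Comment 5 come down to the same defect: a module parameter (the zone name, the remote_file name) is formatted into a command without an allow-list check. The following is an added illustration of that class and of the allow-list fix; it is not code from Ansible, from the upstream patches or from the FreeBSD port. The zone-name rule is an assumption taken from the Solaris zonecfg documentation (alphanumeric first character, then alphanumerics, underscore, hyphen and period, at most 63 characters, "global" and SUNW* reserved), the remote_file rule is a deliberately conservative reading of "legitimate file path", and every function name below is hypothetical.

```python
"""Allow-list validation for the two parameters named in the CVE text.

Added illustration, not code from Ansible or from the FreeBSD port:
the zone-name rule is an assumption taken from the Solaris zonecfg
documentation, the remote_file rule is a deliberately conservative
notion of "legitimate file path", and every function name here is
hypothetical.
"""
import re
import shlex

# Solaris zone names: first character alphanumeric, then alphanumerics,
# '_', '-' or '.', 63 characters at most; "global" and SUNW* are reserved.
# (Assumption: per the zonecfg documentation, not copied from the patch.)
_ZONE_NAME_RE = re.compile(r'^[A-Za-z0-9][A-Za-z0-9_.-]{0,62}$')

# remote_file on the device: one plain file name, no directory parts,
# no shell metacharacters. (Assumption: stricter than NX-OS itself.)
_REMOTE_FILE_RE = re.compile(r'^[A-Za-z0-9][A-Za-z0-9_.-]{0,254}$')


def is_valid_zone_name(name):
    """True only for names that satisfy the allow-list above."""
    if not isinstance(name, str) or not _ZONE_NAME_RE.match(name):
        return False
    return name != 'global' and not name.startswith('SUNW')


def is_valid_remote_file(remote_file):
    """True only for a single, traversal-free file name."""
    return (isinstance(remote_file, str)
            and _REMOTE_FILE_RE.match(remote_file) is not None
            and '..' not in remote_file)


def shell_line_tokens(name, action='boot'):
    """Show what a formatted shell line does with an unvalidated name.

    The string is tokenised the way a POSIX shell would (shlex with
    punctuation_chars); nothing is executed. A name such as 'foo;id'
    becomes a second command. This demonstrates the injection class the
    CVE text describes, not the module's exact code path.
    """
    line = '/usr/sbin/zoneadm -z %s %s' % (name, action)
    return list(shlex.shlex(line, punctuation_chars=True))


def zoneadm_argv(name, action='boot'):
    """The safe shape: validate first, then pass an argv list (no shell)."""
    if not is_valid_zone_name(name):
        raise ValueError('rejected zone name: %r' % (name,))
    return ['/usr/sbin/zoneadm', '-z', name, action]


if __name__ == '__main__':
    crafted = 'foo;id'                     # constructed sample input
    print('shell sees :', shell_line_tokens(crafted))
    try:
        zoneadm_argv(crafted)
    except ValueError as err:
        print('validated  :', err)
    print('argv       :', zoneadm_argv('web01'))
    print('remote_file:', is_valid_remote_file('nxos.9.3.5.bin'),
          is_valid_remote_file('../bootflash/x; reload'))
```

The point of `shell_line_tokens` is that the dangerous step is string formatting into a command line, not the presence of any particular character: once the value reaches a shell, `;`, `|`, `&` and `$(...)` all become syntax. Validating against an allow-list and then passing an argv list closes both halves of that gap; a deny-list of metacharacters closes only one.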
Comment 6 Kubilay Kocak freebsd_committer freebsd_triage 2020-04-17 10:26:50 UTC
Comment on attachment 212681 [details]
Update to 2.9.6

Approved by: portmgr (maintainer timeout, > 14 days)
Comment 7 Kubilay Kocak freebsd_committer freebsd_triage 2020-04-17 10:32:06 UTC
@Muhammad Can you add comment blocks to each patch describing what they're for and include upstream references/links to issues, PRs, commits where appropriate

Also: 

- Comment ${RM} ${STAGEDIR}${PYTHONPREFIX_SITELIBDIR}/ansible_test/_data/injector/ansible-inventory line

- Try to only add USES=shebangfix to the port that needs it, rather than adding in the master, and resetting USES for each slave

- The expiration date (EXPIRATION_DATE=2020-04-24) added for older ansible versions is too close. Give users at least a month to see the message before they are potentially deleted.

- Add actions the user should take to the DEPRECATED reason (Like use sysutils/ansibleXY or higher)

- Needs a VuXML entry for affected ansible port/package versions and clarity on how the full changeset will be committed (if multiple commits are necessary), in order to ensure all vulnerable quarterly versions have updates merged to them
Comment 8 commit-hook freebsd_committer freebsd_triage 2020-04-17 22:32:12 UTC
A commit references this bug:

Author: bofh
Date: Fri Apr 17 22:31:58 UTC 2020
New revision: 531978
URL: https://svnweb.freebsd.org/changeset/ports/531978

Log:
  sysutils/ansible: Multiple Vulnerabilities fix

  - Update ansible 2.8.7=>2.8.11
  - Update ansible27 2.7.15=>2.7.17
  - For ansible27 add fixes [1]
    - Rudimentary detection of the virtual platforms
    - playbook hangs without ASSUME_ALWAYS_YES for pkgng
    - Fix zpool snapshot cloning
    - Fix `doas` password authentication
    - Mark ansible26, ansible25, ansible24 and ansible23 DEPRECATED without
      EXPIRATION_DATE for MFH

  PR:             241734 233970 [1]
  Submitted by:   timur [1]
  Reported by:    ncrogers@gmail.com
  Approved by:    portmgr (maintainer timeout, > 14 days)
  MFH:            2020Q2 (bugfix release)
  Security:       CVE-2020-1737
  Security:       CVE-2020-1739
  Security:       CVE-2020-1740

Changes:
  head/sysutils/ansible/Makefile
  head/sysutils/ansible/distinfo
  head/sysutils/ansible/files/extra-patch-27
  head/sysutils/ansible23/Makefile
  head/sysutils/ansible24/Makefile
  head/sysutils/ansible25/Makefile
  head/sysutils/ansible26/Makefile
  head/sysutils/ansible27/Makefile
  head/sysutils/ansible27/distinfo
Comment 9 Muhammad Moinur Rahman freebsd_committer freebsd_triage 2020-04-17 22:41:35 UTC
(In reply to Kubilay Kocak from comment #7)
Stage 1 and Stage 2 completed. Awaiting MFH. Will continue on Stage 3.
Comment 10 Kubilay Kocak freebsd_committer freebsd_triage 2020-04-18 02:30:27 UTC
^Triage: VuXML entry added (issue ID not referenced) in ports r531977
Comment 11 commit-hook freebsd_committer freebsd_triage 2020-04-18 11:49:16 UTC
A commit references this bug:

Author: bofh
Date: Sat Apr 18 11:48:34 UTC 2020
New revision: 532025
URL: https://svnweb.freebsd.org/changeset/ports/532025

Log:
  MFH: r531978

  sysutils/ansible: Multiple Vulnerabilities fix

  - Update ansible 2.8.7=>2.8.11
  - Update ansible27 2.7.15=>2.7.17
  - For ansible27 add fixes [1]
    - Rudimentary detection of the virtual platforms
    - playbook hangs without ASSUME_ALWAYS_YES for pkgng
    - Fix zpool snapshot cloning
    - Fix `doas` password authentication
    - Mark ansible26, ansible25, ansible24 and ansible23 DEPRECATED without
      EXPIRATION_DATE for MFH

  PR:             241734 233970 [1]
  Submitted by:   timur [1]
  Reported by:    ncrogers@gmail.com
  Approved by:    portmgr (maintainer timeout, > 14 days)
  Security:       https://www.vuxml.org/freebsd/0899c0d3-80f2-11ea-bafd-815569f3852d.html
  Security:       https://www.vuxml.org/freebsd/67dbeeb6-80f4-11ea-bafd-815569f3852d.html
  Security:       https://www.vuxml.org/freebsd/ae2e7871-80f6-11ea-bafd-815569f3852d.html

  Approved by:	ports-secteam (blanket bug fix release)

Changes:
_U  branches/2020Q2/
  branches/2020Q2/sysutils/ansible/Makefile
  branches/2020Q2/sysutils/ansible/distinfo
  branches/2020Q2/sysutils/ansible/files/extra-patch-27
  branches/2020Q2/sysutils/ansible23/Makefile
  branches/2020Q2/sysutils/ansible24/Makefile
  branches/2020Q2/sysutils/ansible25/Makefile
  branches/2020Q2/sysutils/ansible26/Makefile
  branches/2020Q2/sysutils/ansible27/Makefile
  branches/2020Q2/sysutils/ansible27/distinfo
Comment 12 commit-hook freebsd_committer freebsd_triage 2020-04-28 20:46:49 UTC
A commit references this bug:

Author: bofh
Date: Tue Apr 28 20:46:10 UTC 2020
New revision: 533266
URL: https://svnweb.freebsd.org/changeset/ports/533266

Log:
  sysutils/ansible: Update version 2.8.11=>2.9.7

  - Create sysutils/ansible28 from sysutils/ansible
  - Set EXPIRATION_DATE to 20200530 for ansible23 ansible24 ansible25 and
    ansible26 as they are no longer maintained by upstream
  - Bump ansible23 ansible24 ansible25 ansible26 and ansible27 for CONFLICTS
    with ansible28

  PR:             241734
  Submitted by:   ncrogers@gmail.com
  Approved by:    portmgr (maintainer-timeout)

Changes:
  head/UPDATING
  head/sysutils/Makefile
  head/sysutils/ansible/Makefile
  head/sysutils/ansible/distinfo
  head/sysutils/ansible23/Makefile
  head/sysutils/ansible24/Makefile
  head/sysutils/ansible25/Makefile
  head/sysutils/ansible26/Makefile
  head/sysutils/ansible27/Makefile
  head/sysutils/ansible28/
  head/sysutils/ansible28/Makefile
  head/sysutils/ansible28/distinfo
  head/sysutils/ansible28/files/
  head/sysutils/ansible28/pkg-descr