Created attachment 158159 [details]
sysutils/ansible 1.9.1 -> 1.9.2

Please update sysutils/ansible to 1.9.2.
This update contains bugfixes and security fixes.

Changes:
https://raw.githubusercontent.com/ansible/ansible/v1.9.2-1/CHANGELOG.md
Created attachment 158160 [details] poudriere testport log
A commit references this bug:

Author: robak
Date: Tue Jun 30 11:45:32 UTC 2015
New revision: 390953
URL: https://svnweb.freebsd.org/changeset/ports/390953

Log:
  sysutils/ansible: update 1.9.1 -> 1.9.2

  * Security fix for CVE-2015-3908
  * Security fix for jail, zone and chroot plugins
  * Bugfixes: https://raw.githubusercontent.com/ansible/ansible/v1.9.2-1/CHANGELOG.md

  PR: 201200
  Submitted by: Nikolai Lifanov <lifanov@mail.lifanov.com> (maintainer)
  MFH: 2015Q2

Changes:
  head/sysutils/ansible/Makefile
  head/sysutils/ansible/distinfo
Committed, thanks for your work!
A commit references this bug:

Author: robak
Date: Tue Jun 30 12:26:32 UTC 2015
New revision: 390956
URL: https://svnweb.freebsd.org/changeset/ports/390956

Log:
  MFH: r390953

  sysutils/ansible: update 1.9.1 -> 1.9.2

  * Security fix for CVE-2015-3908
  * Security fix for jail, zone and chroot plugins
  * Bugfixes: https://raw.githubusercontent.com/ansible/ansible/v1.9.2-1/CHANGELOG.md

  PR: 201200
  Submitted by: Nikolai Lifanov <lifanov@mail.lifanov.com> (maintainer)
  Approved by: portmgr

Changes:
  _U branches/2015Q2/
robak@, The CVE-2015-3908 fix from the change log didn't get a security/vuxml entry to match. For that matter, none of the Ansible issues from http://www.ansible.com/security had been documented. I don't have the time today but I'll follow up in a day or so to document all the Ansible security issues unless I get beat to it. For now, just mention this so I can jump on the CC list for this PR.
Created attachment 158243 [details]
security/vuxml for ansible

robak@,

Can you commit the attached vuxml? This includes 6 entries to cover issues fixed in 1.2.1, 1.2.3, 1.6.4, 1.6.7, 1.7, and the recent 1.9.2 update and documents all the publicly acknowledged CVEs on http://www.ansible.com/security. The entries are very brief as Ansible's security disclosure page is rather brief.

== Validation steps:

# make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit ansible-1.2.0
ansible-1.2.0 is vulnerable:
ansible -- enable host key checking in paramiko connection type
CVE: CVE-2013-2233
WWW: https://vuxml.FreeBSD.org/freebsd/a478421e-2059-11e5-a4a5-002590263bf5.html

ansible-1.2.0 is vulnerable:
ansible -- local symlink exploits
CVE: CVE-2013-4260
CVE: CVE-2013-4259
WWW: https://vuxml.FreeBSD.org/freebsd/a6a9f9d5-205c-11e5-a4a5-002590263bf5.html

ansible-1.2.0 is vulnerable:
ansible -- multiple vulnerabilities
WWW: https://vuxml.FreeBSD.org/freebsd/e308c61a-2060-11e5-a4a5-002590263bf5.html

ansible-1.2.0 is vulnerable:
ansible -- multiple vulnerabilities
CVE: CVE-2015-3908
WWW: https://vuxml.FreeBSD.org/freebsd/72fccfdf-2061-11e5-a4a5-002590263bf5.html

ansible-1.2.0 is vulnerable:
ansible -- remote code execution vulnerability
CVE: CVE-2014-4678
WWW: https://vuxml.FreeBSD.org/freebsd/2c493ac8-205e-11e5-a4a5-002590263bf5.html

ansible-1.2.0 is vulnerable:
ansible -- code execution from compromised remote host data or untrusted local data
CVE: CVE-2014-4966
WWW: https://vuxml.FreeBSD.org/freebsd/9dae9d62-205f-11e5-a4a5-002590263bf5.html

1 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit ansible-1.9.2
0 problem(s) in the installed packages found.
Reopen pending VuXML changes in bug 201359
I, maintainer, approve the vuxml addition. Thank you for your work. I will keep it updated myself going forward.
I see that the updated patch has been committed. I think that this bug can be closed now.
(In reply to Nikolai Lifanov from comment #9) Thanks. You should be able to edit the bug and make it closed.