Bug 201200 - [maintainer] [update] sysutils/ansible 1.9.2
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Bartek Rutkowski
Depends on: 201359
Reported: 2015-06-29 14:43 UTC by Nikolai Lifanov
Modified: 2015-07-06 13:02 UTC

Attachments
sysutils/ansible 1.9.1 -> 1.9.2 (747 bytes, patch)
2015-06-29 14:43 UTC, Nikolai Lifanov
lifanov: maintainer-approval+
poudriere testport log (229.35 KB, text/plain)
2015-06-29 14:44 UTC, Nikolai Lifanov
security/vuxml for ansible (6.72 KB, patch)
2015-07-02 02:57 UTC, Jason Unovitch

Description Nikolai Lifanov 2015-06-29 14:43:38 UTC
Created attachment 158159
sysutils/ansible 1.9.1 -> 1.9.2

Please update sysutils/ansible to 1.9.2.
This update contains bugfixes and security fixes.

Changes:
https://raw.githubusercontent.com/ansible/ansible/v1.9.2-1/CHANGELOG.md
Comment 1 Nikolai Lifanov 2015-06-29 14:44:01 UTC
Created attachment 158160
poudriere testport log
Comment 2 commit-hook freebsd_committer freebsd_triage 2015-06-30 11:45:51 UTC
A commit references this bug:

Author: robak
Date: Tue Jun 30 11:45:32 UTC 2015
New revision: 390953
URL: https://svnweb.freebsd.org/changeset/ports/390953

Log:
  sysutils/ansible: update 1.9.1 -> 1.9.2

  * Security fix for CVE-2015-3908
  * Security fix for jail, zone and chroot plugins
  * Bugfixes: https://raw.githubusercontent.com/ansible/ansible/v1.9.2-1/CHANGELOG.md

  PR:		201200
  Submitted by:	Nikolai Lifanov <lifanov@mail.lifanov.com> (maintainer)
  MFH:		2015Q2

Changes:
  head/sysutils/ansible/Makefile
  head/sysutils/ansible/distinfo
Comment 3 Bartek Rutkowski freebsd_committer freebsd_triage 2015-06-30 11:47:07 UTC
Committed, thanks for your work!
Comment 4 commit-hook freebsd_committer freebsd_triage 2015-06-30 12:26:54 UTC
A commit references this bug:

Author: robak
Date: Tue Jun 30 12:26:32 UTC 2015
New revision: 390956
URL: https://svnweb.freebsd.org/changeset/ports/390956

Log:
  MFH: r390953

  sysutils/ansible: update 1.9.1 -> 1.9.2

  * Security fix for CVE-2015-3908
  * Security fix for jail, zone and chroot plugins
  * Bugfixes: https://raw.githubusercontent.com/ansible/ansible/v1.9.2-1/CHANGELOG.md

  PR:		201200
  Submitted by:	Nikolai Lifanov <lifanov@mail.lifanov.com> (maintainer)
  Approved by:	portmgr

Changes:
_U  branches/2015Q2/
Comment 5 Jason Unovitch freebsd_committer freebsd_triage 2015-07-01 00:57:51 UTC
robak@,
The CVE-2015-3908 fix from the change log didn't get a security/vuxml entry to match. For that matter, none of the Ansible issues from http://www.ansible.com/security had been documented.

I don't have the time today but I'll follow up in a day or so to document all the Ansible security issues unless I get beat to it. For now, I'm just mentioning this so I can jump on the CC list for this PR.
Comment 6 Jason Unovitch freebsd_committer freebsd_triage 2015-07-02 02:57:27 UTC
Created attachment 158243
security/vuxml for ansible

robak@,
Can you commit the attached vuxml? This includes 6 entries to cover issues fixed in 1.2.1, 1.2.3, 1.6.4, 1.6.7, 1.7, and the recent 1.9.2 update and documents all the publicly acknowledged CVEs on http://www.ansible.com/security. The entries are very brief as Ansible's security disclosure page is rather brief.

== Validation steps:

# make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit ansible-1.2.0
ansible-1.2.0 is vulnerable:
ansible -- enable host key checking in paramiko connection type
CVE: CVE-2013-2233
WWW: https://vuxml.FreeBSD.org/freebsd/a478421e-2059-11e5-a4a5-002590263bf5.html

ansible-1.2.0 is vulnerable:
ansible -- local symlink exploits
CVE: CVE-2013-4260
CVE: CVE-2013-4259
WWW: https://vuxml.FreeBSD.org/freebsd/a6a9f9d5-205c-11e5-a4a5-002590263bf5.html

ansible-1.2.0 is vulnerable:
ansible -- multiple vulnerabilities
WWW: https://vuxml.FreeBSD.org/freebsd/e308c61a-2060-11e5-a4a5-002590263bf5.html

ansible-1.2.0 is vulnerable:
ansible -- multiple vulnerabilities
CVE: CVE-2015-3908
WWW: https://vuxml.FreeBSD.org/freebsd/72fccfdf-2061-11e5-a4a5-002590263bf5.html

ansible-1.2.0 is vulnerable:
ansible -- remote code execution vulnerability
CVE: CVE-2014-4678
WWW: https://vuxml.FreeBSD.org/freebsd/2c493ac8-205e-11e5-a4a5-002590263bf5.html

ansible-1.2.0 is vulnerable:
ansible -- code execution from compromised remote host data or untrusted local data
CVE: CVE-2014-4966
WWW: https://vuxml.FreeBSD.org/freebsd/9dae9d62-205f-11e5-a4a5-002590263bf5.html

1 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit ansible-1.9.2
0 problem(s) in the installed packages found.
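
Added example (not part of the original comment, the vuxml attachment, or pkg itself): a Python model of the VuXML range check that the two `pkg audit` runs above exercise, showing why 1.2.0 matches every entry and 1.9.2 matches none. Assumptions: each entry is a single `<lt>` bound at one of the fix versions named in comment 6, the vids and topics are constructed placeholders, and version comparison covers dotted numeric versions only.

```python
import xml.etree.ElementTree as ET
from itertools import zip_longest

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed VuXML fragment: one <lt> range per fix version named in comment 6.
# The vids and topics are placeholders, not the entries from the attachment.
FIXED_IN = ["1.2.1", "1.2.3", "1.6.4", "1.6.7", "1.7", "1.9.2"]
SAMPLE = '<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">' + "".join(
    f'<vuln vid="constructed-{i}"><topic>ansible -- placeholder {i}</topic>'
    f"<affects><package><name>ansible</name><range><lt>{v}</lt></range>"
    "</package></affects></vuln>"
    for i, v in enumerate(FIXED_IN, 1)
) + "</vuxml>"

def vkey(version):
    """Simplified key: dotted numeric components only (no epochs/revisions)."""
    return [int(part) for part in version.split(".")]

def compare(a, b):
    """Return -1, 0 or 1; missing components count as 0, so 1.7 == 1.7.0."""
    for x, y in zip_longest(vkey(a), vkey(b), fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0

# The five bound elements a VuXML <range> may contain.
OPS = {"lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
       "ge": lambda c: c >= 0, "gt": lambda c: c > 0}

def in_range(version, rng):
    """All bounds inside one <range> must hold for the version to be affected."""
    return all(OPS[b.tag.split("}")[1]](compare(version, b.text)) for b in rng)

def audit(xml_text, name, version):
    """Return the vids of entries whose <affects> matches name and version."""
    hits = []
    for vuln in ET.fromstring(xml_text).findall("v:vuln", NS):
        for pkg in vuln.findall("v:affects/v:package", NS):
            names = [n.text for n in pkg.findall("v:name", NS)]
            ranges = pkg.findall("v:range", NS)
            if name in names and any(in_range(version, r) for r in ranges):
                hits.append(vuln.get("vid"))
                break
    return hits

if __name__ == "__main__":
    for ver in ("1.2.0", "1.6.5", "1.9.2"):
        print(ver, audit(SAMPLE, "ansible", ver))
```

An intermediate version such as 1.6.5 matches only the entries whose bound is above it, which is the case the two runs in the comment do not cover.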
Comment 7 Kubilay Kocak freebsd_committer freebsd_triage 2015-07-05 16:37:58 UTC
Reopen pending VuXML changes in bug 201359
Comment 8 Nikolai Lifanov 2015-07-06 12:39:38 UTC
I, maintainer, approve the vuxml addition. Thank you for your work.
I will keep it updated myself going forward.
Comment 9 Nikolai Lifanov 2015-07-06 12:51:31 UTC
I see that the updated patch has been committed.
I think that this bug can be closed now.
Comment 10 Jason Unovitch freebsd_committer freebsd_triage 2015-07-06 13:00:58 UTC
(In reply to Nikolai Lifanov from comment #9)

Thanks.  You should be able to edit the bug and make it closed.