Created attachment 158377
security/vuxml entry for ansible

Document the ansible CVE fixed in bug 201200. Also, Ansible security issues documented at http://www.ansible.com/security were never documented and they all impacted FreeBSD at some point in the history of the port. As such, document them all now.

Note this separate PR for vuxml will make the bug 201200 comment 6 patch obsolete. That was tagged on after the PR.
Nice work Jason, and thank you again for all your activity on the issue tracker recently :)

Given bug 201200 is already closed, we have the option of

* Re-opening it and depending it on this to 'complete' it.
* Just treating this issue as a follow-up and adding this bug See Also:

The goal is explicit and clear references for our future selves (and the vuxml entries being added of course).

I'll take your lead on which way you want to go.

Also, I presume make check passed for vuxml.xml?
(In reply to Kubilay Kocak from comment #1)

The validation was in bug 201200 comment 6.

    # make validate
    /bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
    >>> Validating...
    /usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
    >>> Successful.
    Checking if tidy differs...
    ... seems okay
    Checking for space/tab...
    ... seems okay
    /usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

    # env PKG_DBDIR=/usr/ports/security/vuxml pkg audit ansible-1.2.0
    ansible-1.2.0 is vulnerable:
    ansible -- enable host key checking in paramiko connection type
    CVE: CVE-2013-2233
    WWW: https://vuxml.FreeBSD.org/freebsd/a478421e-2059-11e5-a4a5-002590263bf5.html

    ansible-1.2.0 is vulnerable:
    ansible -- local symlink exploits
    CVE: CVE-2013-4260
    CVE: CVE-2013-4259
    WWW: https://vuxml.FreeBSD.org/freebsd/a6a9f9d5-205c-11e5-a4a5-002590263bf5.html

    ansible-1.2.0 is vulnerable:
    ansible -- multiple vulnerabilities
    WWW: https://vuxml.FreeBSD.org/freebsd/e308c61a-2060-11e5-a4a5-002590263bf5.html

    ansible-1.2.0 is vulnerable:
    ansible -- multiple vulnerabilities
    CVE: CVE-2015-3908
    WWW: https://vuxml.FreeBSD.org/freebsd/72fccfdf-2061-11e5-a4a5-002590263bf5.html

    ansible-1.2.0 is vulnerable:
    ansible -- remote code execution vulnerability
    CVE: CVE-2014-4678
    WWW: https://vuxml.FreeBSD.org/freebsd/2c493ac8-205e-11e5-a4a5-002590263bf5.html

    ansible-1.2.0 is vulnerable:
    ansible -- code execution from compromised remote host data or untrusted local data
    CVE: CVE-2014-4966
    WWW: https://vuxml.FreeBSD.org/freebsd/9dae9d62-205f-11e5-a4a5-002590263bf5.html

    1 problem(s) in the installed packages found.

    # env PKG_DBDIR=/usr/ports/security/vuxml pkg audit ansible-1.9.2
    0 problem(s) in the installed packages found.
You're too good, sorry I missed that
(In reply to Kubilay Kocak from comment #1) For the sake of being complete, covering the issue as part of the original PR makes the most sense. Particularly since we already document the fix in SVN as a security issue it seems like we are only half done until vuxml matches up to the commit log. I am ok with re-opening the original PR and awaiting the vuxml commit as a close action.
(In reply to Jason Unovitch from comment #4) Agreed. You should be able to re-open bug 201200 and set depends on this bug. Let me know if you can't.
(In reply to Kubilay Kocak from comment #5) I was not the originator for bug 201200 so I don't have permissions to edit the bug's status.
(In reply to Jason Unovitch from comment #6) Thanks Jason, you should be able to obsolete your vuxml patch in that bug though right?
(In reply to Kubilay Kocak from comment #7) Correct. The original patch is now marked obsolete.
A commit references this bug:

Author: feld
Date: Mon Jul 6 03:30:25 UTC 2015
New revision: 391386
URL: https://svnweb.freebsd.org/changeset/ports/391386

Log:
  Document ansible vulnerabilities

  PR: 201359

Changes:
  head/security/vuxml/vuln.xml
Thanks a ton Jason!