Bug 241734 - sysutils/ansible: Update to 2.9.6
Summary: sysutils/ansible: Update to 2.9.6
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Muhammad Moinur Rahman
URL:
Keywords: needs-qa, security
Depends on:
Blocks: 233970
Reported: 2019-11-05 12:36 UTC by ncrogers
Modified: 2020-03-27 13:20 UTC (History)

See Also:
bugzilla: maintainer-feedback? (lifanov)


Attachments
Update sysutils/ansible to version 2.9.0 (816 bytes, patch)
2019-11-05 12:36 UTC, ncrogers
Update to 2.9.6 (13.78 KB, patch)
2020-03-24 20:40 UTC, Muhammad Moinur Rahman

Description ncrogers 2019-11-05 12:36:46 UTC
Created attachment 208877 [details]
Update sysutils/ansible to version 2.9.0

Ansible 2.9.0 was released recently.

https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst

I was able to build sysutils/ansible for 2.9.0 by simply changing the version and running `make makesum`. FWIW that diff is attached.
Comment 1 Muhammad Moinur Rahman freebsd_committer 2020-03-24 20:40:16 UTC
Created attachment 212681 [details]
Update to 2.9.6

- Update version 2.8.7=>2.9.6
- Move 2.8.X branch to a new port sysutils/ansible8 and update to version 2.8.10
- Mark sysutils/ansible23 DEPRECATED as UPSTREAM support has ended
- Mark sysutils/ansible24 DEPRECATED as UPSTREAM support has ended
- Mark sysutils/ansible25 DEPRECATED as UPSTREAM support has ended
- Mark sysutils/ansible26 DEPRECATED as UPSTREAM support has ended
- Update sysutils/ansible27 to 2.7.16 as there are multiple vulnerabilities
  - **SECURITY** - CVE-2019-14904 - solaris_zone module accepts a zone name and
  performs actions related to it. However, there is no user input validation
  done while performing actions. A malicious user could provide a crafted zone
  name which allows executing commands on the server, manipulating the module
  behaviour. Adding user input validation as per the Solaris Zone documentation
  fixes this issue.
  - CVE-2019-14905 - nxos_file_copy module accepts a remote_file parameter which
  is used for the destination name and performs actions related to that on the
  device using the value of remote_file, which is of string type. However, there
  is no user input validation done while performing actions. Malicious code
  could craft the filename parameter to take advantage by performing an OS
  command injection. This fix validates whether the option value is a legitimate
  file path or not.
Comment 2 Muhammad Moinur Rahman freebsd_committer 2020-03-24 20:41:16 UTC
- Additionally fixes some issues from bug #233970
Comment 4 Kubilay Kocak freebsd_committer freebsd_triage 2020-03-25 02:21:18 UTC
Note: timeouts only apply from the date of the last proposed patch, not any possible patch.

If there are mostly bugfixes and/or security updates associated with the version ranges between the current port version and 2.9.6, please set keyword: security, cc ports-secteam and set merge-quarterly ?
Comment 5 Muhammad Moinur Rahman freebsd_committer 2020-03-26 10:37:17 UTC
Version 2.8.7 is Vulnerable to CVE-2019-14904
  - **SECURITY** - CVE-2019-14904 - solaris_zone module accepts a zone name and
  performs actions related to it. However, there is no user input validation
  done while performing actions. A malicious user could provide a crafted zone
  name which allows executing commands on the server, manipulating the module
  behaviour. Adding user input validation as per the Solaris Zone documentation
  fixes this issue.
  - CVE-2019-14905 - nxos_file_copy module accepts a remote_file parameter which
  is used for the destination name and performs actions related to that on the
  device using the value of remote_file, which is of string type. However, there
  is no user input validation done while performing actions. Malicious code
  could craft the filename parameter to take advantage by performing an OS
  command injection. This fix validates whether the option value is a legitimate
  file path or not.
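Both CVE descriptions quoted in Comment 1 and Comment 5 come down to the same defect: a string taken from the playbook (a zone name, a destination file name) reaches an OS command without being checked against what a legitimate value can look like. The following is an added illustration of that fix pattern, written for this page and not taken from the Ansible project's own patches. The zone-name rule follows the Solaris zonecfg documentation (alphanumeric start, then alphanumerics, underscore, hyphen or period, at most 63 characters); the remote-file rule is an assumed allow-list policy chosen for the example, and the zoneadm invocation is built as an argument list rather than a shell string so that a value which does slip through cannot be parsed as shell syntax.

```python
import re
from typing import List

# Zone name grammar as documented for Solaris zonecfg: first character
# alphanumeric, remaining characters alphanumeric, '_', '-' or '.', total
# length at most 63. This regex is written for this example, not copied
# from the Ansible module.
ZONE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,62}")

# Assumed allow-list for a device file path such as "bootflash:/images/x.bin":
# alphanumeric start, then alphanumerics, '_', '.', ':', '/' or '-'.
# No whitespace, no shell metacharacters, and no '..' path components.
REMOTE_FILE_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.:/-]*")


def is_valid_zone_name(name: str) -> bool:
    """Return True only if name matches the documented zone-name grammar."""
    # fullmatch (not match/search) so a trailing newline or extra text fails
    return ZONE_NAME_RE.fullmatch(name) is not None


def is_valid_remote_file(path: str) -> bool:
    """Return True only if path fits the assumed allow-list policy above."""
    if REMOTE_FILE_RE.fullmatch(path) is None:
        return False
    # Reject directory traversal even when every character is allowed.
    return all(part != ".." for part in path.split("/"))


def build_zoneadm_argv(zone_name: str, action: str) -> List[str]:
    """Build an argv list for zoneadm, refusing names that fail validation.

    Returning a list (to be passed to subprocess.run without shell=True)
    means no element is ever interpreted by a shell; validation then
    guards the value itself rather than its quoting.
    """
    if not is_valid_zone_name(zone_name):
        raise ValueError(f"invalid zone name: {zone_name!r}")
    if action not in ("boot", "halt", "install", "uninstall"):
        raise ValueError(f"unsupported action: {action!r}")
    return ["/usr/sbin/zoneadm", "-z", zone_name, action]


if __name__ == "__main__":
    # Constructed sample inputs; the first of each pair is legitimate.
    for candidate in ("web01", "web01; id"):
        print(f"zone {candidate!r}: valid={is_valid_zone_name(candidate)}")
    for candidate in ("bootflash:/images/nxos.bin", "x.bin && reboot"):
        print(f"file {candidate!r}: valid={is_valid_remote_file(candidate)}")
    print(build_zoneadm_argv("web01", "boot"))
```

The module-side check is deliberately an allow-list: rather than trying to enumerate dangerous characters, it accepts only the grammar the target system documents, which is the approach the changelog text describes ("validation as per Solaris Zone documentation").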