Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[20.03] ansible: v2.9.2 → v2.9.9, v2.8.11 → v2.8.12, v2.7.17 → v2.7.18, mark v2.6 as insecure #88038

Merged
merged 5 commits into from May 18, 2020

Conversation

@mweinelt
Copy link
Member

mweinelt commented May 18, 2020

Motivation for this change
  • Missed backporting a security bump from #86980
  • Backport recent minor versions from #88037
  • Mark Ansible 2.6 as insecure, since it's EOL and the CVEs in #86980 happened
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
@mweinelt mweinelt requested review from FRidh and jonringer as code owners May 18, 2020
@mweinelt
Copy link
Member Author

mweinelt commented May 18, 2020

One remaining issue is that the "Known issues" message for ansible_2_6 references the wrong ansible version (v2.9.9).

❯ nix-build -A ansible_2_6
error: Package ‘python3.7-ansible-2.9.9’ in /home/hexa/git/nixos/release-20.03/pkgs/tools/admin/ansible/default.nix:30 is marked as insecure, refusing to evaluate.


Known issues:
 - Ansible 2.6 is End-of-Life since 2019/11/06 and affected by multiple CVEs.

You can install it anyway by whitelisting this package, using the
following methods:

a) for `nixos-rebuild` you can add ‘python3.7-ansible-2.9.9’ to
   `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
   like so:

     {
       nixpkgs.config.permittedInsecurePackages = [
         "python3.7-ansible-2.9.9"
       ];
     }

b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘python3.7-ansible-2.9.9’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:

     {
       permittedInsecurePackages = [
         "python3.7-ansible-2.9.9"
       ];
     }


(use '--show-trace' to show detailed location information)
@mweinelt mweinelt changed the title [20.03] Ansible: v2.9.2 → v2.9.9, v2.8.11 → v2.8.12, v2.7.17 → v2.7.18, mark v2.6 as insecure [20.03] ansible: v2.9.2 → v2.9.9, v2.8.11 → v2.8.12, v2.7.17 → v2.7.18, mark v2.6 as insecure May 18, 2020
@ofborg ofborg bot requested a review from costrouc May 18, 2020
Copy link
Contributor

flokli left a comment

Thanks for doing this @mweinelt!

The bump to 2.9.9 misses the cherry-picked from information. Can you repush this?

Regarding the insecure notice, that's a somewhat known issue, I'd consider it out of scope for this PR - and 2.6 was dropped on master anyway to to it being EOL.

mweinelt added 5 commits May 5, 2020
Fixes: CVE-2020-10684, CVE-2020-1733, CVE-2020-1735, CVE-2020-1739, CVE-2020-1740
(cherry picked from commit dde1577)
(cherry picked from commit 0dea984)
(cherry picked from commit c0e6848)
(cherry picked from commit 25233a5)
Ansible 2.6 went EOL in 2019/11/06 and several CVEs have since come up.
@mweinelt mweinelt force-pushed the mweinelt:20.03/ansible branch from afbacea to 905b027 May 18, 2020
@mweinelt
Copy link
Member Author

mweinelt commented May 18, 2020

@flokli Done

@flokli
flokli approved these changes May 18, 2020
@flokli flokli merged commit 66901f0 into NixOS:release-20.03 May 18, 2020
@mweinelt mweinelt deleted the mweinelt:20.03/ansible branch May 18, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

2 participants
You can’t perform that action at this time.