
Update Ansible to 2.4.5 or later #3891

Closed
emkll opened this Issue Oct 22, 2018 · 3 comments


emkll commented Oct 22, 2018

Description

Ansible 2.4.2 is used in:

There is currently a CVE associated with this version of Ansible, CVE-2018-10855:

Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.

SecureDrop does not use no_log, and as such this vulnerability does not directly affect SecureDrop. Updating Ansible will be required for CI to pass safety checks.

User Stories

As an admin, packages that are updated and do not have CVEs associated with them are good.
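As an added example (not code from the SecureDrop project or from Ansible), a small Python check in the spirit of the CI safety check mentioned above: it parses pinned `ansible==X.Y.Z` requirement lines and flags versions inside the ranges CVE-2018-10855 names as vulnerable (2.4 before 2.4.5, 2.5 before 2.5.5). The requirement lines are constructed sample input, and only exact `==` pins are handled.

```python
import re
from typing import List, Optional, Tuple

# Affected ranges as stated in CVE-2018-10855: 2.4.x before 2.4.5 and
# 2.5.x before 2.5.5. Assumption: series outside 2.4/2.5 are treated as not
# affected by this particular CVE (2.4 is EOL, so a supported 2.5.x or
# later release is the sensible target, as the thread notes).
FIXED_IN = {(2, 4): (2, 4, 5), (2, 5): (2, 5, 5)}

# Matches exact pins such as "ansible==2.4.2"; "ansible-lint==..." does not match.
PIN_RE = re.compile(r"^\s*ansible\s*==\s*([0-9]+(?:\.[0-9]+)*)", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.4.2' into (2, 4, 2); pad to three parts so tuples compare cleanly."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def affected_by_cve_2018_10855(version: str) -> bool:
    """True if this Ansible version falls in a range the CVE names as vulnerable."""
    v = parse_version(version)
    fixed = FIXED_IN.get(v[:2])
    return fixed is not None and v < fixed


def pinned_ansible_version(line: str) -> Optional[str]:
    """Extract the version from an 'ansible==X.Y.Z' requirement line, else None."""
    m = PIN_RE.match(line)
    return m.group(1) if m else None


def scan_requirements(lines: List[str]) -> List[Tuple[str, bool]]:
    """Return (version, affected) for every Ansible pin found in the given lines."""
    results = []
    for line in lines:
        version = pinned_ansible_version(line.split("#", 1)[0])  # drop comments
        if version:
            results.append((version, affected_by_cve_2018_10855(version)))
    return results


# Constructed sample requirement lines, not taken from the SecureDrop repository.
SAMPLE_REQUIREMENTS = [
    "ansible==2.4.2  # pinned in CI image",
    "paramiko==2.4.2",
    "Ansible==2.5.5",
    "ansible==2.6.8",
]

if __name__ == "__main__":
    for version, affected in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"ansible {version}: {'AFFECTED' if affected else 'ok'}")
```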

@redshiftzero redshiftzero added this to the 0.11.0 milestone Oct 26, 2018

@eloquence eloquence added this to Near Term Backlog in SecureDrop Team Board Nov 16, 2018

@eloquence eloquence moved this from Near Term Backlog to Current Sprint Backlog - 11/16-11/28 in SecureDrop Team Board Nov 16, 2018

ultimatecoder commented Nov 17, 2018

Ansible 2.4 is EOL source. Shouldn't it be upgraded to the lowest supported version which is 2.5.9?
Ansible v2.5.9 is greater than v2.5.5 as mentioned at CVE-2018-10855.

redshiftzero commented Nov 21, 2018

Good flag @ultimatecoder, we should indeed update to at least the lowest supported version.

ultimatecoder commented Nov 21, 2018

@redshiftzero Thanks!

@emkll emkll referenced this issue Nov 27, 2018

Closed

Upgrade ansible to 2.7.2 #3944

3 of 7 tasks complete

@redshiftzero redshiftzero moved this from Current Sprint Backlog - 11/16-11/28 to In Development in SecureDrop Team Board Nov 27, 2018

@emkll emkll referenced this issue Nov 28, 2018

Merged

Update ansible to 2.6.8 #3945

3 of 9 tasks complete

@emkll emkll moved this from In Development to Under Review in SecureDrop Team Board Nov 28, 2018

@emkll emkll moved this from Under Review to Ready for review in SecureDrop Team Board Nov 28, 2018

SecureDrop Team Board automation moved this from Ready for review to Done Nov 28, 2018
