Hello community,

here is the log from the commit of package ansible.3921 for openSUSE:13.2:Update checked in at 2015-07-22 15:04:38
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.2:Update/ansible.3921 (Old)
 and      /work/SRC/openSUSE:13.2:Update/.ansible.3921.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "ansible.3921"

Changes:
--------
New Changes file:

--- /dev/null	2015-06-25 09:04:34.320025005 +0200
+++ /work/SRC/openSUSE:13.2:Update/.ansible.3921.new/ansible.changes	2015-07-22 15:04:40.000000000 +0200
@@ -0,0 +1,419 @@ +------------------------------------------------------------------- +Wed Jul 15 12:31:21 UTC 2015 - lars@linux-schulserver.de + +- added ansible-CVE-2015-3908.patch to fix CVE-2015-3908 + (bnc #938161) + +------------------------------------------------------------------- +Sun Aug 17 15:21:38 UTC 2014 - lars@linux-schulserver.de + +- update to 1.7.1: + Major new features: + + Windows support (alpha) using native PowerShell remoting + + Tasks can now specify run_once: true, meaning they will be executed + exactly once. This can be combined with delegate_to to trigger actions + you want done just the one time versus for every host in inventory. + + New Modules: + + cloud: azure + + cloud: rax_meta + + cloud: rax_scaling_group + + cloud: rax_scaling_policy + + windows: version of setup module + + windows: version of slurp module + + windows: win_feature + + windows: win_get_url + + windows: win_msi + + windows: win_ping + + windows: win_user + + windows: win_service + + windows: win_group + + New inventory scripts: + + SoftLayer + + Windows Azure + + Docker module bug fixes: + + Fixed support for specifying rw/ro bind modes for volumes + + Fixed support for allowing the tag in the image parameter + + Other notable changes: + + Performance enhancements related to previous security fixes, which + could cause slowness when modules returned very large JSON results. + This specifically impacted the unarchive module frequently, which + returns the details of all unarchived files in the result. + + Inventory speed improvements for very large inventories. + + Vault password files can now be executable, to support scripts + that fetch the vault password. 
+ + Fixes an issue with the copy module when copying a directory that + fails when changing file attributes and the target file already exists + + Improved unicode handling when splitting args + + Further improvements to module parameter parsing to address + additional regressions caused by security fixes + + Corrects a regression in the way shell and command parameters + were being parsed + + Various other bug fixes + + Security fixes: + + Security fix to disallow specifying 'args:' as a string, which could + allow the insertion of extra module parameters through variables. + + Strip lookup calls out of inventory variables and clean unsafe + data returned from lookup plugins (CVE-2014-4966) + + Make sure vars don't insert extra parameters into module args and + prevent duplicate params from superseding previous params (CVE-2014-4967) +- adapt specfile requirements for RedHat and Fedora + +------------------------------------------------------------------- +Thu Jul 10 12:53:16 UTC 2014 - lars@linux-schulserver.de + +- update to 1.6.6: + * Security updates to further protect against the incorrect + execution of untrusted data + * Additional tweaks to prevent the incorrect execution of + untrusted data + * Security update to prevent local operations from executing as + the result of specifically crafted untrusted data + +------------------------------------------------------------------- +Thu Jun 19 07:28:24 UTC 2014 - lars@linux-schulserver.de + +- update to 1.6.3: + * The deprecated legacy variable templating system has been + finally removed. Use {{ foo }} always not $foo or ${foo}. + * Any data file can also be JSON. Use sparingly -- with great power + comes great responsibility. Starting file with "{" or "[" denotes JSON. + * Added 'gathering' param for ansible.cfg to change the default + gather_facts policy. + * Accelerate improvements: + + multiple users can connect with different keys, when + accelerate_multi_key = yes is specified in the ansible.cfg. 
+ + daemon lifetime is now based on the time from the last activity, + not the time from the daemon's launch. + * ansible-playbook now accepts --force-handlers to run handlers + even if tasks result in failures. + * Added VMWare support with the vsphere_guest module. + * many new modules and ther notable changes, please read + /usr/share/doc/packages/ansible/CHANGELOG.md for details +- use new upstream URL(s) +- require python-httplib2 and python-setuptools +- ignore "wrong" permissions of synchronize.py +- ignore rpmlint warning about requiring python-httplib2 explicitely + +------------------------------------------------------------------- +Thu Mar 20 23:24:56 UTC 2014 - lars@linux-schulserver.de + +- update to 1.5.3: + * Fixes to the git module related to host key checking + * Force command action to not be executed by the shell unless + specifically enabled. + * Validate SSL certs accessed through urllib*. + * Implement new default cipher class AES256 in ansible-vault. + * Misc bug fixes. + +------------------------------------------------------------------- +Sat Mar 8 11:08:25 UTC 2014 - lars@linux-schulserver.de + +- update to 1.5: + Major features/changes: + * when_foo which was previously deprecated is now removed, use + "when:" instead. Code generates appropriate error suggestion. + * include + with_items which was previously deprecated is now + removed, ditto. Use with_nested / with_together, etc. + * only_if, which is much older than when_foo and was deprecated, + is similarly removed. + * ssh connection plugin is now more efficient if you add + 'pipelining=True' in ansible.cfg under [ssh_connection], + see example.cfg + * localhost/127.0.0.1 is not required to be in inventory if + referenced, if not in inventory, it does not implicitly appear + in the 'all' group. + * git module has new parameters (accept_hostkey, key_file, ssh_opts) + to ease the usage of git and ssh protocols. 
+ * when using accelerate mode, the daemon will now be restarted + when specifying a different remote_user between plays. + * added no_log: option for tasks. When used, no logging information + will be sent to syslog during the module execution. + * acl module now handles 'default' and allows for either shorthand + entry or specific fields per entry section + * play_hosts is a new magic variable to provide a list of hosts + in scope for the current play. + * ec2 module now accepts 'exact_count' and 'count_tag' as a way to + enforce a running number of nodes by tags. + * all ec2 modules that work with Eucalyptus also now support a + 'validate_certs' option, which can be set to 'off' for installations + using self-signed certs. + * Start of new integration test infrastructure (WIP) + * if repoquery is unavailble, the yum module will automatically + attempt to install yum-utils + * ansible-vault: a framework for encrypting your playbooks + and variable files + + Other notable changes (many new module params & bugfixes may not not listed): + * no_reboot is now defaulted to "no" in the ec2_ami module to ensure + filesystem consistency in the resulting AMI. 
+ * sysctl module overhauled + * authorized_key module overhauled + * synchronized module now handles local transport better + * apt_key module now ignores case on keys + * zypper_repository now skips on check mode + * file module now responds to force behavior when dealing with hardlinks + * new lookup plugin 'csvfile' + * fixes to allow hash_merge behavior to work with dynamic inventory + * mysql module will use port argument on dump/import + * subversion module now ignores locale to better intercept status messages + * rax api_key argument is no longer logged + * backwards/forwards compatibility for OpenStack modules, 'quantum' + modules grok neutron renaming + * hosts properly uniqueified if appearing in redundant groups + * hostname module support added for ScientificLinux + * ansible-pull can now show live stdout and pass verbosity levels + to ansible-playbook + * ec2 instances can now be stopped or started + * additional volumes can be created when creating new ec2 instances + * user module can move a home directory + * significant enhancement and cleanup of rackspace modules + * ansible_ssh_private_key_file can be templated + * docker module updated to support docker-py 0.3.0 + * various other bug fixes + * md5 logic improved during sudo operation + * support for ed25519 keys in authorized_key module + * ability to set directory permissions during a recursive copy + (directory_mode parameter) + * update docker module, support for using docker python + library 0.3.0 + +------------------------------------------------------------------- +Thu Feb 27 17:39:07 UTC 2014 - lars@linux-schulserver.de + +- update to 1.4.5: + + fixed issue with permissions being incorrect on + fireball/accelerate keys when the umask setting was too loose. 
+ +------------------------------------------------------------------- +Sun Jan 19 03:12:17 UTC 2014 - lars@linux-schulserver.de + +- update to 1.4.4: + + Fixed issue with newer versions of pip not having --use-mirrors + + Fixed role_path parsing from ansible.cfg ++++ 222 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:13.2:Update/.ansible.3921.new/ansible.changes New: ---- CHANGELOG.md ansible-1.7.1.tar.bz2 ansible-CVE-2015-3908.patch ansible-rpmlintrc ansible.changes ansible.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ansible.spec ++++++ # # spec file for package ansible # # Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # Copyright 2013 by Lars Vogdt # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. 
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Name:           ansible
Version:        1.7.1
Release:        0
Summary:        SSH-based configuration management, deployment, and orchestration engine
License:        GPL-3.0+
Group:          System/Management
Url:            http://www.ansible.com/
# http://releases.ansible.com/ansible/ansible-%%{version}.tar.gz
Source0:        %{name}-%{version}.tar.bz2
Source1:        %{name}-rpmlintrc
# https://raw.github.com/ansible/ansible/release%%{version}/CHANGELOG.md
Source2:        CHANGELOG.md
Patch0:         ansible-CVE-2015-3908.patch
Requires:       sshpass
#
# (open)SUSE
#
%if 0%{?suse_version}
BuildRequires:  python-devel
BuildRequires:  python-setuptools
Requires:       python-PyYAML
Requires:       python-httplib2
Requires:       python-jinja2
Requires:       python-keyczar
Requires:       python-setuptools
%if 0%{?suse_version} > 01020
BuildRequires:  fdupes
Recommends:     python-paramiko
%else
Requires:       python-paramiko
%endif
%if 0%{?suse_version} <= 1110
%{!?python_sitelib: %global python_sitelib %(python -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
%else
BuildArch:      noarch
%endif
%endif
#
# RHEL
#
%if 0%{?rhel} && 0%{?rhel} <= 5
%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")}
%if 0%{?rhel} == 5
%define __python /usr/bin/python26
%endif
BuildRequires:  python26-devel
BuildRequires:  python26-setuptools
Requires:       python26-PyYAML
Requires:       python26-httplib2
Requires:       python26-httplib2
Requires:       python26-jinja2
Requires:       python26-keyczar
Requires:       python26-paramiko
Requires:       python26-setuptools
%endif
%if 0%{?rhel} > 5 || 0%{?rhel_version} > 505
BuildRequires:  python26-devel
BuildRequires:  python26-setuptools
Requires:       python26-PyYAML
Requires:       python26-httplib2
Requires:       python26-httplib2
Requires:       python26-jinja2
Requires:       python26-keyczar
Requires:       python26-paramiko
Requires:       python26-setuptools
%endif
%if 0%{?rhel} == 6
Requires:       python-crypto2.6
%endif
#
# Fedora
#
%if 0%{?fedora}
BuildRequires:  python-devel
BuildRequires:  python-setuptools
Requires:       PyYAML
Requires:       python-httplib2
Requires:       python-httplib2
Requires:       python-jinja2
Requires:       python-keyczar
Requires:       python-paramiko
Requires:       python-setuptools
%endif
BuildRoot:      %{_tmppath}/%{name}-%{version}-build

%description
Ansible is a radically simple model-driven configuration management,
multi-node deployment, and remote task execution system. Ansible works
over SSH and does not require any software or daemons to be installed
on remote nodes. Extension modules can be written in any language and
are transferred to managed machines automatically.

%prep
%setup -q
%patch0 -p1
install -m644 %{SOURCE2} .

%build
%{__python} setup.py build

%install
%{__python} setup.py install -O1 --prefix=%{_prefix} --root=%{buildroot}
mkdir -p %{buildroot}%{_sysconfdir}/ansible/
cp examples/hosts %{buildroot}%{_sysconfdir}/ansible/
cp examples/ansible.cfg %{buildroot}%{_sysconfdir}/ansible/
mkdir -p %{buildroot}%{_mandir}/man1/
cp -v docs/man/man1/*.1 %{buildroot}%{_mandir}/man1/
mkdir -p %{buildroot}%{_datadir}/ansible
cp -vr library/* %{buildroot}%{_datadir}/ansible/
%if 0%{?suse_version} > 01020
%fdupes %{buildroot}
%endif

%clean
rm -rf %{buildroot}

%files
%defattr(-,root,root,-)
%{python_sitelib}/ansible*
%{_bindir}/ansible*
%dir %{_datadir}/ansible
%dir %{_datadir}/ansible/*
%{_datadir}/ansible/*/*
%config(noreplace) %{_sysconfdir}/%{name}
%doc README.md PKG-INFO COPYING CHANGELOG.md
%doc %{_mandir}/man1/ansible*
%doc examples/playbooks

%changelog
++++++ CHANGELOG.md ++++++
++++ 1365 lines (skipped)
++++++ ansible-CVE-2015-3908.patch ++++++
Index: ansible-1.7.1/lib/ansible/module_utils/urls.py
===================================================================
--- ansible-1.7.1.orig/lib/ansible/module_utils/urls.py
+++ ansible-1.7.1/lib/ansible/module_utils/urls.py
@@ -50,6 +50,15 @@ try: except: HAS_SSL=False +HAS_MATCH_HOSTNAME = True +try: + from ssl import match_hostname, CertificateError +except ImportError: + try: + from backports.ssl_match_hostname import match_hostname, CertificateError + except ImportError: + HAS_MATCH_HOSTNAME = False + import os import re import socket @@ -244,11 +253,13 @@ class SSLValidationHandler(urllib2.BaseH connect_result = s.recv(4096) self.validate_proxy_response(connect_result) ssl_s = ssl.wrap_socket(s, ca_certs=tmp_ca_cert_path, cert_reqs=ssl.CERT_REQUIRED) + match_hostname(ssl_s.getpeercert(), self.hostname) else: self.module.fail_json(msg='Unsupported proxy scheme: %s. Currently ansible only supports HTTP proxies.' % proxy_parts.get('scheme')) else: s.connect((self.hostname, self.port)) ssl_s = ssl.wrap_socket(s, ca_certs=tmp_ca_cert_path, cert_reqs=ssl.CERT_REQUIRED) + match_hostname(ssl_s.getpeercert(), self.hostname) # close the ssl connection #ssl_s.unwrap() s.close() @@ -262,6 +273,9 @@ class SSLValidationHandler(urllib2.BaseH 'Use validate_certs=no or make sure your managed systems have a valid CA certificate installed. ' + \ 'Paths checked for this platform: %s' % ", ".join(paths_checked) ) + except CertificateError: + self.module.fail_json(msg="SSL Certificate does not belong to %s. Make sure the url has a certificate that belongs to it or use validate_certs=no (insecure)" % self.hostname) + try: # cleanup the temp file created, don't worry # if it fails for some reason 
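Review bot: the first hunk (the HAS_MATCH_HOSTNAME import block) leaves `match_hostname` and `CertificateError` unbound when both imports fail, yet the only guard on that flag is the fail_json in fetch_url; SSLValidationHandler itself calls `match_hostname(ssl_s.getpeercert(), self.hostname)` unconditionally and its `except CertificateError:` clause would raise NameError while handling an exception, so any other caller of the handler gets a traceback instead of a clean failure. Bind stand-ins in the inner `except ImportError:` branch, e.g. `class CertificateError(ValueError): pass` and a `match_hostname` that raises it, so the handler always fails through fail_json.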
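Review bot: in the second hunk (the two `ssl.wrap_socket` call sites) the new `match_hostname(ssl_s.getpeercert(), self.hostname)` line is duplicated in the proxy and direct-connect branches; both branches assign `ssl_s` and fall through to the same `s.close()`, so a single call placed after the if/else, just before the close, covers both paths and cannot be missed if another connection path is added later. The argument is correct as written: `self.hostname` is the target host, not the proxy, which is the name the leaf certificate must match.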
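Review bot: the new `except CertificateError:` branch in the third hunk exits through `fail_json` before the temp CA file cleanup that follows it (`try: # cleanup the temp file created ...`), so a hostname mismatch leaves `tmp_ca_cert_path` on disk; the existing CA-validation failure branch just above has the same problem, so consider moving the cleanup into a `finally:` that runs before either fail_json. Minor: catch the exception as `e` and include `str(e)` in the message, since match_hostname's CertificateError already states which names the certificate was issued for, which is what an operator needs to tell a misconfigured URL from a spoofed endpoint.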
@@ -314,27 +328,29 @@ def fetch_url(module, url, data=None, he # FIXME: change the following to use the generic_urlparse function # to remove the indexed references for 'parsed' parsed = urlparse.urlparse(url) - if parsed[0] == 'https': - if not HAS_SSL and validate_certs: + if parsed[0] == 'https' and validate_certs: + if not HAS_SSL: if distribution == 'Redhat': module.fail_json(msg='SSL validation is not available in your version of python. You can use validate_certs=no, however this is unsafe and not recommended. You can also install python-ssl from EPEL') else: module.fail_json(msg='SSL validation is not available in your version of python. You can use validate_certs=no, however this is unsafe and not recommended') + if not HAS_MATCH_HOSTNAME: + module.fail_json(msg='Available SSL validation does not check that the certificate matches the hostname. You can install backports.ssl_match_hostname or update your managed machine to python-2.7.9 or newer. You could also use validate_certs=no, however this is unsafe and not recommended') - elif validate_certs: - # do the cert validation - netloc = parsed[1] - if '@' in netloc: - netloc = netloc.split('@', 1)[1] - if ':' in netloc: - hostname, port = netloc.split(':', 1) - else: - hostname = netloc - port = 443 - # create the SSL validation handler and - # add it to the list of handlers - ssl_handler = SSLValidationHandler(module, hostname, port) - handlers.append(ssl_handler) + # do the cert validation + netloc = parsed[1] + if '@' in netloc: + netloc = netloc.split('@', 1)[1] + if ':' in netloc: + hostname, port = netloc.split(':', 1) + port = int(port) + else: + hostname = netloc + port = 443 + # create the SSL validation handler and + # add it to the list of handlers + ssl_handler = SSLValidationHandler(module, hostname, port) + handlers.append(ssl_handler) if parsed[0] != 'ftp': username = module.params.get('url_username', '') ++++++ ansible-rpmlintrc ++++++ 
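Review bot: in this last hunk the added `port = int(port)` fixes the string port previously handed to SSLValidationHandler, but it raises an unhandled ValueError on a malformed port (a URL like `https://host:abc/`), which surfaces as a traceback rather than a fail_json, and the `netloc.split(':', 1)` above it still breaks bracketed IPv6 literals. Since the FIXME at the top of the hunk already points at generic_urlparse, the cheaper fix is `parsed.hostname` and `parsed.port or 443` from the urlparse result, which strip userinfo and brackets for you, with a fail_json around the ValueError that `.port` raises for a bad value. Also worth documenting that the new `HAS_MATCH_HOSTNAME` fail_json turns a silently unchecked hostname into a hard error for Python builds without ssl.match_hostname or the backport, so the Requires in the spec may need `python-backports.ssl_match_hostname` on older targets.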
addFilter("non-executable-script.*/usr/share/ansible/.*");
addFilter("non-executable-script.*/usr/.*/ansible/utils/module_docs.py");
addFilter("non-executable-script.*/usr/.*/ansible/runner/action_plugins/synchronize.py");
# A Python HTTP client library ...
addFilter("explicit-lib-dependency python-httplib2");