Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[20.03] ansible: v2.9.2 → v2.9.9, v2.8.11 → v2.8.12, v2.7.17 → v2.7.18, mark v2.6 as insecure #88038

Merged
merged 5 commits into from May 18, 2020
Merged

[20.03] ansible: v2.9.2 → v2.9.9, v2.8.11 → v2.8.12, v2.7.17 → v2.7.18, mark v2.6 as insecure #88038

merged 5 commits into from May 18, 2020

Conversation

mweinelt
Copy link
Member

Motivation for this change
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@mweinelt
Copy link
Member Author

One remaining issue is that the "Known issues" message for ansible_2_6 references the wrong ansible version (v2.9.9).

❯ nix-build -A ansible_2_6
error: Package ‘python3.7-ansible-2.9.9’ in /home/hexa/git/nixos/release-20.03/pkgs/tools/admin/ansible/default.nix:30 is marked as insecure, refusing to evaluate.


Known issues:
 - Ansible 2.6 is End-of-Life since 2019/11/06 and affected by multiple CVEs.

You can install it anyway by whitelisting this package, using the
following methods:

a) for `nixos-rebuild` you can add ‘python3.7-ansible-2.9.9’ to
   `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
   like so:

     {
       nixpkgs.config.permittedInsecurePackages = [
         "python3.7-ansible-2.9.9"
       ];
     }

b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘python3.7-ansible-2.9.9’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:

     {
       permittedInsecurePackages = [
         "python3.7-ansible-2.9.9"
       ];
     }


(use '--show-trace' to show detailed location information)

@mweinelt mweinelt changed the title [20.03] Ansible: v2.9.2 → v2.9.9, v2.8.11 → v2.8.12, v2.7.17 → v2.7.18, mark v2.6 as insecure [20.03] ansible: v2.9.2 → v2.9.9, v2.8.11 → v2.8.12, v2.7.17 → v2.7.18, mark v2.6 as insecure May 18, 2020
@ofborg ofborg bot requested a review from costrouc May 18, 2020 00:31
flokli
flokli requested changes May 18, 2020
View reviewed changes
Copy link
Contributor

@flokli flokli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for doing this @mweinelt!

The bump to 2.9.9 misses the cherry-picked from information. Can you repush this?

Regarding the insecure notice, that's a somewhat known issue, I'd consider it out of scope for this PR - and 2.6 was dropped on master anyway to to it being EOL.

@mweinelt
ansible: v2.9.2 → v2.9.7
46ee780 
Fixes: CVE-2020-10684, CVE-2020-1733, CVE-2020-1735, CVE-2020-1739, CVE-2020-1740
(cherry picked from commit dde1577)
@mweinelt
ansible: v2.9.7 → v2.9.9
92fd2e5 
(cherry picked from commit 0dea984)
@mweinelt
ansible_2_8: v2.8.11 → v2.8.12
3a1771d 
(cherry picked from commit c0e6848)
@mweinelt
ansible_2_7: v2.7.17 → v2.7.18
b403f32 
(cherry picked from commit 25233a5)
@mweinelt
ansible_2_6: mark as insecure
905b027 
Ansible 2.6 went EOL in 2019/11/06 and several CVEs have since come up.
@mweinelt
Copy link
Member Author

@flokli Done

@flokli flokli merged commit 66901f0 into NixOS:release-20.03 May 18, 2020
@mweinelt mweinelt deleted the 20.03/ansible branch May 18, 2020 11:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@flokli flokli flokli approved these changes

@FRidh FRidh Awaiting requested review from FRidh FRidh is a code owner

@jonringer jonringer Awaiting requested review from jonringer

@costrouc costrouc Awaiting requested review from costrouc

Assignees
No one assigned
Labels
1.severity: security 6.topic: python 8.has: clean-up 10.rebuild-darwin: 11-100 10.rebuild-linux: 11-100
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@mweinelt @flokli