Re: Jessie update of ansible (minor security issues)?
On Sat, Aug 31, 2019 at 04:22:38PM +0200, Lee Garrett wrote:
> Hi Mike!
> (please don't CC Michael, he is not active on the ansible package
> anymore and asked to be removed from uploaders.)
> On 30/08/2019 12:09, Mike Gabriel wrote:
> > The Debian LTS team recently reviewed the security issue(s) affecting your
> > package in Jessie:
> > https://security-tracker.debian.org/tracker/source-package/ansible
> > We decided that a member of the LTS team should take a look at this
> > package, although the security impact of still open issues is low. When
> > resources are available on our side, one of the LTS team members will
> > start working on fixes for those minor security issues, as we think that
> > the jessie users would most certainly benefit from a fixed package.
> That sounds good. Though I really don't know how many people still use
> the oldoldstable packages. The bug reports and backport requests (on the
> BTS and in private) I get tend to be from stable and newer. Most common
> requests are for backports updates.
> If you think it's a good thing I'm more than happy to help. I agree with
> your assessment that all CVEs are of very low impact. There's a jessie
> git branch you can make releases from which I can give you access to. If
> you need any help feel free to help. I currently don't have capacity to
> commit to maintaining LTS, too, as IRL tends to come in between. :)
Of the CVEs I've looked at so far there are 4. One was an issue in the
template engine that was introduced in version 2.x, so it didn't apply
at all to the jessie version. I've been able to backport patches for 2
other CVEs without too much difficulty. The fourth is still in
progress, though it is not that difficult either. Of those 3 which I
have patched or am working on so far, the X.509 certificate hostname
validation was not that severe. However, the symlink attack allowing
escape from a chroot/jail and the reading of configuration from a
world-readable $PWD seem serious enough to merit attention.
That said, I'd be glad to have an additional review on the patches,
which hopefully shouldn't require much time/effort on your part.
My Salsa handle is @roberto. If you could give me access to the project
I'll move my work over to the jessie branch there to help keep
everything in one place.
Roberto C. Sánchez
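The third class of issue Roberto lists above, loading configuration from a working directory that other users control, comes down to a small set of filesystem checks before a config file in $PWD is trusted. The following is an added example written for this page; it is not code from the Ansible package, from the Debian jessie branch, or from either correspondent. It treats a directory as untrusted when it is owned by someone else or writable by group or others (the precondition for another user planting a file there; the mail itself says "world-readable", and the writable-directory framing is this example's own assumption), and it also refuses a config that is a symlink, which overlaps with the symlink-escape point. The file name `ansible.cfg`, the `config_in_dir` and `demo` helpers, and the sample config contents are all constructed for illustration. POSIX-only.

```python
import os
import stat
import tempfile

CONFIG_NAME = "ansible.cfg"  # assumed name; any per-directory config file works the same way


def config_in_dir(dirpath, name=CONFIG_NAME):
    """Return (path, "ok") if a config file in dirpath may be trusted, else (None, reason).

    Rules (this example's own, not the project's):
      - dirpath must be a real directory owned by the caller or root,
      - dirpath must not be writable by group or others,
      - the config must be a regular file (not a symlink) owned by the caller.
    lstat() is used throughout so that a symlink is seen as a symlink.
    """
    try:
        dst = os.lstat(dirpath)
    except FileNotFoundError:
        return None, "directory missing"
    if not stat.S_ISDIR(dst.st_mode):
        return None, "not a directory"
    if dst.st_uid not in (os.getuid(), 0):
        return None, "directory owned by another user"
    if dst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return None, "directory writable by group/others"

    path = os.path.join(dirpath, name)
    try:
        fst = os.lstat(path)
    except FileNotFoundError:
        return None, "no config file"
    if stat.S_ISLNK(fst.st_mode):
        return None, "config is a symlink"
    if not stat.S_ISREG(fst.st_mode):
        return None, "config is not a regular file"
    if fst.st_uid != os.getuid():
        return None, "config owned by another user"
    return path, "ok"


def demo():
    """Build four constructed directories and report what the check says about each."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        # 1. Private project directory with the user's own config: accepted.
        safe = os.path.join(base, "project")
        os.mkdir(safe, 0o700)
        with open(os.path.join(safe, CONFIG_NAME), "w") as f:
            f.write("[defaults]\nhost_key_checking = True\n")  # constructed content
        results["private_dir"] = config_in_dir(safe)[1]

        # 2. A /tmp-like directory (mode 1777): anyone could have dropped a config here.
        shared = os.path.join(base, "shared")
        os.mkdir(shared, 0o700)
        with open(os.path.join(shared, CONFIG_NAME), "w") as f:
            f.write("[defaults]\naction_plugins = /tmp/evil\n")  # constructed content
        os.chmod(shared, 0o1777)
        results["world_writable_dir"] = config_in_dir(shared)[1]

        # 3. Config that is a symlink pointing elsewhere: refused without following it.
        linked = os.path.join(base, "linked")
        os.mkdir(linked, 0o700)
        os.symlink(os.path.join(safe, CONFIG_NAME), os.path.join(linked, CONFIG_NAME))
        results["symlinked_config"] = config_in_dir(linked)[1]

        # 4. Directory with no config at all.
        empty = os.path.join(base, "empty")
        os.mkdir(empty, 0o700)
        results["no_config"] = config_in_dir(empty)[1]
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The check deliberately looks at the directory's mode bits rather than at the config file's own permissions: a file the attacker created will be owned by the attacker and readable by everyone, so the question is not whether the file is readable but whether someone else could have put it there. Walking up to the real `$PWD` with `os.getcwd()` and passing that in is the intended use.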