On Sat, Aug 31, 2019 at 04:22:38PM +0200, Lee Garrett wrote: > Hi Mike! > > (please don't CC Michael, he is not active on the ansible package > anymore and asked to be removed from uploaders.) > > On 30/08/2019 12:09, Mike Gabriel wrote: > > The Debian LTS team recently reviewed the security issue(s) affecting your > > package in Jessie: > > https://security-tracker.debian.org/tracker/source-package/ansible > > > > We decided that a member of the LTS team should take a look at this > > package, although the security impact of still open issues is low. When > > resources are available on our side, one of the LTS team members will > > start working on fixes for those minor security issues, as we think that > > the jessie users would most certainly benefit from a fixed package. > > That sounds good. Though I really don't know how many people still use > the oldoldstable packages. The bug reports and backport requests (on the > BTS and in private) I get tend to be from stable and newer. Most common > requests are for backports updates. > > If you think it's a good thing I'm more than happy to help. I agree with > your assessment that all CVEs are of very low impact. There's a jessie > git branch you can make releases from which I can give you access to. If > you need any help feel free to help. I currently don't have capacity to > commit to maintaining LTS, too, as IRL tends to come in between. :) > Hi Lee,
Of the CVEs I've looked at so far there are 4. One was an issue in the template engine that was introduced in version 2.x, so it didn't apply at all to the jessie version. I've been able to backport patches for 2 other CVEs without too much difficulty. The fourth is still in progress, though it is not that difficult either. Of those 3 which I have patched or am working on so far, the X.509 certificate hostname validation was not that severe. However, the symlink attack allowing escape from a chroot/jail and the reading of configuration from a world-readable $PWD seem serious enough to merit attention. That said, I'd be glad to have an additional review on the patches, which hopefully shouldn't require much time/effort on your part. My Salsa handle is @roberto. If you could give me access to the project I'll move my work over to the jessie branch there to help keep everything in one place. Regards, -Roberto -- Roberto C. Sánchez
