Re: Jessie update of ansible (minor security issues)?
On Wed, Sep 04, 2019 at 02:07:39PM -0400, Roberto C. Sánchez wrote:
> In any event, I have moved my work onto that branch and have already
> some commits locally. Would you like for me to push my commits (one per
> CVE) as I go so that you can look them over? Or would you prefer that I
> push all the changes together once all my work is complete?

create a branch jessie-proposed (or whatever) and push it now?

--
cheers,
Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Re: Jessie update of ansible (minor security issues)?
On Sat, Aug 31, 2019 at 04:22:38PM +0200, Lee Garrett wrote:
>
> If you think it's a good thing I'm more than happy to help. I agree with
> your assessment that all CVEs are of very low impact. There's a jessie
> git branch you can make releases from which I can give you access to. If
> you need any help feel free to help. I currently don't have capacity to
> commit to maintaining LTS, too, as IRL tends to come in between. :)
>
Lee,

I took a look yesterday and I saw that the ansible project in Salsa has
1000+ maintainers, which I think is every DD. I cloned it and found the
jessie branch with Chris Lamb's security update from last year as the most
recent changelog entry on that branch. That matches what is in the archive.

In any event, I have moved my work onto that branch and have already some
commits locally. Would you like for me to push my commits (one per CVE) as
I go so that you can look them over? Or would you prefer that I push all
the changes together once all my work is complete?

Regards,

-Roberto

--
Roberto C. Sánchez
Re: Jessie update of ansible (minor security issues)?
On Sat, Aug 31, 2019 at 04:22:38PM +0200, Lee Garrett wrote:
> Hi Mike!
>
> (please don't CC Michael, he is not active on the ansible package
> anymore and asked to be removed from uploaders.)
>
> On 30/08/2019 12:09, Mike Gabriel wrote:
> > The Debian LTS team recently reviewed the security issue(s) affecting your
> > package in Jessie:
> > https://security-tracker.debian.org/tracker/source-package/ansible
> >
> > We decided that a member of the LTS team should take a look at this
> > package, although the security impact of still open issues is low. When
> > resources are available on our side, one of the LTS team members will
> > start working on fixes for those minor security issues, as we think that
> > the jessie users would most certainly benefit from a fixed package.
>
> That sounds good. Though I really don't know how many people still use
> the oldoldstable packages. The bug reports and backport requests (on the
> BTS and in private) I get tend to be from stable and newer. Most common
> requests are for backports updates.
>
> If you think it's a good thing I'm more than happy to help. I agree with
> your assessment that all CVEs are of very low impact. There's a jessie
> git branch you can make releases from which I can give you access to. If
> you need any help feel free to help. I currently don't have capacity to
> commit to maintaining LTS, too, as IRL tends to come in between. :)
>
Hi Lee,

Of the CVEs I've looked at so far there are 4. One was an issue in the
template engine that was introduced in version 2.x, so it didn't apply at
all to the jessie version. I've been able to backport patches for 2 other
CVEs without too much difficulty. The fourth is still in progress, though
it is not that difficult either.

Of those 3 which I have patched or am working on so far, the X.509
certificate hostname validation was not that severe. However, the symlink
attack allowing escape from a chroot/jail and the reading of configuration
from a world-readable $PWD seem serious enough to merit attention.

That said, I'd be glad to have an additional review on the patches, which
hopefully shouldn't require much time/effort on your part. My Salsa handle
is @roberto. If you could give me access to the project I'll move my work
over to the jessie branch there to help keep everything in one place.

Regards,

-Roberto

--
Roberto C. Sánchez
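The two issues Roberto singles out above, a symlink that lets a path escape a chroot/jail and a configuration file picked up from the current directory, are both classic local-attacker problems. The thread does not name the CVEs or show the patches, so the following is an added illustration of the two checks a hardened implementation would make, not ansible's code and not the Debian patches. The jail check resolves every symlink before deciding whether a path is still inside the jail; the config check refuses a current directory that other users can write to (the message says "world-readable", but writability by others is what lets an attacker plant a file, so that is the assumption used here). The function names, the directory layout and the sample files are all constructed for the demonstration.

```python
import os
import stat
import tempfile


def resolve_in_jail(jail_root, user_path):
    """Resolve user_path relative to jail_root and return the real path,
    or None when the resolved target lies outside the jail.

    os.path.realpath follows every symlink in the chain, so a link
    inside the jail that points outside is rejected instead of being
    followed. Absolute user paths are treated as jail-relative.
    (Illustrative helper, not from the page or from ansible.)
    """
    jail_real = os.path.realpath(jail_root)
    candidate = os.path.join(jail_real, user_path.lstrip("/"))
    resolved = os.path.realpath(candidate)
    # Compare with a trailing separator so "/srv/jail2" does not pass as
    # being inside "/srv/jail".
    if resolved == jail_real or resolved.startswith(jail_real + os.sep):
        return resolved
    return None


def config_dir_is_trusted(directory):
    """Hypothetical policy for config files picked up from the current
    directory: refuse a directory that other users can write to, since any
    of them could plant a config file there. Only the world-writable bit
    is checked; the sticky bit does not help, because an attacker can
    still create their own file in a sticky directory such as /tmp."""
    mode = os.stat(directory).st_mode
    return not (mode & stat.S_IWOTH)


def demo():
    """Build a throwaway jail with a symlink pointing outside it and a
    pair of candidate config directories, and report what each check
    decides. Everything is constructed on the fly in a temporary
    directory; nothing is read from the real system."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        jail = os.path.join(tmp, "jail")
        os.makedirs(os.path.join(jail, "etc"))
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("outside the jail\n")
        # The classic escape: a symlink inside the jail targeting a file outside.
        os.symlink(secret, os.path.join(jail, "etc", "link"))

        results["plain_file_allowed"] = resolve_in_jail(jail, "etc/motd") is not None
        results["dotdot_blocked"] = resolve_in_jail(jail, "../secret.txt") is None
        results["symlink_blocked"] = resolve_in_jail(jail, "etc/link") is None
        results["absolute_made_relative"] = (
            resolve_in_jail(jail, "/etc/motd")
            == os.path.join(os.path.realpath(jail), "etc", "motd")
        )

        private = os.path.join(tmp, "private_cwd")
        shared = os.path.join(tmp, "shared_cwd")
        os.mkdir(private)
        os.mkdir(shared)
        # os.mkdir applies the umask, so set the modes explicitly.
        os.chmod(private, 0o755)
        os.chmod(shared, 0o777)
        results["private_cwd_trusted"] = config_dir_is_trusted(private)
        results["shared_cwd_trusted"] = config_dir_is_trusted(shared)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of `resolve_in_jail` is that a naive `startswith` on the joined string would accept `etc/link`, because the escape only appears after the symlink is followed; resolving first and comparing second is what closes that hole. The config check is deliberately narrow: it does not try to decide whether a file is "safe", it simply refuses to consult a directory an attacker could have written into.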
Re: Jessie update of ansible (minor security issues)?
Hi Lee,

thanks for the reply.

On Sa 31 Aug 2019 16:22:38 CEST, Lee Garrett wrote:

> Hi Mike!
>
> (please don't CC Michael, he is not active on the ansible package
> anymore and asked to be removed from uploaders.)
>
> On 30/08/2019 12:09, Mike Gabriel wrote:
>> The Debian LTS team recently reviewed the security issue(s) affecting your
>> package in Jessie:
>> https://security-tracker.debian.org/tracker/source-package/ansible
>>
>> We decided that a member of the LTS team should take a look at this
>> package, although the security impact of still open issues is low. When
>> resources are available on our side, one of the LTS team members will
>> start working on fixes for those minor security issues, as we think that
>> the jessie users would most certainly benefit from a fixed package.
>
> That sounds good. Though I really don't know how many people still use
> the oldoldstable packages. The bug reports and backport requests (on the
> BTS and in private) I get tend to be from stable and newer. Most common
> requests are for backports updates.
>
> If you think it's a good thing I'm more than happy to help. I agree with
> your assessment that all CVEs are of very low impact. There's a jessie
> git branch you can make releases from which I can give you access to. If
> you need any help feel free to help. I currently don't have capacity to
> commit to maintaining LTS, too, as IRL tends to come in between. :)
>
>> If you'd rather want to work on such an update yourself, you're welcome
>> to do so. Please send us a short notification to the debian-lts mailing
>> list (debian-lts@lists.debian.org), expressing your intention to work on
>> issues yourself. Otherwise, no action is required from your side.
>>
>> When working on issues, please try to follow the workflow we have defined
>> here: https://wiki.debian.org/LTS/Development
>>
>> If that workflow is a burden to you, feel free to just prepare an
>> updated source package and send it to debian-lts@lists.debian.org (via a
>> debdiff, or with an URL pointing to the source package, or even with a
>> pointer to your packaging repository), and the members of the LTS team
>> will take care of the rest. However please make sure to submit a tested
>> package.
>>
>> Thank you very much.
>>
>> Mike Gabriel,
>> on behalf of the Debian LTS team.
>
> Regards,
> Lee

Roberto Sánchez from the LTS team picked up ansible and he will look into
things the coming week, as I heard from him yesterday. I'll leave it to him
to reply and get back to you.

Greets,
Mike

--
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Re: Jessie update of ansible (minor security issues)?
Hi Mike!

(please don't CC Michael, he is not active on the ansible package
anymore and asked to be removed from uploaders.)

On 30/08/2019 12:09, Mike Gabriel wrote:
> The Debian LTS team recently reviewed the security issue(s) affecting your
> package in Jessie:
> https://security-tracker.debian.org/tracker/source-package/ansible
>
> We decided that a member of the LTS team should take a look at this
> package, although the security impact of still open issues is low. When
> resources are available on our side, one of the LTS team members will
> start working on fixes for those minor security issues, as we think that
> the jessie users would most certainly benefit from a fixed package.

That sounds good. Though I really don't know how many people still use
the oldoldstable packages. The bug reports and backport requests (on the
BTS and in private) I get tend to be from stable and newer. Most common
requests are for backports updates.

If you think it's a good thing I'm more than happy to help. I agree with
your assessment that all CVEs are of very low impact. There's a jessie
git branch you can make releases from which I can give you access to. If
you need any help feel free to help. I currently don't have capacity to
commit to maintaining LTS, too, as IRL tends to come in between. :)

> If you'd rather want to work on such an update yourself, you're welcome
> to do so. Please send us a short notification to the debian-lts mailing
> list (debian-lts@lists.debian.org), expressing your intention to work on
> issues yourself. Otherwise, no action is required from your side.
>
> When working on issues, please try to follow the workflow we have defined
> here: https://wiki.debian.org/LTS/Development
>
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org (via a
> debdiff, or with an URL pointing to the source package, or even with a
> pointer to your packaging repository), and the members of the LTS team
> will take care of the rest. However please make sure to submit a tested
> package.
>
> Thank you very much.
>
> Mike Gabriel,
> on behalf of the Debian LTS team.

Regards,
Lee
Jessie update of ansible (minor security issues)?
The Debian LTS team recently reviewed the security issue(s) affecting your
package in Jessie:
https://security-tracker.debian.org/tracker/source-package/ansible

We decided that a member of the LTS team should take a look at this
package, although the security impact of still open issues is low. When
resources are available on our side, one of the LTS team members will
start working on fixes for those minor security issues, as we think that
the jessie users would most certainly benefit from a fixed package.

If you'd rather want to work on such an update yourself, you're welcome
to do so. Please send us a short notification to the debian-lts mailing
list (debian-lts@lists.debian.org), expressing your intention to work on
issues yourself. Otherwise, no action is required from your side.

When working on issues, please try to follow the workflow we have defined
here: https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org (via a
debdiff, or with an URL pointing to the source package, or even with a
pointer to your packaging repository), and the members of the LTS team
will take care of the rest. However please make sure to submit a tested
package.

Thank you very much.

Mike Gabriel,
on behalf of the Debian LTS team.

--
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net