sysutils/ansible: Multiple Vulnerabilities fix

- Update ansible 2.8.7=>2.8.11 - Update ansible27 2.7.15=>2.7.17 - For ansible27 add fixes [1] - Rudimentary detection of the virtual platforms - playbook hangs without ASSUME_ALWAYS_YES for pkgng - Fix zpool snapshot cloning - Fix `doas` password authentication - Mark ansible26, ansible25, ansible24 and ansible23 DEPRECATED without EXPIRATION_DATE for MFH PR: 241734 233970 [1] Submitted by: timur [1] Reported by: ncrogers@gmail.com Approved by: portmgr (maintainer timeout, > 14 days) MFH: 2020Q2 (bugfix release) Security: CVE-2020-1737 Security: CVE-2020-1739 Security: CVE-2020-1740
svn path=/head/; revision=531978
2024-12-04 01:48:54 +00:00 · 2020-04-17 22:31:56 +00:00 · 2020-04-17 22:31:56 +00:00 · 66c197687d · 2021-03-31 03:12:20 +00:00
commit 66c197687d
parent 0ed4a68569
9 changed files with 102 additions and 9 deletions
--- a/sysutils/ansible/Makefile
+++ b/sysutils/ansible/Makefile
@ -1,7 +1,7 @@
 # $FreeBSD$

 PORTNAME=	ansible
-PORTVERSION?=	2.8.7
+PORTVERSION?=	2.8.11
 PORTREVISION?=	0
 CATEGORIES=	sysutils python
 MASTER_SITES=	http://releases.ansible.com/ansible/
--- a/sysutils/ansible/distinfo
+++ b/sysutils/ansible/distinfo
@ -1,3 +1,3 @@
-TIMESTAMP = 1577375349
-SHA256 (ansible-2.8.7.tar.gz) = 828239ca2b4d92865a00ab415caa932700f7c93f3e4838ddd55614ddf104c947
-SIZE (ansible-2.8.7.tar.gz) = 12697144
+TIMESTAMP = 1587131533
+SHA256 (ansible-2.8.11.tar.gz) = 156caa8b6c60b9f0d5c7d57ee0f4e46d8e226147b58546be6a8ac52925a9c191
+SIZE (ansible-2.8.11.tar.gz) = 12712657
--- a/sysutils/ansible/files/extra-patch-27
+++ b/sysutils/ansible/files/extra-patch-27
@ -0,0 +1,84 @@
+--- lib/ansible/module_utils/facts/virtual/freebsd.py.orig	2020-04-17 14:07:09 UTC
+++ lib/ansible/module_utils/facts/virtual/freebsd.py
+@@ -19,9 +19,11 @@ __metaclass__ = type
+ import os
+ 
+ from ansible.module_utils.facts.virtual.base import Virtual, VirtualCollector
+# Rudimentary detection of the virtual platforms, more through version is coming. Catches VMWare at minimum.
+from ansible.module_utils.facts.virtual.sysctl import VirtualSysctlDetectionMixin
+ 
+ 
+-class FreeBSDVirtual(Virtual):
+class FreeBSDVirtual(Virtual, VirtualSysctlDetectionMixin):
+     """
+     This is a FreeBSD-specific subclass of Virtual.  It defines
+     - virtualization_type
+@@ -34,6 +36,9 @@ class FreeBSDVirtual(Virtual):
+         # Set empty values as default
+         virtual_facts['virtualization_type'] = ''
+         virtual_facts['virtualization_role'] = ''
+
+        virtual_product_facts = self.detect_virt_product('hw.hv_vendor')
+        virtual_facts.update(virtual_product_facts)
+ 
+         if os.path.exists('/dev/xen/xenstore'):
+             virtual_facts['virtualization_type'] = 'xen'
+--- lib/ansible/modules/packaging/os/pkgng.py.orig	2020-04-17 14:07:10 UTC
+++ lib/ansible/modules/packaging/os/pkgng.py
+@@ -201,13 +201,17 @@ def install_packages(module, pkgng_path, packages, cac
+ 
+     # This environment variable skips mid-install prompts,
+     # setting them to their default values.
+-    batch_var = 'env BATCH=yes'
+    # There is at least one case, when upgrading from 11.1 to 11.2 when pkg asks extra 
+    # question about OS version mismatch in the repository. As this isn't handled, playbook
+    # hangs forever. Adding ASSUME_ALWAYS_YES to the environment addresses that, and
+    # possibly other potential issues.
+    batch_var = 'env BATCH=yes ASSUME_ALWAYS_YES=yes'
+ 
+     if not module.check_mode and not cached:
+         if old_pkgng:
+-            rc, out, err = module.run_command("%s %s update" % (pkgsite, pkgng_path))
+            rc, out, err = module.run_command("%s %s %s update" % (batch_var, pkgsite, pkgng_path))
+         else:
+-            rc, out, err = module.run_command("%s %s update" % (pkgng_path, dir_arg))
+            rc, out, err = module.run_command("%s %s %s update" % (batch_var, pkgng_path, dir_arg))
+         if rc != 0:
+             module.fail_json(msg="Could not update catalogue")
+ 
+--- lib/ansible/modules/storage/zfs/zfs.py.orig	2020-04-17 14:07:11 UTC
+++ lib/ansible/modules/storage/zfs/zfs.py
+@@ -102,7 +102,15 @@ class Zfs(object):
+         self.changed = False
+         self.zfs_cmd = module.get_bin_path('zfs', True)
+         self.zpool_cmd = module.get_bin_path('zpool', True)
+-        self.pool = name.split('/')[0]
+        # - name: Create a new file system by cloning a snapshot
+        # zfs:
+        #   name: rpool/cloned_fs
+        #   state: present
+        #   origin: rpool@mysnapshot
+        #
+        # doesn't work properly, as code assumes that there is at least one level of hierarchy
+        # in zpool. But that's not always the case - pool may be dataset as well and have a snapshot.
+        self.pool = name.split('@')[0].split('/')[0]
+         self.is_solaris = os.uname()[0] == 'SunOS'
+         self.is_openzfs = self.check_openzfs()
+         self.enhanced_sharing = self.check_enhanced_sharing()
+--- lib/ansible/playbook/play_context.py.orig	2020-04-17 14:07:10 UTC
+++ lib/ansible/playbook/play_context.py
+@@ -528,8 +528,13 @@ class PlayContext(Base):
+                 becomecmd = cmd
+ 
+             elif self.become_method == 'doas':
+                # `doas` support in ansible is broken ATM, doesn't handle password
+                # authentication properly, cause assumes only challenge-respond auth.
+                # This patch should handle both ways properly.
+                def detect_doas_prompt(b_data):
+                    return re.match(b"[Pp]assword:", b_data)
+ 
+-                prompt = 'doas (%s@' % self.remote_user
+                prompt = detect_doas_prompt
+                 exe = self.become_exe or 'doas'
+ 
+                 if not self.become_pass:
--- a/sysutils/ansible23/Makefile
+++ b/sysutils/ansible23/Makefile
@ -14,6 +14,8 @@ CONFLICTS=	ansible-* \
 MASTERDIR=	${.CURDIR}/../ansible
 DISTINFO_FILE=	${.CURDIR}/distinfo

+DEPRECATED=	Upstream support ended. Consider upgrading to sysutils/ansible
+
 RUN_DEPENDS=	${PYTHON_PKGNAMEPREFIX}Jinja2>0:devel/py-Jinja2@${PY_FLAVOR} \
 		${PYTHON_PKGNAMEPREFIX}jmespath>0:devel/py-jmespath@${PY_FLAVOR} \
 		${PYTHON_PKGNAMEPREFIX}netaddr>0:net/py-netaddr@${PY_FLAVOR} \
--- a/sysutils/ansible24/Makefile
+++ b/sysutils/ansible24/Makefile
@ -14,6 +14,8 @@ CONFLICTS=	ansible-* \
 MASTERDIR=	${.CURDIR}/../ansible
 DISTINFO_FILE=	${.CURDIR}/distinfo

+DEPRECATED=	Upstream support ended. Consider upgrading to sysutils/ansible
+
 EXTRA_PATCHES=

 .include "${MASTERDIR}/Makefile"
--- a/sysutils/ansible25/Makefile
+++ b/sysutils/ansible25/Makefile
@ -14,6 +14,8 @@ CONFLICTS=	ansible-* \
 MASTERDIR=	${.CURDIR}/../ansible
 DISTINFO_FILE=	${.CURDIR}/distinfo

+DEPRECATED=	Upstream support ended. Consider upgrading to sysutils/ansible
+
 EXTRA_PATCHES=

 .include "${MASTERDIR}/Makefile"
--- a/sysutils/ansible26/Makefile
+++ b/sysutils/ansible26/Makefile
@ -13,6 +13,8 @@ CONFLICTS=	ansible-* \
 MASTERDIR=	${.CURDIR}/../ansible
 DISTINFO_FILE=	${.CURDIR}/distinfo

+DEPRECATED=	Upstream support ended. Consider upgrading to sysutils/ansible
+
 EXTRA_PATCHES=	${FILESDIR}/extra-patch-sesu

 .include "${MASTERDIR}/Makefile"
--- a/sysutils/ansible27/Makefile
+++ b/sysutils/ansible27/Makefile
@ -1,6 +1,6 @@
 # $FreeBSD$

-PORTVERSION=	2.7.15
+PORTVERSION=	2.7.17
 PKGNAMESUFFIX=	27

 CONFLICTS=	ansible-* \
@ -13,6 +13,7 @@ CONFLICTS=	ansible-* \
 MASTERDIR=	${.CURDIR}/../ansible
 DISTINFO_FILE=	${.CURDIR}/distinfo

-EXTRA_PATCHES=	${FILESDIR}/extra-patch-sesu
+EXTRA_PATCHES=	${FILESDIR}/extra-patch-sesu \
+		${FILESDIR}/extra-patch-27

 .include "${MASTERDIR}/Makefile"
--- a/sysutils/ansible27/distinfo
+++ b/sysutils/ansible27/distinfo
@ -1,3 +1,3 @@
-TIMESTAMP = 1577375263
-SHA256 (ansible-2.7.15.tar.gz) = 99bf683d069b3f73704182ece95b6618ae2090594a66e146f4d286c0cac858ce
-SIZE (ansible-2.7.15.tar.gz) = 10205890
+TIMESTAMP = 1587128349
+SHA256 (ansible-2.7.17.tar.gz) = 9fdb79c43f7ad972dc7ccff8a4e9553d623e52dc80b802c619568d3c38f94ccc
+SIZE (ansible-2.7.17.tar.gz) = 10215119