Change:
Extend the logic for custom error handling in the dnf module, so that on
newer DNF (such as DNF that ships with modern Fedora 31 container
images, and ships with RHEL 8.2) we report errors consistently with
older DNF.
Test Plan:
Ran dnf integration tests against an old Fedora 31 container image and a
brand new Fedora 32 container image; tess passed on both.
Signed-off-by: Rick Elrod <rick@elrod.me>
Change:
This corrects an incorrect CVE identifier in the changelog entry for
CVE-2020-1735.
Test Plan:
N/A
Tickets:
Refs #67793, #68720
Signed-off-by: Rick Elrod <rick@elrod.me>
* fixed fetch traversal from slurp
* ignore slurp result for dest
* fixed naming when source is relative
* added tests with fake slurp
* moved existing role tests into runme.sh
* normalized on action excepts
* moved dest transform down to when needed
* added is_subpath check
fixes#67793
CVE-2019-3828
(cherry picked from commit ba87c225cd)
* when possible, use filedescriptors from mkstemp to avoid race
* when using path strings, ensure we are always creating the file
CVE-2020-1740
Fixes#67798
Co-authored-by: samdoran
(cherry picked from commit 28f9fbdb5e)
* Remove the params module option from ldap_attr and ldap_entry
Module options that circumvent Ansible's option handling were disallowed
in:
https://meetbot.fedoraproject.org/ansible-meeting/2017-09-28/ansible_dev_meeting.2017-09-28-15.00.log.html
Additionally, this particular usage can be insecure if bind_pw is set
this way as the password could end up in a logfile or displayed on
stdout.
Fixes CVE-2020-1746
(cherry picked from commit 0ff609f1bc)
* Fix formatting for option names
Co-Authored-By: Felix Fontein <felix@fontein.de>
* Fix fail_json
* update sanity
* fix indentation error
Co-authored-by: Toshio Kuratomi <a.badger@gmail.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
* prevent ansible_facts injection (#68431)
- also only replace when needed
- switched from replace to index
- added test to verify bogus_facts are not accepted
CVE-2020-10684
(cherry picked from commit a9d2ceafe4)
* added to ignore
* fix vault tmpe file handling
* use local temp dir instead of system temp
* ensure each worker clears dataloader temp files
* added test for dangling temp files
* added notes to data loader
CVE-2020-10685
(cherry picked from commit 6452a82452)
* subversion module - provide password securely with svn command line option --password-from-stdin when possible, and provide a warning otherwise.
* Update lib/ansible/modules/source_control/subversion.py.
* Add a test.
Co-authored-by: Sam Doran <sdoran@redhat.com>
(cherry picked from commit d91658ec0c)
* acl: fix module failure if there're spaces in a path (#63280)
* Make acl module to work with whitespaces in path
* Added a changelog fragment
* Add quotes to changelog fragment
(cherry picked from commit 504d76e956)
* Fix tests
* Always set the discovered interpreter on the delegated host. Fixes#63180
* Make code a little more generic
* Move code into a function
* Implement some changes based on reviews
* Add changelog fragment
(cherry picked from commit 123c624)
Co-authored-by: Matt Martz <matt@sivel.net>
* avoid mkdir -p (#68921)
* also consolidated temp dir name generation, added pid for more 'uniqness'
* generalize error message
* added notes about remote expansion
CVE-2020-1733
fixes#67791
(cherry picked from commit 8077d8e401)
* C
* Actually inspect the paths and prevent escape
* Add integration tests
* Generate zip files for use in integration test
* Adjust error message
(cherry picked from commit d30c57ab22)
* Update tests to use RHEL 7.8.
Keeping support for RHEL 7.6 since collections are still using it.
* Fix tests for RHEL 7.7+ due to extras repo name change..
(cherry picked from commit 04edd77c42)
Co-authored-by: Matt Clay <mclay@redhat.com>
* add changelog fragment
Signed-off-by: Rick Elrod <rick@elrod.me>
* Update changelogs/fragments/ansible-test-opensuse-15.1.yml
Co-Authored-By: Matt Clay <matt@mystile.com>
* handle installing mysql on suse
Signed-off-by: Rick Elrod <rick@elrod.me>
* attempt to get tests passing again
Signed-off-by: Rick Elrod <rick@elrod.me>
* Update docker.txt to use the OpenSUSE 15.1 container image
Signed-off-by: Rick Elrod <rick@elrod.me>
Co-authored-by: Matt Clay <matt@mystile.com>
https://github.com/ansible/ansible/pull/67577/files broke OpenStack
modules in Ansible 2.8.9. The problem is that min_version should be a
string, since it is passed to StrictVersion(). However, after that
change min_version ends up as a StrictVersion. This causes a TypeError
when later used to instantiate another StrictVersion:
TypeError: expected string or buffer
This change fixes the issue by ensuring min_version is a string. This
change is not required on other branches since the relevant code was
applied only in the 2.8 backport.
Fixes: #68042
* openssl_* modules: prevent crash on fingerprint determination in FIPS mode.
* Add changelog.
(cherry picked from commit ca57871954)
Co-authored-by: Felix Fontein <felix@fontein.de>
To make use of the port_security_enabled [a] parameter, [b] needs
to be present in the openstacksdk or the os_network module will
return an error like:
TypeError: create_network() got an unexpected keyword argument 'port_security_enabled'
To handle this, we fail the module if one of the arguments are used
and the minimum openstacksdk version for that argument is not met.
[a] eaf238b033
[b] 8eb788af07
Backport-of: https://review.opendev.org/708119Fixes: #62062
Up until now, nios_txt_record assumed that the name and view
parameters uniquely described a TXT record. What this meant is that it
was impossible to have more than one TXT record with a certain name.
Changes in this commit expands the set of parameters that uniquely
identify the TXT record with a text field.
* [stable-2.8] Remove Tower module tests from CI. (#67368)
* Remove Tower module tests from CI.
The required AMIs are no longer available.
* Mark Tower tests as unsupported..
(cherry picked from commit b041d96762)
Co-authored-by: Matt Clay <mclay@redhat.com>
* Mark tower_common unsupported.
* ansible-test - add constraint for virtualenv
* Limit virtualenv only on macOS.
Co-authored-by: Matt Clay <matt@mystile.com>
(cherry picked from commit 8f296a6533)
Co-authored-by: Sam Doran <sdoran@redhat.com>
* Add constraint for Jinja2 on Python 2.6.
* Fix constraint in inventory_aws_conformance test.
* Add constrraints for template_jinja2_latest test.
(cherry picked from commit 965854fbd2)
Co-authored-by: Matt Clay <matt@mystile.com>
* Add test constraint for setuptools.
* Update pip test to work on centos6 container.
(cherry picked from commit 51e5b714e0)
Co-authored-by: Matt Clay <matt@mystile.com>
* yum - only instantiate YumBase once (#63713)
* yum - only instantiate YumBase once
Previously, this code was re-instantiating the `YumBase` object
many times which is unnecessary and slow. However, we must do it
twice in the `state: absent` case because the `yumSack` and
`rpmSack` data of the previously instantiated object becomes
invalid and is no longer useful post transaction when we verify
that the package removal did in fact take place. Also, this patch
removes the repetitive re-processing of enable/disable of repos in
various places.
Here's a display of the speed increase against a RHEL7 host:
```yaml
- hosts: rhel7
remote_user: root
tasks:
- name: Install generic packages
yum:
state: present
name:
- iptraf-ng
- screen
- erlang
- name: Remove generic packages
yum:
state: absent
name:
- iptraf-ng
- screen
- erlang
```
Before this patch:
```
real 0m52.728s
user 0m5.645s
sys 0m0.482s
```
After this patch:
```
real 0m17.139s
user 0m3.238s
sys 0m0.277s
```
Fixes#63588Fixes#63551
Signed-off-by: Adam Miller <admiller@redhat.com>
* add changelog
Signed-off-by: Adam Miller <admiller@redhat.com>
* YUM - handle enable of non-existent repo (#53286)
* Ensure `allow_duplicates: true` enables to run single role multiple times(#64902)
* Changed return value in `_load_roles` . Fixes#64902
* Add changelog fragment
* Add an integration test for the issue
* Fix changelog generation error and integration test.
* Fix yaml syntax error in changelog fragment
* Fix typo in a changelog fragment of #64902
(cherry picked from commit daecbb9bf0)
(cherry picked from commit 33094e6c8e)
* Fix multiple subnet (of same IP version) idempotence for docker_network.
* Add changelog.
* Unit tests no longer make sense, since the part of the code they test has been removed.
* Re-add CIDR validation. Move it to better position (module setup instead of idempotence check).
* Update changelog.
* Only run new tests on VM test images.
* Actually do what is documented. Especially since an empty object is a valid value for aux_addresses.
(cherry picked from commit 17ef253ad1)
* #65993 - update restart policy (restart policy & restart retries) without restarting the container
* - proper indentation on the continuation-line
- set restart_policy to the correct value independent from the api version
* - move restart_policy definitions into the if block
- add a new variable for the restart_policy configuration value
* add changelog fragment
* typo; minus -> underscore
* rename changelog fragment to contain the correct module name
* rename restart_policy_config_value to just restart_policy and refer to the correct dict values
(cherry picked from commit 02c126f5ee)
Rick Elrod