diff --git a/.gitignore b/.gitignore
index ba7cd97..475df31 100644
--- a/.gitignore
+++ b/.gitignore
@@ -41,3 +41,5 @@
 /ansible-unittests-2.1.2.0.tar.xz
 /ansible-unittests-2.2.0.0.tar.xz
 /ansible-2.2.0.0.tar.gz
+/ansible-unittests-2.2.1.0.tar.xz
+/ansible-2.2.1.0.tar.gz
diff --git a/18296.patch b/18296.patch
deleted file mode 100644
index d32ca6e..0000000
--- a/18296.patch
+++ /dev/null
@@ -1,108 +0,0 @@ -From 96541c0e3f55b233ac9eaf8710235fa40057f977 Mon Sep 17 00:00:00 2001 -From: Patrick Uiterwijk -Date: Wed, 2 Nov 2016 01:59:25 +0000 -Subject: [PATCH] Fix adding the same trusted certificates multiple times - -If there is an intermittent network failure, we might be trying to reach -an URL multiple times. Without this patch, we would be re-adding the same -certificate to the OpenSSL default context multiple times. -Normally, this is no big issue, as OpenSSL will just silently ignore them, -after registering the error in its own error stack. -However, when python-cryptography initializes, it verifies that the current -error stack of the default OpenSSL context is empty, which it no longer is -due to us adding the certificates multiple times. -This results in cryptography throwing an Unknown OpenSSL Error with details: - -OpenSSLErrorWithText(code=185057381L, lib=11, func=124, reason=101, -reason_text='error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table'), - -Signed-off-by: Patrick Uiterwijk ---- - lib/ansible/module_utils/urls.py | 35 ++++++++++++++++++++++++++++------- - 1 file changed, 28 insertions(+), 7 deletions(-) - -diff --git a/lib/ansible/module_utils/urls.py b/lib/ansible/module_utils/urls.py -index bef950f..c4a13bf 100644 ---- a/lib/ansible/module_utils/urls.py -+++ b/lib/ansible/module_utils/urls.py -@@ -182,6 +182,8 @@ - del libssl - - -+LOADED_VERIFY_LOCATIONS = set() -+ - HAS_MATCH_HOSTNAME = True - try: - from ssl import match_hostname, CertificateError -@@ -590,6 +592,8 @@ def get_ca_certs(self): - paths_checked.append('/etc/ansible') - - tmp_fd, tmp_path = tempfile.mkstemp() -+ to_add_fd, to_add_path = tempfile.mkstemp() -+ to_add = False - - # Write the dummy ca cert if we are running on Mac OS X - if system == 'Darwin': -@@ -608,13 +612,21 @@ def get_ca_certs(self): - if os.path.isfile(full_path) and os.path.splitext(f)[1] in ('.crt','.pem'): - try: - cert_file = open(full_path, 'rb') -- 
os.write(tmp_fd, cert_file.read()) -- os.write(tmp_fd, b('\n')) -+ cert = cert_file.read() - cert_file.close() -+ os.write(tmp_fd, cert) -+ os.write(tmp_fd, b('\n')) -+ if full_path not in LOADED_VERIFY_LOCATIONS: -+ to_add = True -+ os.write(to_add_fd, cert) -+ os.write(to_add_fd, b('\n')) -+ LOADED_VERIFY_LOCATIONS.add(full_path) - except (OSError, IOError): - pass - -- return (tmp_path, paths_checked) -+ if not to_add: -+ to_add_path = None -+ return (tmp_path, to_add_path, paths_checked) - - def validate_proxy_response(self, response, valid_codes=[200]): - ''' -@@ -643,17 +655,18 @@ def detect_no_proxy(self, url): - return False - return True - -- def _make_context(self, tmp_ca_cert_path): -+ def _make_context(self, to_add_ca_cert_path): - context = create_default_context() -- context.load_verify_locations(tmp_ca_cert_path) -+ if to_add_ca_cert_path: -+ context.load_verify_locations(to_add_ca_cert_path) - return context - - def http_request(self, req): -- tmp_ca_cert_path, paths_checked = self.get_ca_certs() -+ tmp_ca_cert_path, to_add_ca_cert_path, paths_checked = self.get_ca_certs() - https_proxy = os.environ.get('https_proxy') - context = None - if HAS_SSLCONTEXT: -- context = self._make_context(tmp_ca_cert_path) -+ context = self._make_context(to_add_ca_cert_path) - - # Detect if 'no_proxy' environment variable is set and if our URL is included - use_proxy = self.detect_no_proxy(req.get_full_url()) -@@ -719,6 +732,14 @@ def http_request(self, req): - except: - pass - -+ try: -+ # cleanup the temp file created, don't worry -+ # if it fails for some reason -+ if to_add_ca_cert_path: -+ os.remove(to_add_ca_cert_path) -+ except: -+ pass -+ - return req - - https_request = http_request diff --git a/ansible-2.2.0-dnf-groups.patch b/ansible-2.2.0-dnf-groups.patch deleted file mode 100644 index 860c6b6..0000000 --- a/ansible-2.2.0-dnf-groups.patch +++ /dev/null 
@@ -1,158 +0,0 @@ -diff -uNr vanilla/lib/ansible/modules/extras/packaging/os/dnf.py ansible-2.2.0.0/lib/ansible/modules/extras/packaging/os/dnf.py ---- vanilla/lib/ansible/modules/extras/packaging/os/dnf.py 2016-10-31 20:43:38.000000000 -0700 -+++ ansible-2.2.0.0/lib/ansible/modules/extras/packaging/os/dnf.py 2016-11-04 10:27:21.501410357 -0700 -@@ -179,7 +179,7 @@ - base = dnf.Base() - _configure_base(module, base, conf_file, disable_gpg_check) - _specify_repositories(base, disablerepo, enablerepo) -- base.fill_sack() -+ base.fill_sack(load_system_repo='auto') - return base - - -@@ -256,6 +256,9 @@ - - - def ensure(module, base, state, names): -+ # Accumulate failures. Package management modules install what they can -+ # and fail with a message about what they can't. -+ failures = [] - allow_erasing = False - if names == ['*'] and state == 'latest': - base.upgrade_all() -@@ -264,34 +267,70 @@ - if group_specs: - base.read_comps() - -+ pkg_specs = [p.strip() for p in pkg_specs] -+ filenames = [f.strip() for f in filenames] - groups = [] -- for group_spec in group_specs: -+ environments = [] -+ for group_spec in (g.strip() for g in group_specs): - group = base.comps.group_by_pattern(group_spec) - if group: - groups.append(group) - else: -- module.fail_json( -- msg="No group {} available.".format(group_spec)) -+ environment = base.comps.environment_by_pattern(group_spec) -+ if environment: -+ environments.append(environment.id) -+ else: -+ module.fail_json( -+ msg="No group {} available.".format(group_spec)) - - if state in ['installed', 'present']: - # Install files. -- _install_remote_rpms(base, (f.strip() for f in filenames)) -+ _install_remote_rpms(base, filenames) -+ - # Install groups. 
-- for group in (g.strip() for g in groups): -- base.group_install(group, const.GROUP_PACKAGE_TYPES) -+ for group in groups: -+ try: -+ base.group_install(group, const.GROUP_PACKAGE_TYPES) -+ except exceptions.Error as e: -+ # In dnf 2.0 if all the mandatory packages in a group do -+ # not install, an error is raised. We want to capture -+ # this but still install as much as possible. -+ failures.append((group, e)) -+ -+ for environment in environments: -+ try: -+ base.environment_install(environment, const.GROUP_PACKAGE_TYPES) -+ except exceptions.Error as e: -+ failures.append((group, e)) -+ - # Install packages. -- for pkg_spec in (p.strip() for p in pkg_specs): -+ for pkg_spec in pkg_specs: - _mark_package_install(module, base, pkg_spec) - - elif state == 'latest': - # "latest" is same as "installed" for filenames. - _install_remote_rpms(base, filenames) -+ - for group in groups: - try: -- base.group_upgrade(group) -- except exceptions.CompsError: -- # If not already installed, try to install. -- base.group_install(group, const.GROUP_PACKAGE_TYPES) -+ try: -+ base.group_upgrade(group) -+ except exceptions.CompsError: -+ # If not already installed, try to install. -+ base.group_install(group, const.GROUP_PACKAGE_TYPES) -+ except exceptions.Error as e: -+ failures.append((group, e)) -+ -+ for environment in environments: -+ try: -+ try: -+ base.environment_upgrade(environment) -+ except exceptions.CompsError: -+ # If not already installed, try to install. 
-+ base.environment_install(group, const.GROUP_PACKAGE_TYPES) -+ except exceptions.Error as e: -+ failures.append((group, e)) -+ - for pkg_spec in pkg_specs: - # best effort causes to install the latest package - # even if not previously installed -@@ -304,22 +343,41 @@ - module.fail_json( - msg="Cannot remove paths -- please specify package name.") - -- installed = base.sack.query().installed() - for group in groups: -- if installed.filter(name=group.name): -+ try: - base.group_remove(group) -+ except dnf.exceptions.CompsError: -+ # Group is already uninstalled. -+ pass -+ -+ for envioronment in environments: -+ try: -+ base.environment_remove(environment) -+ except dnf.exceptions.CompsError: -+ # Environment is already uninstalled. -+ pass -+ -+ installed = base.sack.query().installed() - for pkg_spec in pkg_specs: - if installed.filter(name=pkg_spec): - base.remove(pkg_spec) -+ - # Like the dnf CLI we want to allow recursive removal of dependent - # packages - allow_erasing = True - - if not base.resolve(allow_erasing=allow_erasing): -+ if failures: -+ module.fail_json(msg='Failed to install some of the specified packages', -+ failures=failures) - module.exit_json(msg="Nothing to do") - else: - if module.check_mode: -+ if failures: -+ module.fail_json(msg='Failed to install some of the specified packages', -+ failures=failures) - module.exit_json(changed=True) -+ - base.download_packages(base.transaction.install_set) - base.do_transaction() - response = {'changed': True, 'results': []} -@@ -328,6 +386,9 @@ - for package in base.transaction.remove_set: - response['results'].append("Removed: {0}".format(package)) - -+ if failures: -+ module.fail_json(msg='Failed to install some of the specified packages', -+ failures=failures) - module.exit_json(**response) - - diff --git a/ansible-2.2.0.0-avoid-docker-dep.patch b/ansible-2.2.0.0-avoid-docker-dep.patch deleted file mode 100644 index 320842f..0000000 --- a/ansible-2.2.0.0-avoid-docker-dep.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -commit b482cdcf036e372ecde744e7e4f06610344bdc55 -Author: Matt Clay -Date: Wed Nov 9 10:03:05 2016 -0800 - - Fix docker connection unit tests. - - - Use assertRaisesRegexp to make sure correct exceptions are raised. - - Set docker_command to avoid docker dependency (skips find_executable). - - Use a fake path for docker_command to make sure mock.patch is working. - - (cherry picked from commit 8552ad6bf19b7b04d57c8fa7770202cb151509af) - -diff --git a/test/units/plugins/connections/test_connection.py b/test/units/plugins/connections/test_connection.py -index c34fce1..88cda0e 100644 ---- a/test/units/plugins/connections/test_connection.py -+++ b/test/units/plugins/connections/test_connection.py -@@ -109,18 +109,21 @@ class TestConnectionBaseClass(unittest.TestCase): - @mock.patch('ansible.plugins.connection.docker.Connection._old_docker_version', return_value=('false', 'garbage', '', 1)) - @mock.patch('ansible.plugins.connection.docker.Connection._new_docker_version', return_value=('docker version', '1.2.3', '', 0)) - def test_docker_connection_module_too_old(self, mock_new_docker_verison, mock_old_docker_version): -- self.assertRaises(AnsibleError, DockerConnection, self.play_context, self.in_stream) -+ self.assertRaisesRegexp(AnsibleError, '^docker connection type requires docker 1.3 or higher$', -+ DockerConnection, self.play_context, self.in_stream, docker_command='/fake/docker') - - @mock.patch('ansible.plugins.connection.docker.Connection._old_docker_version', return_value=('false', 'garbage', '', 1)) - @mock.patch('ansible.plugins.connection.docker.Connection._new_docker_version', return_value=('docker version', '1.3.4', '', 0)) - def test_docker_connection_module(self, mock_new_docker_verison, mock_old_docker_version): -- self.assertIsInstance(DockerConnection(self.play_context, self.in_stream), DockerConnection) -+ self.assertIsInstance(DockerConnection(self.play_context, self.in_stream, docker_command='/fake/docker'), -+ DockerConnection) - 
- # old version and new version fail - @mock.patch('ansible.plugins.connection.docker.Connection._old_docker_version', return_value=('false', 'garbage', '', 1)) - @mock.patch('ansible.plugins.connection.docker.Connection._new_docker_version', return_value=('false', 'garbage', '', 1)) - def test_docker_connection_module_wrong_cmd(self, mock_new_docker_version, mock_old_docker_version): -- self.assertRaises(AnsibleError, DockerConnection, self.play_context, self.in_stream) -+ self.assertRaisesRegexp(AnsibleError, '^Docker version check (.*?) failed: ', -+ DockerConnection, self.play_context, self.in_stream, docker_command='/fake/docker') - - # def test_winrm_connection_module(self): - # self.assertIsInstance(WinRmConnection(), WinRmConnection) diff --git a/ansible.spec b/ansible.spec index 5b1e117..cc1334b 100644 --- a/ansible.spec +++ b/ansible.spec @@ -13,14 +13,14 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot Name: ansible Summary: SSH-based configuration management, deployment, and task execution system -Version: 2.2.0.0 -Release: 4%{?dist} +Version: 2.2.1.0 +Release: 1%{?dist} Group: Development/Libraries License: GPLv3+ Source0: http://releases.ansible.com/ansible/%{name}-%{version}.tar.gz # To retrieve the unittests, run: -# ./get-unittests.sh 2.1.2.0 v2.1.2.0-1 +# ./get-unittests.sh 2.2.1.0 v2.2.1.0-1 # Replace the first parameter with the version you want in the tarball name # Replace the second parameter with the git tag or hash that you want to sync with Source1: ansible-unittests-%{version}.tar.xz 
@@ -31,28 +31,6 @@ Source100: get-unittests.sh # Upstream issue: https://github.com/ansible/ansible/issues/11536 Patch0: ansible-2.1.0.0-control_path.patch -# -# fix issue with openssl and python-cryptography that breaks tests -# If python-cryptography is pulled in and openssl is 1.0.x one of the tests will -# leave things in an error state due to no network access in koji and cause a later -# test to completely fail due to this. -# -Patch1: https://patch-diff.githubusercontent.com/raw/ansible/ansible/pull/18296.patch - -# -# fix issue with dnf module and instaling groups -# https://github.com/ansible/ansible-modules-extras/issues/3358 -# These two upstream commits: -# 6eb59a4fa249ff41755d3f736734ef2752000136 -# 18bb736cc26fb6b40da25da4349ae900ed9b489b -Patch2: ansible-2.2.0-dnf-groups.patch - -# fix unit tests to skip tests for docker if docker is not available. -# Already upsreamed -# b482cdcf036e372ecde744e7e4f06610344bdc55 -# 8552ad6bf19b7b04d57c8fa7770202cb151509af -Patch3: ansible-2.2.0.0-avoid-docker-dep.patch - # Patch to utilize a newer jinja2 package on epel6 # Non-upstreamable as it creates a dependency on a specific version of jinja. # This is desirable for us as we have packages for that version but not for @@ -157,16 +135,12 @@ are transferred to managed machines automatically. %patch0 -p1 %endif -%patch1 -p1 -%patch2 -p1 - %if 0%{?rhel} == 6 %patch100 -p1 %endif # Unittests tar -xJvf %{SOURCE1} -%patch3 -p1 %build %{__python2} setup.py build @@ -200,6 +174,11 @@ rm -rf $RPM_BUILD_ROOT %doc %{_mandir}/man1/ansible* %changelog +* Mon Jan 16 2017 Kevin Fenzi - 2.2.1.0-1 +- Update to 2.2.1. +- Fixes: CVE-2016-9587 CVE-2016-8647 CVE-2016-9587 CVE-2016-8647 +- Fixes bug #1405110 + * Wed Nov 09 2016 Kevin Fenzi - 2.2.0.0-3 - Update unit tests that will skip docker related tests if docker isn't available. - Drop docker BuildRequires. Fixes bug #1392918 diff --git a/sources b/sources index d6fc8cf..ceb9825 100644 --- a/sources +++ b/sources 
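Review bot: In the ansible.spec %changelog hunk the new entry lists each CVE twice (`- Fixes: CVE-2016-9587 CVE-2016-8647 CVE-2016-9587 CVE-2016-8647`). Anyone reading the RPM changelog to confirm a security fix is better served by `- Fixes: CVE-2016-9587 CVE-2016-8647`, unless a different id was meant for one of the repeats. The entry also does not record that Patch1, Patch2 and Patch3 are dropped in this same commit. A line such as `- Drop patches 1-3 (confirm they are included in 2.2.1.0)` would keep the audit trail for the removed urls.py certificate-loading fix and the dnf group fix.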
@@ -1,2 +1,2 @@
-e096bcdbf1d7a424149ed6480033c7b7 ansible-unittests-2.2.0.0.tar.xz
-a19999efedc1b97b91250cda5df73f8a ansible-2.2.0.0.tar.gz
+SHA512 (ansible-unittests-2.2.1.0.tar.xz) = 8577c0b8b18345cf4c60000119fee1c8cd5a4209a17cc7a616df90cf2eb90f8b6efa70718aa39e87472a72337336471e8ebe1038b35121b3c77a944bc26f5a15
+SHA512 (ansible-2.2.1.0.tar.gz) = 10f90f4ac68215febd14e36fa9ea3b2156677f2b7a29a08633e0702bcbd8a7c3551980deeabcff756380b076ac7ba6a5e9eca07af66d908d8d6627390744bc00