Hi everyone,

In May I worked on ansible/buster, fixing the following CVEs:
- CVE-2020-1737
- CVE-2023-4237
- CVE-2023-5764
- CVE-2024-0690
- CVE-2024-8775
- CVE-2024-11079

The difficulty of backporting them was that ansible 2.7 still has to
maintain python2/3 compatibility, so all patches needed to be adapted.

The two templating bugs (CVE-2023-5764 and CVE-2024-11079) were especially difficult to backport since the templating engine went through significant changes between 2.7 and 2.14. I hit an unrelated templating bug in the tests (range objects are lazily evaluated in 2.7 and cannot be iterated over), and also a bug in bullseye's jinja2 that affected the integration tests (which I could luckily work around). It helped that jochensp and I had already backported the latter CVE for bullseye.

CVE-2024-0690 is a small fix but basically had to be written from scratch
because the inheritance mechanism is different; reading up and understanding
the code took quite a while compared to the LoC change.

I also attended the LTS meeting.

Thanks to our sponsors for financing this work, and to Freexian for 
coordinating!

Regards,
Lee Garrett,
Debian LTS Team
