Hi everyone,
In May I worked on ansible/buster, fixing the following CVEs:
- CVE-2020-1737
- CVE-2023-4237
- CVE-2023-5764
- CVE-2024-0690
- CVE-2024-8775
- CVE-2024-11079
The difficulty of backporting them was that ansible 2.7 still has to
maintain python2/3 compatibility, so all patches needed to be adopted.
The two templating bugs (CVE-2023-5764 and CVE-2024-11079) were especially
difficult to backport since the templating engine went through significant
changes between 2.7 and 2.14. I hit an unrelated templating bug in the tests
(range objects are lazily evaluated in 2.7 and cannot be iterated over), and also
a bug in bullseye's jinja2 that affected the integration tests (that I could
luckily work around). It helped that jochensp and I already backported the
latter CVE for bullseye.
CVE-2024-0690 is a small fix but basically had to be written from scratch
because the inheritance mechanism is different; reading up and understanding
the code took quite a while compared to the LoC change.
I also attended the LTS meeting.
Thanks to our sponsors for financing this work, and to Freexian for
coordinating!
Regards,
Lee Garrett,
Debian LTS Team