Accepting request 809080 from home:mcepl:branches:systemsmanagement

- Add CVE-2020-1733_avoid_mkdir_p.patch to fix CVE-2020-1733 (bsc#1164140) - Add metadata information to this file to mark which SUSE bugzilla have been already fixed. - bsc#1164140 CVE-2020-1733 - insecure temporary directory when running become_user from become directive - bsc#1164139 CVE-2020-1734 shell enabled by default in a pipe lookup plugin subprocess - bsc#1164137 CVE-2020-1735 - path injection on dest parameter in fetch module - bsc#1164134 CVE-2020-1736 atomic_move primitive sets permissive permissions - bsc#1164138 CVE-2020-1737 - Extract-Zip function in win_unzip module does not check extracted path - bsc#1164136 CVE-2020-1738 module package can be selected by the ansible facts - bsc#1164133 CVE-2020-1739 - svn module leaks password when specified as a parameter - bsc#1164135 CVE-2020-1740 - secrets readable after ansible-vault edit - bsc#1165393 CVE-2020-1746 - information disclosure issue in ldap_attr and ldap_entry modules - bsc#1166389 CVE-2020-1753 - kubectl connection plugin leaks sensitive information - CVE-2020-10684 - code injection when using ansible_facts as a subkey - bsc#1167440 CVE-2020-10685 - modules which use files encrypted with vault are not properly cleaned up - CVE-2020-10691 - archive traversal vulnerability in ansible-galaxy collection install [2] - update to version 2.9.6 (maintenance release) including OBS-URL: https://build.opensuse.org/request/show/809080 OBS-URL: https://build.opensuse.org/package/show/systemsmanagement/ansible?expand=0&rev=183
2020-05-26 21:14:44 +00:00 · 2020-05-26 21:14:44 +00:00 · 256ccae9cf
commit 256ccae9cf
parent 591334f240
4 changed files with 231 additions and 152 deletions
--- a/CVE-2020-1733_avoid_mkdir_p.patch
+++ b/CVE-2020-1733_avoid_mkdir_p.patch
@ -0,0 +1,54 @@
 From 0a85e91329d4c048e7e4b2cd478f2c17a3dac988 Mon Sep 17 00:00:00 2001
 From: Brian Coca <bcoca@users.noreply.github.com>
 Date: Mon, 13 Apr 2020 17:16:29 -0400
 Subject: [PATCH 1/4] avoid mkdir -p (#68921)
 * also consolidated temp dir name generation, added pid for more 'uniqness'
 * generalize error message
 * added notes about remote expansion
 CVE-2020-1733
 fixes #67791
 (cherry picked from commit 8077d8e40148fe77e2393caa5f2b2ea855149d63)
 ---
 changelogs/fragments/remote_mkdir_fix.yml |  2 ++
 lib/ansible/plugins/action/__init__.py    | 11 ++++++++---
 lib/ansible/plugins/shell/__init__.py     | 14 ++++++++++----
 lib/ansible/plugins/shell/powershell.py   |  2 ++
 4 files changed, 22 insertions(+), 7 deletions(-)
 create mode 100644 changelogs/fragments/remote_mkdir_fix.yml
 --- /dev/null
 +++ b/changelogs/fragments/remote_mkdir_fix.yml
@@ -0,0 +1,2 @@
 +bugfixes:
 +    - Ensure we get an error when creating a remote tmp if it already exists. CVE-2020-1733
 --- a/lib/ansible/plugins/action/__init__.py
 +++ b/lib/ansible/plugins/action/__init__.py
@@ -340,7 +340,11 @@ class ActionBase(with_metaclass(ABCMeta,
         else:
             # NOTE: shell plugins should populate this setting anyways, but they dont do remote expansion, which
             # we need for 'non posix' systems like cloud-init and solaris
 -            tmpdir = self._remote_expand_user(self.get_shell_option('remote_tmp', default='~/.ansible/tmp'), sudoable=False)
 +            try:
 +                tmpdir = self._connection._shell.get_option('remote_tmp')
 +            except AnsibleError:
 +                tmpdir = '~/.ansible/tmp'
 +            tmpdir = self._remote_expand_user(tmpdir, sudoable=False)
         become_unprivileged = self._is_become_unprivileged()
         basefile = self._connection._shell._generate_temp_dir_name()
 --- a/lib/ansible/plugins/shell/__init__.py
 +++ b/lib/ansible/plugins/shell/__init__.py
@@ -79,6 +79,10 @@ class ShellBase(AnsiblePlugin):
     def _generate_temp_dir_name():
         return 'ansible-tmp-%s-%s-%s' % (time.time(), os.getpid(), random.randint(0, 2**48))
 +    @staticmethod
 +    def _generate_temp_dir_name():
 +        return 'ansible-tmp-%s-%s-%s' % (time.time(), os.getpid(), random.randint(0, 2**48))
 +
     def env_prefix(self, **kwargs):
         return ' '.join(['%s=%s' % (k, shlex_quote(text_type(v))) for k, v in kwargs.items()])
--- a/8
+++ b/8
@ -4,7 +4,7 @@ addFilter("non-executable-script.*/usr/lib/python.*/site-packages/ansible/module
 addFilter("non-executable-script.*/usr/lib/python.*/site-packages/ansible/(cli|galaxy|module_utils|plugins/action|runner|utils)/.*.py");
 # no really a lib - ignore rpmlint for this package explicitely
 addFilter("explicit-lib-dependency python3-passlib");
-# standard files, needed for python
+# # standard files, needed for python
-addFilter("files-duplicate /usr/lib/python.*/site-packages/ansible/.*");
+# addFilter("files-duplicate /usr/lib/python.*/site-packages/ansible/.*");
-# same for the ansible-test sub-package
+# # same for the ansible-test sub-package
-addFilter("files-duplicate /usr/lib/python.*/site-packages/ansible_test/.*");
+# addFilter("files-duplicate /usr/lib/python.*/site-packages/ansible_test/.*");
--- a/ansible.changes
+++ b/ansible.changes
@ -1,3 +1,11 @@
 -------------------------------------------------------------------
 Tue May 26 13:02:10 UTC 2020 - Matej Cepl <mcepl@suse.com>
 - Add CVE-2020-1733_avoid_mkdir_p.patch to fix CVE-2020-1733
  (bsc#1164140)
 - Add metadata information to this file to mark which SUSE
  bugzilla have been already fixed.
 -------------------------------------------------------------------
 Tue May 12 23:34:59 UTC 2020 - Michael Ströder <michael@stroeder.com>
@ -15,16 +23,30 @@ Fri Apr 17 06:49:56 UTC 2020 - Michael Ströder <michael@stroeder.com>
 - update to version 2.9.7 with many bug fixes,
  especially for these security issues:
-  * CVE-2020-1733  - insecure temporary directory when running become_user from become directive
+  - bsc#1164140 CVE-2020-1733 - insecure temporary directory when
-  * CVE-2020-1735  - path injection on dest parameter in fetch module
+    running become_user from become directive
-  * CVE-2020-1737  - Extract-Zip function in win_unzip module does not check extracted path
+  - bsc#1164139 CVE-2020-1734 shell enabled by default in a pipe
-  * CVE-2020-1739  - svn module leaks password when specified as a parameter
+    lookup plugin subprocess
-  * CVE-2020-1740  - secrets readable after ansible-vault edit
+  - bsc#1164137 CVE-2020-1735 - path injection on dest parameter
-  * CVE-2020-1746  - information disclosure issue in ldap_attr and ldap_entry modules
+    in fetch module
-  * CVE-2020-1753  - kubectl connection plugin leaks sensitive information [1]
+  - bsc#1164134 CVE-2020-1736 atomic_move primitive sets
-  * CVE-2020-10684 - code injection when using ansible_facts as a subkey
+    permissive permissions
-  * CVE-2020-10685 - modules which use files encrypted with vault are not properly cleaned up
+  - bsc#1164138 CVE-2020-1737 - Extract-Zip function in win_unzip
-  * CVE-2020-10691 - archive traversal vulnerability in ansible-galaxy collection install [2]
+    module does not check extracted path
  - bsc#1164136 CVE-2020-1738 module package can be selected by
    the ansible facts
  - bsc#1164133 CVE-2020-1739  - svn module leaks password when
    specified as a parameter
  - bsc#1164135 CVE-2020-1740 - secrets readable after
    ansible-vault edit
  - bsc#1165393 CVE-2020-1746 - information disclosure issue in
    ldap_attr and ldap_entry modules
  - bsc#1166389 CVE-2020-1753 - kubectl connection plugin leaks
    sensitive information
  - CVE-2020-10684 - code injection when using ansible_facts as a subkey
  - bsc#1167440 CVE-2020-10685 - modules which use files
    encrypted with vault are not properly cleaned up
  - CVE-2020-10691 - archive traversal vulnerability in ansible-galaxy collection install [2]
 -------------------------------------------------------------------
 Mon Apr  6 20:45:04 UTC 2020 - lars@linux-schulserver.de - 2.9.6
@ -36,7 +58,10 @@ Mon Apr  6 20:45:04 UTC 2020 - lars@linux-schulserver.de - 2.9.6
 -------------------------------------------------------------------
 Thu Mar  5 08:23:57 UTC 2020 - Michael Ströder <michael@stroeder.com>
- update to version 2.9.6 (maintenance release)
+- update to version 2.9.6 (maintenance release) including
  these security issues:
  - bsc#1171162 CVE-2020-10729 two random password lookups in
    same task return same value
 -------------------------------------------------------------------
 Thu Feb 13 21:38:06 UTC 2020 - Michael Ströder <michael@stroeder.com>
@ -47,7 +72,12 @@ Thu Feb 13 21:38:06 UTC 2020 - Michael Ströder <michael@stroeder.com>
 Tue Jan 28 12:38:16 UTC 2020 - Michael Ströder <michael@stroeder.com>
 - update to version 2.9.4 (maintenance release)
-  fix in yum module
+  - fix in yum module
  - security fixes:
    - bsc#1157968 CVE-2019-14904 vulnerability in solaris_zone
      module via crafted solaris zone
    - bsc#1157969 CVE-2019-14905 malicious code could craft
      filename in nxos_file_copy module
 -------------------------------------------------------------------
 Thu Jan 16 17:34:28 UTC 2020 - Michael Ströder <michael@stroeder.com>
@ -131,6 +161,8 @@ Fri Nov  1 21:11:03 UTC 2019 - Johannes Kastl <kastl@b1-systems.de>
  Full changelog is packaged at /usr/share/doc/packages/ansible/changelogs/
  and also available online at
  https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst
 - Fixed among other this security bug:
  - bsc#1112959 CVE-2018-16837 Information leak in "user" module patch added
 -------------------------------------------------------------------
 Sun Oct 27 14:15:53 UTC 2019 - lars@linux-schulserver.de
@ -169,6 +201,8 @@ Wed Aug  7 16:30:47 CEST 2019 - Matej Cepl <mcepl@suse.com>
 - Update to version 2.8.3:
  Full changelog is packaged, but also at
  https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst
  - (bsc#1137528) CVE-2019-10156: ansible: templating causing an
    unexpected key file to be set on remote node
 - (bsc#1142690) Adds CVE-2019-10206-data-disclosure.patch fixing
  CVE-2019-10206: ansible-playbook -k and ansible cli tools
  prompt passwords by expanding them from templates as they could
@ -607,6 +641,7 @@ Sun Dec 16 00:20:24 UTC 2018 - Matthias Eliasson <matthias.eliasson@gmail.com>
  * dnf module properly load and initialize dnf package manager plugins
  * docker_swarm_service: use docker defaults for the user parameter if it is set to null 
  Bugfixes:
  * bsc#1118896 CVE-2018-16876 Information disclosure in vvv+ mode with no_log on (https://github.com/ansible/ansible/pull/49569)
  * ACME modules: improve error messages in some cases (include error returned by server).
  * Added unit test for VMware module_utils.
  * Also check stdout for interpreter errors for more intelligent messages to user
--- a/ansible.spec
+++ b/ansible.spec
@ -1,9 +1,7 @@
 #
 # spec file for package ansible
 #
-# Copyright (c) 2019 SUSE LLC
+# Copyright (c) 2020 SUSE LLC
 # Copyright 2013 by Lars Vogdt
 # Copyright 2014 by Boris Manojlovic
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -17,8 +15,7 @@
 # Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
-# Disable shebang munging for specific paths. These files are data files.
+
 # ansible-test munges the shebangs itself.
 %global __brp_mangle_shebangs_exclude_from %{_prefix}/lib/python[0-9]+\.[0-9]+/site-packages/ansible_test/_data/.*
 %if 0%{?rhel} || 0%{?fedora}
 # RHEL and Fedora add -s to the shebang line.  We do *not* use -s -E -S or -I
@ -30,42 +27,18 @@
 %define py2_shbang_opts %{nil}
 %define py3_shbang_opts %{nil}
 %endif
 # While Windows Powershell meanwhile exists, it is not in Factory/Leap for now.
 # So let's exclude /usr/bin/pwsh from the dependencies
 %define __requires_exclude ^%{_bindir}/pwsh$
 # Python 2 or Python 3?
 %if 0%{?suse_version} >= 1315
 %bcond_without  python3
 %else
 %bcond_with     python3
 %endif
 %if %{with python3}
 %define __python python3
 %define python python3
 %else
 %define python python
 %endif
 # Disable/Enable tests only on newer distributions, which have the
 # needed dependencies.
 %define with_tests 0
 Name:           ansible
 Version:        2.9.9
 Release:        0
 Summary:        SSH-based configuration management, deployment, and task execution system
 License:        GPL-3.0-or-later
 Group:          Development/Languages/Python
 URL:            https://ansible.com/
 Source:         https://releases.ansible.com/ansible/ansible-%{version}.tar.gz
 Source1:        https://releases.ansible.com/ansible/ansible-%{version}.tar.gz.sha
 Source99:       ansible-rpmlintrc
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-buildroot
 BuildArch:      noarch
 #
 # Fedora
 #
@ -92,6 +65,74 @@ Provides:       bundled(python-selectors2) = 1.1.1
 Provides:       bundled(python-six) = 1.12.0
 %endif
 #
 # RHEL
 #
 %if 0%{?rhel}
 %if 0%{?rhel} >= 8
 %global         with_python2 0
 %global         with_python3 1
 BuildRequires:  %{py3_dist coverage}
 BuildRequires:  git-core
 BuildRequires:  python3-PyYAML
 BuildRequires:  python3-cryptography
 BuildRequires:  python3-devel
 BuildRequires:  python3-docutils
 BuildRequires:  python3-jinja2
 BuildRequires:  python3-mock
 BuildRequires:  python3-pytest
 BuildRequires:  python3-pytest-mock
 BuildRequires:  python3-pytest-xdist
 BuildRequires:  python3-requests
 BuildRequires:  python3-setuptools
 BuildRequires:  python3-six
 BuildRequires:  python3-systemd
 Requires:       python3-PyYAML
 Requires:       python3-cryptography
 Requires:       python3-jinja2
 Requires:       python3-six
 Requires:       sshpass
 %else
 %if 0%{?rhel} >= 7
 %global         with_python2 1
 %global         with_python3 0
 BuildRequires:  PyYAML
 BuildRequires:  git
 BuildRequires:  pytest
 BuildRequires:  python-boto3
 BuildRequires:  python-coverage
 BuildRequires:  python-jinja2
 BuildRequires:  python-jmespath
 BuildRequires:  python-mock
 BuildRequires:  python-paramiko
 BuildRequires:  python-passlib
 BuildRequires:  python-requests
 BuildRequires:  python-setuptools
 BuildRequires:  python-six
 BuildRequires:  python-sphinx
 BuildRequires:  python2-cryptography
 BuildRequires:  python2-devel
 Requires:       PyYAML
 Requires:       python-jinja2
 Requires:       python-paramiko
 Requires:       python-six
 Requires:       python2-cryptography
 Requires:       sshpass
 %endif  # Requires for RHEL 7
 %endif  # Requires for RHEL 8
 # Bundled provides
 Provides:       bundled(python-backports-ssl_match_hostname) = 3.7.0.1
 Provides:       bundled(python-distro) = 1.4.0
 Provides:       bundled(python-ipaddress) = 1.0.22
 Provides:       bundled(python-selectors2) = 1.1.1
 Provides:       bundled(python-six) = 1.12.0
 %endif
 %if %{with python3}
 %define __python python3
 %define python python3
 %else
 %define python python
 %endif
 #
 # SUSE/openSUSE
 #
 %if 0%{?suse_version}
@ -117,6 +158,35 @@ Provides:       bundled(python-six) = 1.12.0
 %define with_vmware 0
 %define with_tests  0
 %endif
 %if ! %{with python3}
 Requires:       %{python}-xml
 %endif
 %if 0%{?with_amazon}
 BuildRequires:  %{python}-boto3
 BuildRequires:  %{python}-botocore
 %endif
 %if 0%{?with_gitlab}
 BuildRequires:  %{python}-gitlab
 BuildRequires:  %{python}-httmock
 Recommends:     %{python}-gitlab
 Recommends:     %{python}-httmock
 %endif
 %if 0%{?with_tests}
 BuildRequires:  %{python}-pbkdf2
 BuildRequires:  %{python}-pytest
 BuildRequires:  %{python}-python-memcached
 BuildRequires:  %{python}-redis
 BuildRequires:  %{python}-requests
 %endif
 %if 0%{?with_vmware}
 BuildRequires:  %{python}-pyvmomi
 Recommends:     %{python}-pyvmomi
 %endif
 %if 0%{?with_winrm}
 BuildRequires:  %{python}-pexpect
 BuildRequires:  %{python}-pywinrm
 Recommends:     %{python}-pywinrm
 %endif
 BuildRequires:  %{python}-Jinja2
 BuildRequires:  %{python}-PyYAML
 BuildRequires:  %{python}-coverage
@ -135,112 +205,34 @@ Requires:       %{python}-paramiko
 Requires:       %{python}-passlib
 Requires:       %{python}-pycrypto >= 2.6
 Requires:       %{python}-setuptools > 0.6
 %if ! %{with python3}
 Requires:       %{python}-xml
 %endif
 Recommends:     %{python}-boto3
 Recommends:     %{python}-botocore
 Recommends:     %{python}-dnspython
 Recommends:     %{python}-dopy
 Recommends:     %{python}-httplib2
 Recommends:     %{python}-keyczar
 Recommends:     %{python}-python-memcached
 Recommends:     %{python}-pbkdf2
 Recommends:     %{python}-python-memcached
 Recommends:     %{python}-pywinrm
 Recommends:     %{python}-redis
 Recommends:     %{python}-requests
 Recommends:     %{python}-six
 Recommends:     sshpass
 %if 0%{?with_amazon}
 BuildRequires:  %{python}-boto3
 BuildRequires:  %{python}-botocore
 %endif
-%if 0%{?with_gitlab}
+Name:           ansible
-BuildRequires:  %{python}-gitlab
+Version:        2.9.9
-BuildRequires:  %{python}-httmock
+Release:        0
-Recommends:     %{python}-gitlab
+Summary:        SSH-based configuration management, deployment, and task execution system
-Recommends:     %{python}-httmock
+License:        GPL-3.0-or-later
-%endif
+Group:          Development/Languages/Python
-%if 0%{?with_tests}
+URL:            https://ansible.com/
-BuildRequires:  %{python}-python-memcached
+Source:         https://releases.ansible.com/ansible/ansible-%{version}.tar.gz
-BuildRequires:  %{python}-pbkdf2
+Source1:        https://releases.ansible.com/ansible/ansible-%{version}.tar.gz.sha
-BuildRequires:  %{python}-pytest
+Source99:       ansible-rpmlintrc
-BuildRequires:  %{python}-redis
+# PATCH-FIX-UPSTREAM CVE-2020-1733_avoid_mkdir_p.patch bsc#1171823 mcepl@suse.com
-BuildRequires:  %{python}-requests
+# gh#ansible/ansible#67791 avoid race condition and insecure directory creation
-%endif
+Patch0:         CVE-2020-1733_avoid_mkdir_p.patch
-%if 0%{?with_vmware}
+BuildArch:      noarch
 BuildRequires:  %{python}-pyvmomi
 Recommends:     %{python}-pyvmomi
 %endif
 %if 0%{?with_winrm}
 BuildRequires:  %{python}-pywinrm
 BuildRequires:  %{python}-pexpect
 Recommends:     %{python}-pywinrm
 %endif
 %endif
 #
 # RHEL
 #
 %if 0%{?rhel}
 # Bundled provides
 Provides:       bundled(python-backports-ssl_match_hostname) = 3.7.0.1
 Provides:       bundled(python-distro) = 1.4.0
 Provides:       bundled(python-ipaddress) = 1.0.22
 Provides:       bundled(python-selectors2) = 1.1.1
 Provides:       bundled(python-six) = 1.12.0
 %if 0%{?rhel} >= 8
 %global         with_python2 0
 %global         with_python3 1
 BuildRequires:  python3-devel
 BuildRequires:  python3-setuptools
 BuildRequires:  python3-docutils
 BuildRequires:  python3-jinja2
 BuildRequires:  python3-PyYAML
 BuildRequires:  python3-cryptography
 BuildRequires:  python3-six
 BuildRequires:  python3-pytest
 BuildRequires:  python3-pytest-xdist
 BuildRequires:  python3-pytest-mock
 BuildRequires:  python3-requests
 BUildRequires:  %{py3_dist coverage}
 BuildRequires:  python3-mock
 BuildRequires:  python3-systemd
 BuildRequires:  git-core
 Requires:       python3-jinja2
 Requires:       python3-PyYAML
 Requires:       python3-cryptography
 Requires:       python3-six
 Requires:       sshpass
 %else
 %if 0%{?rhel} >= 7
 %global         with_python2 1
 %global         with_python3 0
 BuildRequires:  python2-devel
 BuildRequires:  python-setuptools
 BuildRequires:  python-sphinx
 BuildRequires:  python-jinja2
 BuildRequires:  PyYAML
 BuildRequires:  python2-cryptography
 BuildRequires:  python-six
 BuildRequires:  pytest
 BuildRequires:  python-requests
 BuildRequires:  python-coverage
 BuildRequires:  python-mock
 BuildRequires:  python-boto3
 BuildRequires:  git
 BuildRequires:  python-paramiko
 BuildRequires:  python-jmespath
 BuildRequires:  python-passlib
 Requires:       python-jinja2
 Requires:       PyYAML
 Requires:       python2-cryptography
 Requires:       python-six
 Requires:       sshpass
 Requires:       python-paramiko
 %endif  # Requires for RHEL 7
 %endif  # Requires for RHEL 8
 %endif
 # extented documentation
 %if 0%{?with_docs}
 BuildRequires:  asciidoc
@ -256,7 +248,6 @@ not require any software or daemons to be installed on remote nodes. Extension
 modules can be written in any language and are transferred to managed machines
 automatically.
 %package doc
 Summary:        Documentation for Ansible
 Recommends:     %{name} = %{version}
@ -270,7 +261,6 @@ not require any software or daemons to be installed on remote nodes. Extension
 modules can be written in any language and are transferred to managed machines
 automatically.
 %package test
 Summary:        Tool for testing ansible plugin and module code
 Requires:       %{name} = %{version}
@ -278,18 +268,17 @@ Requires:       %{name} = %{version}
 # RHEL
 #
 %if 0%{?rhel} >= 7
 Requires:       python-virtualenv
 BuildRequires:  python-virtualenv
 Requires:       python-virtualenv
 %endif
 #
 # SUSE/openSUSE
 #
 %if 0%{?suse_version} >= 1500
 Requires:       %{python}-virtualenv
 BuildRequires:  %{python}-virtualenv
 Requires:       %{python}-virtualenv
 %endif
 %description test
 This package installs the ansible-test command for testing modules and plugins
 developed for ansible.
@ -300,9 +289,10 @@ not require any software or daemons to be installed on remote nodes. Extension
 modules can be written in any language and are transferred to managed machines
 automatically.
 %prep
 %setup -q -n ansible-%{version}
 %autopatch -p1
 for file in .git_keep .travis.yml ; do
  find . -name "$file" -delete
 done
@ -314,15 +304,15 @@ find ./ -type f -exec \
 %build
-%{__python} setup.py build
+%{python} setup.py build
 %if 0%{?with_docs}
-  make %{?_smp_mflags} PYTHON=%{_bindir}/%{python} SPHINXBUILD=sphinx-build webdocs
+  %make_build PYTHON=%{_bindir}/%{python} SPHINXBUILD=sphinx-build webdocs
 %else
-  make %{?_smp_mflags} PYTHON=%{_bindir}/%{python} -Cdocs/docsite config cli keywords modules plugins testing
+  %make_build PYTHON=%{_bindir}/%{python} -Cdocs/docsite config cli keywords modules plugins testing
 %endif
 %install
-%{__python} setup.py install --prefix=%{_prefix} --root=%{buildroot}
+%{python} setup.py install --prefix=%{_prefix} --root=%{buildroot}
 mkdir -p %{buildroot}%{_sysconfdir}/ansible/
 cp examples/hosts %{buildroot}%{_sysconfdir}/ansible/
@ -386,7 +376,7 @@ cp -pr docs/docsite/rst .
 %if 0%{?with_tests} &&  0%{with python3}
 %check
-%{__python3} bin/ansible-test units -v --python %{python3_version}
+python3 bin/ansible-test units -v --python %{python3_version}
 %endif