- Update to version 2.8.5:

Full changelog is packaged at /usr/share/doc/packages/ansible/changelogs/
  and also available online at
  https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst
- removed patches fixed upstream:
  + CVE-2019-10206-data-disclosure.patch
  + CVE-2019-10217-gcp-modules-sensitive-fields.patch

OBS-URL: https://build.opensuse.org/package/show/systemsmanagement/ansible?expand=0&rev=148

CVE-2019-10206-data-disclosure.patch

@@ -1,79 +0,0 @@
-From 7138a35c2da6394accc48ccdd642a8768866170d Mon Sep 17 00:00:00 2001
-From: Brian Coca <bcoca@users.noreply.github.com>
-Date: Wed, 24 Jul 2019 16:00:20 -0400
-Subject: [PATCH] prevent templating of passwords from prompt (#59246)
-
-* prevent templating of passwords from prompt
-
-  fixes CVE-2019-10206
-
-(cherry picked from commit e9a37f8e3171105941892a86a1587de18126ec5b)
----
- .../fragments/dont_template_passwords_from_prompt.yml |  2 ++
- lib/ansible/cli/__init__.py                           |  8 ++++++++
- lib/ansible/utils/unsafe_proxy.py                     | 11 +++++++----
- 3 files changed, 17 insertions(+), 4 deletions(-)
- create mode 100644 changelogs/fragments/dont_template_passwords_from_prompt.yml
-
---- /dev/null
-+++ b/changelogs/fragments/dont_template_passwords_from_prompt.yml
-@@ -0,0 +1,2 @@
-+bugfixes:
-+    - resolves CVE-2019-10206, by avoiding templating passwords from prompt as it is probable they have special characters.
---- a/lib/ansible/cli/__init__.py
-+++ b/lib/ansible/cli/__init__.py
-@@ -29,6 +29,7 @@ from ansible.release import __version__
- from ansible.utils.collection_loader import set_collection_playbook_paths
- from ansible.utils.display import Display
- from ansible.utils.path import unfrackpath
-+from ansible.utils.unsafe_proxy import AnsibleUnsafeBytes
- from ansible.vars.manager import VariableManager
- 
- 
-@@ -276,6 +277,13 @@ class CLI(with_metaclass(ABCMeta, object
-         except EOFError:
-             pass
- 
-+        # we 'wrap' the passwords to prevent templating as
-+        # they can contain special chars and trigger it incorrectly
-+        if sshpass:
-+            sshpass = AnsibleUnsafeBytes(sshpass)
-+        if becomepass:
-+            becomepass = AnsibleUnsafeBytes(becomepass)
-+
-         return (sshpass, becomepass)
- 
-     def validate_conflicts(self, op, vault_opts=False, runas_opts=False, fork_opts=False, vault_rekey_opts=False):
---- a/lib/ansible/utils/unsafe_proxy.py
-+++ b/lib/ansible/utils/unsafe_proxy.py
-@@ -53,7 +53,7 @@
- from __future__ import (absolute_import, division, print_function)
- __metaclass__ = type
- 
--from ansible.module_utils.six import string_types, text_type
-+from ansible.module_utils.six import string_types, text_type, binary_type
- from ansible.module_utils._text import to_text
- from ansible.module_utils.common._collections_compat import Mapping, MutableSequence, Set
- 
-@@ -69,15 +69,18 @@ class AnsibleUnsafeText(text_type, Ansib
-     pass
- 
- 
-+class AnsibleUnsafeBytes(binary_type, AnsibleUnsafe):
-+    pass
-+
-+
- class UnsafeProxy(object):
-     def __new__(cls, obj, *args, **kwargs):
-         # In our usage we should only receive unicode strings.
-         # This conditional and conversion exists to sanity check the values
-         # we're given but we may want to take it out for testing and sanitize
-         # our input instead.
--        if isinstance(obj, string_types):
--            obj = to_text(obj, errors='surrogate_or_strict')
--            return AnsibleUnsafeText(obj)
-+        if isinstance(obj, string_types) and not isinstance(obj, AnsibleUnsafeBytes):
-+            obj = AnsibleUnsafeText(to_text(obj, errors='surrogate_or_strict'))
-         return obj
- 
- 

CVE-2019-10217-gcp-modules-sensitive-fields.patch

@@ -1,39 +0,0 @@
-From 642a3b4d3133d0cff3ea5b8300757045b2bda09d Mon Sep 17 00:00:00 2001
-From: Abhijeet Kasurde <akasurde@redhat.com>
-Date: Tue, 23 Jul 2019 14:14:13 +0530
-Subject: [PATCH] gcp_utils: Handle JSON decode exception
-
-Handle json.loads exception rather than providing stacktrace
-
-Fixes: #56269
-
-Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
----
- lib/ansible/module_utils/gcp_utils.py | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
---- a/lib/ansible/module_utils/gcp_utils.py
-+++ b/lib/ansible/module_utils/gcp_utils.py
-@@ -18,7 +18,7 @@ except ImportError:
- 
- from ansible.module_utils.basic import AnsibleModule, env_fallback
- from ansible.module_utils.six import string_types
--from ansible.module_utils._text import to_text
-+from ansible.module_utils._text import to_text, to_native
- import ast
- import os
- import json
-@@ -157,7 +157,12 @@ class GcpSession(object):
-             path = os.path.realpath(os.path.expanduser(self.module.params['service_account_file']))
-             return service_account.Credentials.from_service_account_file(path).with_scopes(self.module.params['scopes'])
-         elif cred_type == 'serviceaccount' and self.module.params.get('service_account_contents'):
--            cred = json.loads(self.module.params.get('service_account_contents'))
-+            try:
-+                cred = json.loads(self.module.params.get('service_account_contents'))
-+            except json.decoder.JSONDecodeError as e:
-+                self.module.fail_json(
-+                    msg="Unable to decode service_account_contents as JSON : %s" % to_native(e)
-+                )
-             return service_account.Credentials.from_service_account_info(cred).with_scopes(self.module.params['scopes'])
-         elif cred_type == 'machineaccount':
-             return google.auth.compute_engine.Credentials(

ansible-2.8.3.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:05f9ed3ca3e06dffaa87a73a8e6f7f322825bc3f609f8b71c4fe22dbbdf72abc
-size 14343746

ansible-2.8.5.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8e9403e755ce8ef27b6066cdd7a4c567aa80ebe2fd90d0ff8efa0a725d246986
+size 14352036

ansible-2.8.5.tar.gz.sha

@@ -0,0 +1 @@
+8e9403e755ce8ef27b6066cdd7a4c567aa80ebe2fd90d0ff8efa0a725d246986  ansible-2.8.5.tar.gz

ansible.changes

@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Fri Sep 13 09:02:36 UTC 2019 - Lars Vogdt <lars@linux-schulserver.de>
+
+- Update to version 2.8.5:
+  Full changelog is packaged at /usr/share/doc/packages/ansible/changelogs/
+  and also available online at
+  https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst
+- removed patches fixed upstream:
+  + CVE-2019-10206-data-disclosure.patch
+  + CVE-2019-10217-gcp-modules-sensitive-fields.patch
+
 -------------------------------------------------------------------
 Wed Aug  7 16:30:47 CEST 2019 - Matej Cepl <mcepl@suse.com>
 

ansible.spec

@@ -36,7 +36,7 @@
 BuildArch:      noarch
 %endif
 Name:           ansible
-Version:        2.8.3
+Version:        2.8.5
 Release:        0
 Summary:        Software automation engine
 License:        GPL-3.0-or-later
@@ -44,12 +44,6 @@ Group:          Development/Languages/Python
 Url:            https://ansible.com/
 Source:         https://releases.ansible.com/ansible/ansible-%{version}.tar.gz
 Source99:       ansible-rpmlintrc
-# PATCH-FIX-UPSTREAM CVE-2019-10206-data-disclosure.patch bsc#1142690 mcepl@suse.com
-# prevent templating of passwords from prompt gh#ansible/ansible#59552
-Patch0:         CVE-2019-10206-data-disclosure.patch
-# PATCH-FIX-UPSTREAM CVE-2019-10217-gcp-modules-sensitive-fields.patch bsc#1144453+ mcepl@suse.com
-# From gh#ansible/ansible#59427 gcp modules do not flag sensitive data fields properly
-Patch1:         CVE-2019-10217-gcp-modules-sensitive-fields.patch
 # SuSE/openSuSE
 %if 0%{?suse_version}
 %if %{with python3}
@@ -136,8 +130,6 @@ like zero downtime rolling updates with load balancers.
 
 %prep
 %setup -q -n ansible-%{version}
-%patch0 -p1
-%patch1 -p1
 
 find . -name .git_keep -delete
 find contrib/ -type f -exec chmod 644 {} +