CVE-2024-6387 use custom apt repo

MoteHue · MoteHue · commit 85ef912aa856 · 2024-07-12T09:35:04.000+01:00
diff --git a/etc/kayobe/apt.yml b/etc/kayobe/apt.yml
@@ -56,6 +56,11 @@ stackhpc_apt_repositories:
     suites: "{{ ansible_facts.distribution_release }}-security"
     components: main restricted universe multiverse
     architecture: amd64
+  - url: "{{ stackhpc_repo_ubuntu_jammy_cve_2024_6387_url }}"
+    suites: "pulp"
+    components: upload
+    architecture: amd64
+    trusted: yes
   - url: "{{ stackhpc_repo_docker_ce_ubuntu_url }}"
     suites: "{{ ansible_facts.distribution_release }}"
     components: stable
diff --git a/etc/kayobe/environments/ci-aio/stackhpc-ci.yml b/etc/kayobe/environments/ci-aio/stackhpc-ci.yml
@@ -50,6 +50,7 @@ stackhpc_repo_ubuntu_focal_version: "{{ stackhpc_pulp_repo_ubuntu_focal_version
 stackhpc_repo_ubuntu_focal_security_version: "{{ stackhpc_pulp_repo_ubuntu_focal_security_version }}"
 stackhpc_repo_ubuntu_jammy_version: "{{ stackhpc_pulp_repo_ubuntu_jammy_version }}"
 stackhpc_repo_ubuntu_jammy_security_version: "{{ stackhpc_pulp_repo_ubuntu_jammy_security_version }}"
+stackhpc_repo_ubuntu_jammy_cve_2024_6387_version: ""
 stackhpc_repo_docker_ce_ubuntu_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_version }}"
 stackhpc_repo_centos_stream_9_nfv_openvswitch_version: "{{ stackhpc_pulp_repo_centos_stream_9_nfv_openvswitch_version }}"
 stackhpc_repo_centos_stream_9_openstack_yoga_version: "{{ stackhpc_pulp_repo_centos_stream__openstack_yoga_version }}"
diff --git a/etc/kayobe/environments/ci-builder/stackhpc-ci.yml b/etc/kayobe/environments/ci-builder/stackhpc-ci.yml
@@ -73,6 +73,7 @@ stackhpc_repo_ubuntu_focal_version: "{{ stackhpc_pulp_repo_ubuntu_focal_version
 stackhpc_repo_ubuntu_focal_security_version: "{{ stackhpc_pulp_repo_ubuntu_focal_security_version }}"
 stackhpc_repo_ubuntu_jammy_version: "{{ stackhpc_pulp_repo_ubuntu_jammy_version }}"
 stackhpc_repo_ubuntu_jammy_security_version: "{{ stackhpc_pulp_repo_ubuntu_jammy_security_version }}"
+stackhpc_repo_ubuntu_jammy_cve_2024_6387_version: ""
 stackhpc_repo_docker_ce_ubuntu_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_version }}"
 stackhpc_repo_centos_stream_9_nfv_openvswitch_version: "{{ stackhpc_pulp_repo_centos_stream_9_nfv_openvswitch_version }}"
 stackhpc_repo_centos_stream_9_openstack_yoga_version: "{{ stackhpc_pulp_repo_centos_stream_9_openstack_yoga_version }}"
diff --git a/etc/kayobe/environments/ci-multinode/stackhpc-ci.yml b/etc/kayobe/environments/ci-multinode/stackhpc-ci.yml
@@ -47,6 +47,7 @@ stackhpc_repo_ubuntu_focal_version: "{{ stackhpc_pulp_repo_ubuntu_focal_version
 stackhpc_repo_ubuntu_focal_security_version: "{{ stackhpc_pulp_repo_ubuntu_focal_security_version }}"
 stackhpc_repo_ubuntu_jammy_version: "{{ stackhpc_pulp_repo_ubuntu_jammy_version }}"
 stackhpc_repo_ubuntu_jammy_security_version: "{{ stackhpc_pulp_repo_ubuntu_jammy_security_version }}"
+stackhpc_repo_ubuntu_jammy_cve_2024_6387_version: ""
 stackhpc_repo_docker_ce_ubuntu_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_version }}"
 stackhpc_repo_centos_stream_9_nfv_openvswitch_version: "{{ stackhpc_pulp_repo_centos_stream_9_nfv_openvswitch_version }}"
 stackhpc_repo_centos_stream_9_openstack_yoga_version: "{{ stackhpc_pulp_repo_centos_stream_9_openstack_yoga_version }}"
diff --git a/etc/kayobe/pulp.yml b/etc/kayobe/pulp.yml
@@ -123,6 +123,14 @@ stackhpc_pulp_deb_repos:
     distributions: "jammy-security"
     required: "{{ stackhpc_pulp_sync_ubuntu_jammy | bool }}"
 
+  - name: "Ubuntu jammy CVE-2024-6387"
+    url: "{{ stackhpc_release_pulp_content_url }}/ubuntu-jammy-cve-2024-6387/"
+    distribution_name: "ubuntu-jammy-cve-2024-6387-"
+    base_path: "ubuntu-jammy-cve-2024-6387/"
+    components: "upload"
+    distributions: "pulp"
+    required: "{{ stackhpc_pulp_sync_ubuntu_jammy | bool }}"
+
   # Third-party repositories
   - name: "Docker CE for Ubuntu"
     url: "{{ stackhpc_release_pulp_content_url }}/docker-ce/ubuntu/{{ stackhpc_pulp_repo_docker_ce_ubuntu_version }}"
diff --git a/etc/kayobe/stackhpc.yml b/etc/kayobe/stackhpc.yml
@@ -47,6 +47,10 @@ stackhpc_repo_ubuntu_jammy_version: "{{ stackhpc_repo_distribution }}"
 stackhpc_repo_ubuntu_jammy_security_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/ubuntu/jammy-security/{{ stackhpc_repo_ubuntu_jammy_security_version }}"
 stackhpc_repo_ubuntu_jammy_security_version: "{{ stackhpc_repo_distribution }}"
 
+# Ubuntu jammy CVE-3034-6287
+stackhpc_repo_ubuntu_jammy_cve_2024_6387_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/ubuntu-jammy-cve-2024-6387/{{ stackhpc_repo_ubuntu_jammy_cve_2024_6387_version }}"
+stackhpc_repo_ubuntu_jammy_cve_2024_6387_version: "{{ stackhpc_repo_distribution }}"
+
 # Ubuntu Cloud Archive
 stackhpc_repo_ubuntu_cloud_archive_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/ubuntu-cloud-archive/{{ stackhpc_repo_ubuntu_cloud_archive_version }}"
 stackhpc_repo_ubuntu_cloud_archive_version: "{{ stackhpc_repo_distribution }}"
diff --git a/releasenotes/notes/ubuntu-fix-cve-2024-6387-648efedaeb288023.yaml b/releasenotes/notes/ubuntu-fix-cve-2024-6387-648efedaeb288023.yaml
@@ -0,0 +1,5 @@
+---
+security:
+  - |
+    Adds a custom Apt repository to address `CVE-2024-6387
+    <https://ubuntu.com/security/CVE-2024-6387`__ in OpenSSH.
