Merge pull request #1147 from stackhpc/2023.1-cve-2024-6387

MoteHue · Alex-Welsh · commit 864b7aa8be8d · 2024-07-12T11:41:40.000+01:00
CVE-2024-6387 use custom apt repo
diff --git a/etc/kayobe/apt.yml b/etc/kayobe/apt.yml
@@ -56,8 +56,18 @@ stackhpc_apt_repositories:
     suites: "{{ ansible_facts.distribution_release }}-security"
     components: main restricted universe multiverse
     architecture: amd64
-  - url: "{{ stackhpc_repo_docker_ce_ubuntu_url }}"
-    suites: "{{ ansible_facts.distribution_release }}"
+  - url: "{{ stackhpc_repo_ubuntu_jammy_cve_2024_6387_url }}"
+    suites: "pulp"
+    components: upload
+    architecture: amd64
+    trusted: yes
+  - url: "{{ stackhpc_repo_docker_ce_ubuntu_focal_url }}"
+    suites: "focal"
+    components: stable
+    signed_by: docker.asc
+    architecture: amd64
+  - url: "{{ stackhpc_repo_docker_ce_ubuntu_jammy_url }}"
+    suites: "jammy"
     components: stable
     signed_by: docker.asc
     architecture: amd64
diff --git a/etc/kayobe/environments/ci-aio/stackhpc-ci.yml b/etc/kayobe/environments/ci-aio/stackhpc-ci.yml
@@ -50,7 +50,9 @@ stackhpc_repo_ubuntu_focal_version: "{{ stackhpc_pulp_repo_ubuntu_focal_version
 stackhpc_repo_ubuntu_focal_security_version: "{{ stackhpc_pulp_repo_ubuntu_focal_security_version }}"
 stackhpc_repo_ubuntu_jammy_version: "{{ stackhpc_pulp_repo_ubuntu_jammy_version }}"
 stackhpc_repo_ubuntu_jammy_security_version: "{{ stackhpc_pulp_repo_ubuntu_jammy_security_version }}"
-stackhpc_repo_docker_ce_ubuntu_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_version }}"
+stackhpc_repo_ubuntu_jammy_cve_2024_6387_version: ""
+stackhpc_repo_docker_ce_ubuntu_focal_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_focal_version }}"
+stackhpc_repo_docker_ce_ubuntu_jammy_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_jammy_version }}"
 stackhpc_repo_centos_stream_9_nfv_openvswitch_version: "{{ stackhpc_pulp_repo_centos_stream_9_nfv_openvswitch_version }}"
 stackhpc_repo_centos_stream_9_openstack_yoga_version: "{{ stackhpc_pulp_repo_centos_stream__openstack_yoga_version }}"
 stackhpc_repo_centos_stream_9_opstools_version: "{{ stackhpc_pulp_repo_centos_stream_9_opstools_version }}"
diff --git a/etc/kayobe/environments/ci-builder/stackhpc-ci.yml b/etc/kayobe/environments/ci-builder/stackhpc-ci.yml
@@ -73,7 +73,9 @@ stackhpc_repo_ubuntu_focal_version: "{{ stackhpc_pulp_repo_ubuntu_focal_version
 stackhpc_repo_ubuntu_focal_security_version: "{{ stackhpc_pulp_repo_ubuntu_focal_security_version }}"
 stackhpc_repo_ubuntu_jammy_version: "{{ stackhpc_pulp_repo_ubuntu_jammy_version }}"
 stackhpc_repo_ubuntu_jammy_security_version: "{{ stackhpc_pulp_repo_ubuntu_jammy_security_version }}"
-stackhpc_repo_docker_ce_ubuntu_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_version }}"
+stackhpc_repo_ubuntu_jammy_cve_2024_6387_version: ""
+stackhpc_repo_docker_ce_ubuntu_focal_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_focal_version }}"
+stackhpc_repo_docker_ce_ubuntu_jammy_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_jammy_version }}"
 stackhpc_repo_centos_stream_9_nfv_openvswitch_version: "{{ stackhpc_pulp_repo_centos_stream_9_nfv_openvswitch_version }}"
 stackhpc_repo_centos_stream_9_openstack_yoga_version: "{{ stackhpc_pulp_repo_centos_stream_9_openstack_yoga_version }}"
 stackhpc_repo_centos_stream_9_opstools_version: "{{ stackhpc_pulp_repo_centos_stream_9_opstools_version }}"
diff --git a/etc/kayobe/environments/ci-multinode/stackhpc-ci.yml b/etc/kayobe/environments/ci-multinode/stackhpc-ci.yml
@@ -47,7 +47,9 @@ stackhpc_repo_ubuntu_focal_version: "{{ stackhpc_pulp_repo_ubuntu_focal_version
 stackhpc_repo_ubuntu_focal_security_version: "{{ stackhpc_pulp_repo_ubuntu_focal_security_version }}"
 stackhpc_repo_ubuntu_jammy_version: "{{ stackhpc_pulp_repo_ubuntu_jammy_version }}"
 stackhpc_repo_ubuntu_jammy_security_version: "{{ stackhpc_pulp_repo_ubuntu_jammy_security_version }}"
-stackhpc_repo_docker_ce_ubuntu_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_version }}"
+stackhpc_repo_ubuntu_jammy_cve_2024_6387_version: ""
+stackhpc_repo_docker_ce_ubuntu_focal_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_focal_version }}"
+stackhpc_repo_docker_ce_ubuntu_jammy_version: "{{ stackhpc_pulp_repo_docker_ce_ubuntu_jammy_version }}"
 stackhpc_repo_centos_stream_9_nfv_openvswitch_version: "{{ stackhpc_pulp_repo_centos_stream_9_nfv_openvswitch_version }}"
 stackhpc_repo_centos_stream_9_openstack_yoga_version: "{{ stackhpc_pulp_repo_centos_stream_9_openstack_yoga_version }}"
 stackhpc_repo_centos_stream_9_opstools_version: "{{ stackhpc_pulp_repo_centos_stream_9_opstools_version }}"
diff --git a/etc/kayobe/pulp-repo-versions.yml b/etc/kayobe/pulp-repo-versions.yml
@@ -16,7 +16,8 @@ stackhpc_pulp_repo_centos_stream_9_nfv_openvswitch_version: 20230929T005202
 stackhpc_pulp_repo_centos_stream_9_openstack_yoga_version: 20231005T010906
 stackhpc_pulp_repo_centos_stream_9_opstools_version: 20230615T071742
 stackhpc_pulp_repo_centos_stream_9_storage_ceph_pacific_version: 20230709T010022
-stackhpc_pulp_repo_docker_ce_ubuntu_version: 20231020T014922
+stackhpc_pulp_repo_docker_ce_ubuntu_focal_version: 20231020T014922
+stackhpc_pulp_repo_docker_ce_ubuntu_jammy_version: 20231020T014922
 stackhpc_pulp_repo_docker_version: 20230919T015626
 stackhpc_pulp_repo_elasticsearch_logstash_kibana_7_x_version: 20231012T003815
 stackhpc_pulp_repo_elrepo_9_version: 20230907T075311
diff --git a/etc/kayobe/pulp.yml b/etc/kayobe/pulp.yml
@@ -123,14 +123,30 @@ stackhpc_pulp_deb_repos:
     distributions: "jammy-security"
     required: "{{ stackhpc_pulp_sync_ubuntu_jammy | bool }}"
 
+  - name: "Ubuntu jammy CVE-2024-6387"
+    url: "{{ stackhpc_release_pulp_content_url }}/ubuntu-jammy-cve-2024-6387/"
+    distribution_name: "ubuntu-jammy-cve-2024-6387-"
+    base_path: "ubuntu-jammy-cve-2024-6387/"
+    components: "upload"
+    distributions: "pulp"
+    required: "{{ stackhpc_pulp_sync_ubuntu_jammy | bool }}"
+
   # Third-party repositories
-  - name: "Docker CE for Ubuntu"
-    url: "{{ stackhpc_release_pulp_content_url }}/docker-ce/ubuntu/{{ stackhpc_pulp_repo_docker_ce_ubuntu_version }}"
-    distribution_name: "docker-ce-for-ubuntu-"
-    base_path: "docker-ce/ubuntu/"
-    distributions: "focal jammy"
+  - name: "Docker CE for Ubuntu Focal"
+    url: "{{ stackhpc_release_pulp_content_url }}/docker-ce/ubuntu-focal/{{ stackhpc_pulp_repo_docker_ce_ubuntu_focal_version }}"
+    distribution_name: "docker-ce-for-ubuntu-focal-"
+    base_path: "docker-ce/ubuntu-focal/"
+    distributions: "focal"
+    components: "stable"
+    required: "{{ stackhpc_pulp_sync_ubuntu_focal | bool }}"
+
+  - name: "Docker CE for Ubuntu Jammy"
+    url: "{{ stackhpc_release_pulp_content_url }}/docker-ce/ubuntu-jammy/{{ stackhpc_pulp_repo_docker_ce_ubuntu_jammy_version }}"
+    distribution_name: "docker-ce-for-ubuntu-jammy-"
+    base_path: "docker-ce/ubuntu-jammy/"
+    distributions: "jammy"
     components: "stable"
-    required: "{{ stackhpc_pulp_sync_ubuntu_focal or stackhpc_pulp_sync_ubuntu_jammy | bool }}"
+    required: "{{ stackhpc_pulp_sync_ubuntu_jammy | bool }}"
 
 # Publication format is a subset of distribution.
 stackhpc_pulp_publication_deb_development: "{{ stackhpc_pulp_distribution_deb_development }}"
diff --git a/etc/kayobe/stackhpc.yml b/etc/kayobe/stackhpc.yml
@@ -47,13 +47,21 @@ stackhpc_repo_ubuntu_jammy_version: "{{ stackhpc_repo_distribution }}"
 stackhpc_repo_ubuntu_jammy_security_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/ubuntu/jammy-security/{{ stackhpc_repo_ubuntu_jammy_security_version }}"
 stackhpc_repo_ubuntu_jammy_security_version: "{{ stackhpc_repo_distribution }}"
 
+# Ubuntu jammy CVE-3034-6287
+stackhpc_repo_ubuntu_jammy_cve_2024_6387_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/ubuntu-jammy-cve-2024-6387/{{ stackhpc_repo_ubuntu_jammy_cve_2024_6387_version }}"
+stackhpc_repo_ubuntu_jammy_cve_2024_6387_version: "{{ stackhpc_repo_distribution }}"
+
 # Ubuntu Cloud Archive
 stackhpc_repo_ubuntu_cloud_archive_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/ubuntu-cloud-archive/{{ stackhpc_repo_ubuntu_cloud_archive_version }}"
 stackhpc_repo_ubuntu_cloud_archive_version: "{{ stackhpc_repo_distribution }}"
 
-# Docker CE for Ubuntu
-stackhpc_repo_docker_ce_ubuntu_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/docker-ce/ubuntu/{{ stackhpc_repo_docker_ce_ubuntu_version }}"
-stackhpc_repo_docker_ce_ubuntu_version: "{{ stackhpc_repo_distribution }}"
+# Docker CE for Ubuntu Focal
+stackhpc_repo_docker_ce_ubuntu_focal_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/docker-ce/ubuntu-focal/{{ stackhpc_repo_docker_ce_ubuntu_focal_version }}"
+stackhpc_repo_docker_ce_ubuntu_focal_version: "{{ stackhpc_repo_distribution }}"
+
+# Docker CE for Ubuntu Jammy
+stackhpc_repo_docker_ce_ubuntu_jammy_url: "{{ stackhpc_repo_mirror_url }}/pulp/content/docker-ce/ubuntu-jammy/{{ stackhpc_repo_docker_ce_ubuntu_jammy_version }}"
+stackhpc_repo_docker_ce_ubuntu_jammy_version: "{{ stackhpc_repo_distribution }}"
 
 ###############################################################################
 # RPMs
diff --git a/releasenotes/notes/ubuntu-fix-cve-2024-6387-648efedaeb288023.yaml b/releasenotes/notes/ubuntu-fix-cve-2024-6387-648efedaeb288023.yaml
@@ -0,0 +1,5 @@
+---
+security:
+  - |
+    Adds a custom Apt repository to address `CVE-2024-6387
+    <https://ubuntu.com/security/CVE-2024-6387`__ in OpenSSH.
