From afbafe096cf53ee51f068843bffd0d9a5c73f0c1 Mon Sep 17 00:00:00 2001
From: Kunal Mehta
Date: Tue, 31 Oct 2023 12:42:49 -0400
Subject: [PATCH] Remove mitigation for CVE-2019-3462

apt in focal was never affected by CVE-2019-3462, so this mitigation isn't necessary. Per , the vulnerability was fixed in January 2019, while focal was released in April 2020.
---
 .../roles/prepare-servers/tasks/main.yml | 19 -------------------
 1 file changed, 19 deletions(-)

diff --git a/install_files/ansible-base/roles/prepare-servers/tasks/main.yml b/install_files/ansible-base/roles/prepare-servers/tasks/main.yml
index 218c491635..6158f6ea61 100644
--- a/install_files/ansible-base/roles/prepare-servers/tasks/main.yml
+++ b/install_files/ansible-base/roles/prepare-servers/tasks/main.yml
@@ -1,25 +1,6 @@
 ---
 # Ensures that prerequisite packages for ansible and securedrop-admin install
 # are present
-#
-# Fix for CVE-2019-3462 (see https://justi.cz/security/2019/01/22/apt-rce.html)
-# If apt < 1.4.9, it is vulnerable to CVE-2019-3462 and we must ensure no
-# redirects are followed when updating apt via apt.
-- name: Ensure apt has been updated without following redirects
- raw: 'apt -o Acquire::http::AllowRedirect=false update &&
- apt -o Acquire::http::AllowRedirect=false --only-upgrade -y install apt'
- register: _apt_upgrade_command_output_results
- changed_when: "'0 upgraded, 0 newly installed, 0 to remove' not in _apt_upgrade_command_output_results.stdout"
-
-- name: Inform user that apt traffic is being redirected
- assert:
- that:
- - "'302 Found' not in _apt_upgrade_command_output_results.stdout"
- - "'302 Found' not in _apt_upgrade_command_output_results.stderr"
- fail_msg: >-
- It appears your apt traffic is being redirected.
- SecureDrop cannot be installed. For details, see
- https://github.com/freedomofpress/securedrop/issues/4058

 - name: Install python and packages required by installer
 raw: apt install -y python3 apt-transport-https dnsutils ubuntu-release-upgrader-core mokutil