Please backport ansible 1.4.3+dfsg-1 (universe) from trusty

Trusty has 1.4.0 now.

We should backport it al lthe way to precise as the current version in backports has some security issues, notably:

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4259
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4260
- https://access.redhat.com/security/cve/CVE-2013-2233

I build and tested 1.4.0 and it works fine for me. I will update the description of the bugreport to reflect this.

I can push 1.4 into saucy-backports (and eventually the other releases) but the security fix should really end up in saucy-security too.

http://blog.ansibleworks.com/2013/11/21/ansible-1-4-released/

@Felix: Thanks, it would be nice get 1.4 into backports.

As for the security issue, I opened a bug some days ago:
  https://bugs.launchpad.net/ubuntu/+source/ansible/+bug/1256068
once I find the diff I will work on a debdiff for this too.

We should also backport to the other ubuntu versions. I am happy to do the testing there too.

Hello - is there anything I can do to help this backport along?

It would be really great if a more recent version of ansible could be made available via backports.

Oops sorry, will look in a minute.

Yep, looks good - accepted. Thanks.

Iain, is there a service to check package version against upstream and request backport for minor versions from web interface?

On Tue, Jan 07, 2014 at 10:25:09AM -0000, anatoly techtonik wrote:
> Iain, is there a service to check package version against upstream and
> request backport for minor versions from web interface?

No. You can check package versions at

  http://launchpad.net/ubuntu/+source/<packagename>

And request backports using the `requestbackport' tool.

  https://wiki.ubuntu.com/UbuntuBackports#Requesting_a_Backport

--
Iain Lane [ <email address hidden> ]
Debian Developer [ <email address hidden> ]
Ubuntu Developer [ <email address hidden> ]

Thanks. Now I am sure that I've not missed anything.

I found the site I was thinking about - https://merges.ubuntu.com/ - thought that it also monitors upstream changes. I remember there was something like this somewhere..

I also tested the current trusty version against:

* raring:
[x] Package builds without modification
[x] ansible-node-fireball installs cleanly and runs
[x] ansible installs cleanly and runs
[x] ansible-fireball installs cleanly and runs
[x] ansible-doc installs cleanly and runs

* quantal:
[x] Package builds without modification
[x] ansible-node-fireball installs cleanly and runs
[x] ansible installs cleanly and runs
[x] ansible-fireball installs cleanly and runs
[x] ansible-doc installs cleanly and runs

* precise:
[x] Package builds without modification
[x] ansible-node-fireball installs cleanly and runs
[x] ansible installs cleanly and runs
[x] ansible-fireball installs cleanly and runs
[x] ansible-doc installs cleanly and runs

Would be great to get the backports here as well as 1.1 has two CVEs attached to it that are fixed in 1.2.3+
(and therefore in the 1.4.3 version that I would like to see backported :)

The diff between 1.4.3 and 1.4.4 looks fairly small. I guess we should just backport that instead?

@felix: yes indeed, that is preferable, the changes are very isolated to the "pip" extension module in ansible so super low risk if we pick 1.4.4 instead of 1.4.3.

@Felix: ... and thanks a lot of your review :) !

Great, I've pushed 1.4.4 to all 4 series.