[Ci-users] Ansible Update from 1.9.6 -> 2.X
lpancescu at gmail.com
Wed Feb 1 16:37:53 UTC 2017
Never mind, I just found an up-to-date build in CBS, from Jan 18th, with
all the security fixes. So they are apparently being closely tracked by
the PaaS SIG.

On 01/02/17 17:32, Laurentiu Pancescu wrote:
> From a quick look at the changelog, that particular CBS build is missing
> the security fixes from 220.127.116.11 (CVE-2016-9587, CVE-2016-8647,
> CVE-2016-9587 and CVE-2016-8647). I understand that we'd probably like
> to have full control over when a version upgrade takes place (not to
> break things), but we'd need to backport the security fixes. Or isn't
> security an issue since cico is an isolated environment?
> The main reason behind my proposal to adopt whatever Fedora packages was
> to get security fixes from the security team that handles EPEL and
> Fedora. For me, it's still unclear how fast security fixes are landing
> in SIG-provided packages.
> But that's certainly your decision to make, I'm fine with it either way. :)