[Ci-users] Ansible Update from 1.9.6 -> 2.X

Wed Feb 1 16:37:53 UTC 2017
Laurentiu Pancescu <lpancescu at gmail.com>

Never mind, I just found an up-to-date build in CBS, from Jan 18th, with 
all the security fixes.  So they are apparently being closely tracked by 
the PaaS SIG.


On 01/02/17 17:32, Laurentiu Pancescu wrote:
> From a quick look at the changelog, that particular CBS build is missing
> the security fixes from (CVE-2016-9587, CVE-2016-8647,
> CVE-2016-9587 and CVE-2016-8647).  I understand that we'd probably like
> to have full control over when a version upgrade takes place (not to
> break things), but we'd need to backport the security fixes.  Or isn't
> security an issue since cico is an isolated environment?
> The main reason behind my proposal to adopt whatever Fedora packages was
> to get security fixes from the security team that handles EPEL and
> Fedora.  For me, it's still unclear how fast are security fixes landing
> in SIG-provided packages.
> But that's certainly your decision to make, I'm fine with it either way. :)