UnixPB: Fix insecure downloads discovered from TrailOfBits Audit (#3329)

* Fix AIX Yum Secure Download * Fix Insecure Download For epel-release * Enable validate certs for centos * Change http links to https for Debian * Enable Cert Validation For SLES * Fix broken JDK link for SLES * Switch Zule repos to https * Enable cert validation for openssl download * Validate Certs On Solaris Freemarker DL. * Correct Repo URL * Standardise case
adoptium · Jan 8, 2024 · 35cb82b · 35cb82b
1 parent 0077e29
commit 35cb82b
Show file tree

Hide file tree

Showing 8 changed files with 16 additions and 16 deletions.
diff --git a/ansible/playbooks/AdoptOpenJDK_AIX_Playbook/roles/yum/tasks/main.yml b/ansible/playbooks/AdoptOpenJDK_AIX_Playbook/roles/yum/tasks/main.yml
@@ -50,7 +50,7 @@
       get_url:
         url: "{{ item }}"
         mode: 0644
-        validate_certs: false
+        validate_certs: true
         dest: /tmp/yum
       with_items:
         "{{ yum_downloads }}"

diff --git a/ansible/playbooks/AdoptOpenJDK_ITW_Playbook/roles/Common/tasks/CentOS.yml b/ansible/playbooks/AdoptOpenJDK_ITW_Playbook/roles/Common/tasks/CentOS.yml
@@ -11,7 +11,7 @@
     name: epel-release
     state: installed
     update_cache: yes
-    validate_certs: no
+    validate_certs: yes
   tags: patch_update
 
 - name: YUM upgrade all packages

diff --git a/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Common/tasks/CentOS.yml b/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Common/tasks/CentOS.yml
@@ -17,7 +17,7 @@
     name: epel-release
     state: installed
     update_cache: yes
-    validate_certs: no
+    validate_certs: true
   when: ansible_distribution_major_version != "8"
   tags: patch_update
 
@@ -199,7 +199,7 @@
     dest: /tmp/
     mode: 0440
     timeout: 25
-    validate_certs: no
+    validate_certs: true
     checksum: sha256:d9dc32efba7e74f788fcc4f212a43216fc37cf5f23f4c2339664d473353aedf6
   when:
     - ansible_architecture == "x86_64"

diff --git a/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Common/tasks/Debian.yml b/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Common/tasks/Debian.yml
@@ -60,14 +60,14 @@
 
 - name: Add Azul Zulu GPG Package Signing Key for x86_64
   apt_key:
-    url: http://repos.azulsystems.com/RPM-GPG-KEY-azulsystems
+    url: https://repos.azulsystems.com/RPM-GPG-KEY-azulsystems
     state: present
   when:
     - ansible_architecture == "x86_64"
   tags: [patch_update, azul-key]
 
 - name: Add Azul Zulu repository for x86_64
-  apt_repository: repo='deb http://repos.azulsystems.com/ubuntu stable main'
+  apt_repository: repo='deb https://repos.azulsystems.com/ubuntu stable main'
   when:
     - ansible_architecture == "x86_64"
   tags: patch_update
@@ -76,8 +76,8 @@
 - name: Add additional repositories for Raspbian Buster
   apt_repository: repo={{ item }}
   with_items:
-    - deb-src http://raspbian.raspberrypi.org/raspbian/ buster main contrib non-free rpi
-    - deb http://mirrordirector.raspbian.org/raspbian/ jessie main contrib non-free rpi
+    - deb-src https://raspbian.raspberrypi.org/raspbian/ buster main contrib non-free rpi
+    - deb https://mirrordirector.raspbian.org/raspbian/ jessie main contrib non-free rpi
   when:
     - (ansible_distribution_major_version == "10" and ansible_architecture == "armv7l")
   tags: patch_update
@@ -91,8 +91,8 @@
     - deb-src https://deb.debian.org/debian/ stable-updates main contrib non-free
     - deb https://deb.debian.org/debian-security stable/updates main
     - deb-src https://deb.debian.org/debian-security stable/updates main
-    - deb http://ftp.debian.org/debian stretch-backports main
-    - deb-src http://ftp.debian.org/debian stretch-backports main
+    - deb https://ftp.debian.org/debian stretch-backports main
+    - deb-src https://ftp.debian.org/debian stretch-backports main
   when:
     - (ansible_distribution_major_version == "9" and ansible_architecture == "armv7l")
   tags: patch_update

diff --git a/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Common/tasks/SLES.yml b/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Common/tasks/SLES.yml
@@ -217,9 +217,9 @@
 
 - name: Download IBM Java 8
   get_url:
-    url: https://public.dhe.ibm.com/ibmdl/export/pub/systems/cloud/runtimes/java/8.0.5.7/linux/x86_64/ibm-java-sdk-8.0-5.7-x86_64-archive.bin
+    url: https://public.dhe.ibm.com/ibmdl/export/pub/systems/cloud/runtimes/java/8.0.8.11/linux/x86_64/ibm-java-sdk-8.0-8.11-x86_64-archive.bin
     dest: /tmp/ibm-java.bin
-    validate_certs: no
+    validate_certs: yes
   when:
     - ansible_distribution_major_version == "11"
     - not java8_installed.stat.exists
@@ -291,7 +291,7 @@
     dest: /tmp/
     mode: 0440
     timeout: 25
-    validate_certs: no
+    validate_certs: yes
     checksum: sha256:d9dc32efba7e74f788fcc4f212a43216fc37cf5f23f4c2339664d473353aedf6
   when:
     - (ansible_distribution_major_version == "11") or (ansible_distribution_major_version == "12")

diff --git a/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Common/tasks/Ubuntu.yml b/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Common/tasks/Ubuntu.yml
@@ -24,7 +24,7 @@
 
 - name: Add Azul Zulu GPG Package Signing Key for x86_64
   apt_key:
-    url: http://repos.azulsystems.com/RPM-GPG-KEY-azulsystems
+    url: https://repos.azulsystems.com/RPM-GPG-KEY-azulsystems
     state: present
   when:
     - ansible_architecture == "x86_64"

diff --git a/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/OpenSSL/tasks/main.yml b/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/OpenSSL/tasks/main.yml
@@ -59,7 +59,7 @@
     dest: /tmp/openssl-{{ openssl_latest }}.tar.gz
     force: no
     mode: 0755
-    validate_certs: no
+    validate_certs: yes
   when:
     - (ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or ansible_distribution == "Ubuntu" or ansible_distribution == "SLES")
     - ansible_architecture == "x86_64"

diff --git a/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/freemarker/tasks/main.yml b/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/freemarker/tasks/main.yml
@@ -30,7 +30,7 @@
     dest: /tmp/
     remote_src: yes
     mode: 0755
-    validate_certs: False
+    validate_certs: true
   when: not freemarker.stat.exists and ansible_distribution == "Solaris"
   tags: [freemarker, adoptopenjdk]