From 35cb82b094551d166ac905bd8c34305176218b78 Mon Sep 17 00:00:00 2001
From: Scott Fryer <60462088+steelhead31@users.noreply.github.com>
Date: Mon, 8 Jan 2024 13:40:38 +0000
Subject: [PATCH] UnixPB: Fix insecure downloads discovered from TrailOfBits Audit (#3329)

* Fix AIX Yum Secure Download
* Fix Insecure Download For epel-release
* Enable validate certs for centos
* Change http links to https for Debian
* Enable Cert Validation For SLES
* Fix broken JDK link for SLES
* Switch Zule repos to https
* Enable cert validation for openssl download
* Validate Certs On Solaris Freemarker DL.
* Correct Repo URL
* Standardise case
---
 .../roles/yum/tasks/main.yml | 2 +-
 .../roles/Common/tasks/CentOS.yml | 2 +-
 .../roles/Common/tasks/CentOS.yml | 4 ++--
 .../roles/Common/tasks/Debian.yml | 12 ++++++------
 .../roles/Common/tasks/SLES.yml | 6 +++---
 .../roles/Common/tasks/Ubuntu.yml | 2 +-
 .../roles/OpenSSL/tasks/main.yml | 2 +-
 .../roles/freemarker/tasks/main.yml | 2 +-
 8 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/ansible/playbooks/AdoptOpenJDK_AIX_Playbook/roles/yum/tasks/main.yml b/ansible/playbooks/AdoptOpenJDK_AIX_Playbook/roles/yum/tasks/main.yml
index 7d72806ffc..1c44f00a5b 100644
--- a/ansible/playbooks/AdoptOpenJDK_AIX_Playbook/roles/yum/tasks/main.yml
+++ b/ansible/playbooks/AdoptOpenJDK_AIX_Playbook/roles/yum/tasks/main.yml
@@ -50,7 +50,7 @@
 get_url:
 url: "{{ item }}"
 mode: 0644
- validate_certs: false
+ validate_certs: true
 dest: /tmp/yum
 with_items: "{{ yum_downloads }}"
diff --git a/ansible/playbooks/AdoptOpenJDK_ITW_Playbook/roles/Common/tasks/CentOS.yml b/ansible/playbooks/AdoptOpenJDK_ITW_Playbook/roles/Common/tasks/CentOS.yml
index e02c88a9c6..689215255d 100644
--- a/ansible/playbooks/AdoptOpenJDK_ITW_Playbook/roles/Common/tasks/CentOS.yml
+++ b/ansible/playbooks/AdoptOpenJDK_ITW_Playbook/roles/Common/tasks/CentOS.yml
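Review bot: Enabling `validate_certs` authenticates the server, but every artefact in `yum_downloads` is still accepted unverified because this `get_url` task carries no `checksum:`; the same gap remains in the SLES "Download IBM Java 8" hunk (`@@ -217`), the OpenSSL tarball hunk and the Solaris freemarker hunk of this patch, whereas the CentOS `@@ -199` and SLES `@@ -291` hunks already pin `checksum: sha256:...`. Certificate validation is also a no-op for any plain `http://` entry in `yum_downloads`, whose contents are defined outside this hunk. One option is to carry a digest with each item, e.g. iterating over constructed entries of the form `{ url: <URL>, sha256: <DIGEST> }` and setting `checksum: "sha256:{{ item.sha256 }}"`; if the list genuinely cannot be pinned, a comment on the task saying why would at least make the residual risk explicit. The enclosing task starts above the hunk (its `name:` line is not shown).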
@@ -11,7 +11,7 @@
 name: epel-release
 state: installed
 update_cache: yes
- validate_certs: no
+ validate_certs: yes
 tags: patch_update
 - name: YUM upgrade all packages
diff --git a/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Common/tasks/CentOS.yml b/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Common/tasks/CentOS.yml
index 748ce8eb1c..99907e2888 100644
--- a/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Common/tasks/CentOS.yml
+++ b/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Common/tasks/CentOS.yml
@@ -17,7 +17,7 @@
 name: epel-release
 state: installed
 update_cache: yes
- validate_certs: no
+ validate_certs: true
 when: ansible_distribution_major_version != "8"
 tags: patch_update
@@ -199,7 +199,7 @@
 dest: /tmp/
 mode: 0440
 timeout: 25
- validate_certs: no
+ validate_certs: true
 checksum: sha256:d9dc32efba7e74f788fcc4f212a43216fc37cf5f23f4c2339664d473353aedf6
 when:
 - ansible_architecture == "x86_64"
diff --git a/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Common/tasks/Debian.yml b/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Common/tasks/Debian.yml
index 1bf4447425..c1ca42f8ce 100644
--- a/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Common/tasks/Debian.yml
+++ b/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Common/tasks/Debian.yml
@@ -60,14 +60,14 @@
 - name: Add Azul Zulu GPG Package Signing Key for x86_64
 apt_key:
- url: http://repos.azulsystems.com/RPM-GPG-KEY-azulsystems
+ url: https://repos.azulsystems.com/RPM-GPG-KEY-azulsystems
 state: present
 when:
 - ansible_architecture == "x86_64"
 tags: [patch_update, azul-key]
 - name: Add Azul Zulu repository for x86_64
- apt_repository: repo='deb http://repos.azulsystems.com/ubuntu stable main'
+ apt_repository: repo='deb https://repos.azulsystems.com/ubuntu stable main'
 when:
 - ansible_architecture == "x86_64"
 tags: patch_update
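Review bot: `validate_certs: yes` in this epel-release task is inconsistent with the `validate_certs: true` written by the AIX, Unix CentOS and freemarker hunks of the same patch, even though the last bullet of the description says the case was standardised; the SLES `@@ -217` and `@@ -291` hunks and the OpenSSL hunk also use `yes`. Ansible accepts both spellings, but `yes` is a YAML 1.1 boolean that yamllint's `truthy` rule flags and that some loaders read as a string, so `validate_certs: true` is the safer form everywhere. For a package-manager task like this one the flag only protects the TLS connection to the repository; package integrity still rests on GPG checking of the repository metadata and packages, which is not visible in this hunk. The task's module line is above the hunk.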
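Review bot: The rewritten `apt_repository: repo='deb https://repos.azulsystems.com/ubuntu stable main'` in the `@@ -60` Debian hunk keeps the legacy key=value argument form, which ansible-lint flags and which leaves the implicit `state: present` unstated; the block form `apt_repository:` / `repo: 'deb https://repos.azulsystems.com/ubuntu stable main'` / `state: present` matches the `apt_key:` task directly above it. Fetching the signing key over TLS is the right fix, but the repository entry is still not bound to that key (no `signed-by=` option in the `deb` line), so any key in the global apt keyring can vouch for it; that is pre-existing and may be worth a follow-up rather than this patch. The same `apt_key` URL change is repeated in the Ubuntu `@@ -24` hunk.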
@@ -76,8 +76,8 @@
 - name: Add additional repositories for Raspbian Buster
 apt_repository: repo={{ item }}
 with_items:
- - deb-src http://raspbian.raspberrypi.org/raspbian/ buster main contrib non-free rpi
- - deb http://mirrordirector.raspbian.org/raspbian/ jessie main contrib non-free rpi
+ - deb-src https://raspbian.raspberrypi.org/raspbian/ buster main contrib non-free rpi
+ - deb https://mirrordirector.raspbian.org/raspbian/ jessie main contrib non-free rpi
 when:
 - (ansible_distribution_major_version == "10" and ansible_architecture == "armv7l")
 tags: patch_update
@@ -91,8 +91,8 @@
 - deb-src https://deb.debian.org/debian/ stable-updates main contrib non-free
 - deb https://deb.debian.org/debian-security stable/updates main
 - deb-src https://deb.debian.org/debian-security stable/updates main
- - deb http://ftp.debian.org/debian stretch-backports main
- - deb-src http://ftp.debian.org/debian stretch-backports main
+ - deb https://ftp.debian.org/debian stretch-backports main
+ - deb-src https://ftp.debian.org/debian stretch-backports main
 when:
 - (ansible_distribution_major_version == "9" and ansible_architecture == "armv7l")
 tags: patch_update
diff --git a/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Common/tasks/SLES.yml b/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Common/tasks/SLES.yml
index e0dec84031..39d02ac42b 100644
--- a/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Common/tasks/SLES.yml
+++ b/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Common/tasks/SLES.yml
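Review bot: The new `deb https://mirrordirector.raspbian.org/raspbian/ jessie ...` and `deb-src https://raspbian.raspberrypi.org/raspbian/ buster ...` lines should be confirmed to be served over TLS for these suites before merging, because apt fails hard on a mirror that redirects to plain http or presents a certificate for another name, and a mirror director that hands out third-party mirrors is exactly where that tends to happen; the `https://ftp.debian.org/debian stretch-backports` lines in the `@@ -91` hunk deserve the same check. If a host cannot serve https, apt's signed Release files, not the transport, are what authenticate the packages, so leaving that one entry on http with a comment is preferable to a repository that no longer updates. A task named for Raspbian Buster that adds a `jessie` line looks like a pre-existing oddity worth a comment but is not introduced here. Both tasks' `when:` guards are visible, so this only reaches the armv7l Debian 9/10 hosts.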
@@ -217,9 +217,9 @@
 - name: Download IBM Java 8
 get_url:
- url: https://public.dhe.ibm.com/ibmdl/export/pub/systems/cloud/runtimes/java/8.0.5.7/linux/x86_64/ibm-java-sdk-8.0-5.7-x86_64-archive.bin
+ url: https://public.dhe.ibm.com/ibmdl/export/pub/systems/cloud/runtimes/java/8.0.8.11/linux/x86_64/ibm-java-sdk-8.0-8.11-x86_64-archive.bin
 dest: /tmp/ibm-java.bin
- validate_certs: no
+ validate_certs: yes
 when:
 - ansible_distribution_major_version == "11"
 - not java8_installed.stat.exists
@@ -291,7 +291,7 @@
 dest: /tmp/
 mode: 0440
 timeout: 25
- validate_certs: no
+ validate_certs: yes
 checksum: sha256:d9dc32efba7e74f788fcc4f212a43216fc37cf5f23f4c2339664d473353aedf6
 when:
 - (ansible_distribution_major_version == "11") or (ansible_distribution_major_version == "12")
diff --git a/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Common/tasks/Ubuntu.yml b/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Common/tasks/Ubuntu.yml
index 0d3396d616..171cbc67d2 100644
--- a/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Common/tasks/Ubuntu.yml
+++ b/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Common/tasks/Ubuntu.yml
@@ -24,7 +24,7 @@
 - name: Add Azul Zulu GPG Package Signing Key for x86_64
 apt_key:
- url: http://repos.azulsystems.com/RPM-GPG-KEY-azulsystems
+ url: https://repos.azulsystems.com/RPM-GPG-KEY-azulsystems
 state: present
 when:
 - ansible_architecture == "x86_64"
diff --git a/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/OpenSSL/tasks/main.yml b/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/OpenSSL/tasks/main.yml
index d28e434713..c99957b1ac 100644
--- a/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/OpenSSL/tasks/main.yml
+++ b/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/OpenSSL/tasks/main.yml
@@ -59,7 +59,7 @@
 dest: /tmp/openssl-{{ openssl_latest }}.tar.gz
 force: no
 mode: 0755
- validate_certs: no
+ validate_certs: yes
 when:
 - (ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or ansible_distribution == "Ubuntu" or ansible_distribution == "SLES")
 - ansible_architecture == "x86_64"
diff --git a/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/freemarker/tasks/main.yml b/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/freemarker/tasks/main.yml
index e1a2eb968e..9e7e87bb57 100644
--- a/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/freemarker/tasks/main.yml
+++ b/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/freemarker/tasks/main.yml
@@ -30,7 +30,7 @@
 dest: /tmp/
 remote_src: yes
 mode: 0755
- validate_certs: False
+ validate_certs: true
 when: not freemarker.stat.exists and ansible_distribution == "Solaris"
 tags: [freemarker, adoptopenjdk]
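Review bot: Because `force: no` is kept next to the new `validate_certs: yes`, a tarball already present at `/tmp/openssl-{{ openssl_latest }}.tar.gz` from an earlier run made without certificate validation is reused as-is, so on hosts that have run this role before the new check never applies to the file that actually gets built. Pinning the archive with `checksum: sha256:<DIGEST-PLACEHOLDER>` closes that gap, since `get_url` compares an existing destination against the checksum and re-downloads on mismatch, and it also covers the stale-cache case without needing `force: yes`; if the version is templated from `openssl_latest`, the digest can be templated from the same source. The `url:` line of this task is above the hunk, so whether it is already `https://` is not visible here.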