Merge pull request #563 from sap-linuxlab/hotfix-cve-2023-5764

Hotfix CVE 2023 5764

Author: berndfinger

CHANGELOG.rst

@@ -5,33 +5,42 @@ community.sap_install Release Notes
 .. contents:: Topics
 
 
+v1.3.3
+======
+
+Release Summary
+---------------
+
+| Release Date: 2023-12-22
+| collection: Make the preconfigure and sap_hana_install roles compatible with CVE-2023-5764
+
 v1.3.2
 ======
 
 Release Summary
 ---------------
 
 | Release Date: 2023-09-29
-sap_general_preconfigure: Update to latest SAP documentation for RHEL 9 package libxcrypt-compat
-sap_general_preconfigure: Bug fix for directory creation and SELinux Labels
-sap_ha_pacemaker_cluster: Bug fix for AWS EC2 Virtual Servers
-sap_ha_pacemaker_cluster: Bug fix for Google Cloud Compute Engine VM netmask lock on Virtual IP
-sap_ha_pacemaker_cluster: Feature add for improved SAP NetWeaver HA compatibility
-sap_ha_pacemaker_cluster: Feature add for ENSA1 compatibility
-sap_ha_pacemaker_cluster: Feature add for SAP HA Interface Cluster Connector after cluster init
-sap_ha_pacemaker_cluster: Feature add for IBM PowerVM hypervisor
-sap_ha_pacemaker_cluster: Feature add for multiple network interfaces with Virtual IP
-sap_hana_install: Bug fix for SELinux disable when SLES4SAP
-sap_install_media_detect: Feature add for NFS compatibility
-sap_install_media_detect: Feature add for idempotency
-sap_install_media_detect: Feature add for new file detection after code restructure
-sap_install_media_detect: Bug fix for setting SAP Maintenance Planner Stack XML path
-sap_storage_setup: Feature add for Multipathing detection
-sap_storage_setup: Bug fix for NFS throttle from customer test on MS Azure
-sap_storage_setup: Bug fix for packages on SLES and Google Cloud
-sap_swpm: Bug fix for RDBMS var name
-sap_swpm: Bug fix for SAP HANA Client hdbuserstore connection
-sap_swpm: Bug fix for SAP Maintenance Planner Stack XML path
+| sap_general_preconfigure: Update to latest SAP documentation for RHEL 9 package libxcrypt-compat
+| sap_general_preconfigure: Bug fix for directory creation and SELinux Labels
+| sap_ha_pacemaker_cluster: Bug fix for AWS EC2 Virtual Servers
+| sap_ha_pacemaker_cluster: Bug fix for Google Cloud Compute Engine VM netmask lock on Virtual IP
+| sap_ha_pacemaker_cluster: Feature add for improved SAP NetWeaver HA compatibility
+| sap_ha_pacemaker_cluster: Feature add for ENSA1 compatibility
+| sap_ha_pacemaker_cluster: Feature add for SAP HA Interface Cluster Connector after cluster init
+| sap_ha_pacemaker_cluster: Feature add for IBM PowerVM hypervisor
+| sap_ha_pacemaker_cluster: Feature add for multiple network interfaces with Virtual IP
+| sap_hana_install: Bug fix for SELinux disable when SLES4SAP
+| sap_install_media_detect: Feature add for NFS compatibility
+| sap_install_media_detect: Feature add for idempotency
+| sap_install_media_detect: Feature add for new file detection after code restructure
+| sap_install_media_detect: Bug fix for setting SAP Maintenance Planner Stack XML path
+| sap_storage_setup: Feature add for Multipathing detection
+| sap_storage_setup: Bug fix for NFS throttle from customer test on MS Azure
+| sap_storage_setup: Bug fix for packages on SLES and Google Cloud
+| sap_swpm: Bug fix for RDBMS var name
+| sap_swpm: Bug fix for SAP HANA Client hdbuserstore connection
+| sap_swpm: Bug fix for SAP Maintenance Planner Stack XML path
 
 v1.3.1
 ======

README.md

@@ -30,6 +30,27 @@ This Ansible Collection executes various SAP Software installations for differen
   - Install Linux Pacemaker, configure Pacemaker Fencing Agents and Pacemaker Resource Agents
   - Set HA/DR with distributed SAP System installations (i.e. ERS)
 
+### Note
+
+Starting with `ansible-core` versions 2.16.1, 2.15.8, and 2.14.12, templating operations inside the `that` statement of `assert` tasks
+are no longer allowed.
+
+A typical error message is:
+```
+fatal: [host01]: FAILED! =>
+  msg: 'The conditional check ''13 <= 128'' failed. The error was: Conditional is marked as unsafe, and cannot be evaluated.'
+```
+
+This version of the collection ensures the compatibility with the above mentioned versions of `ansible-core` for the following roles:
+- sap_general_preconfigure
+- sap_netweaver_preconfigure
+- sap_hana_preconfigure
+- sap_hana_install
+
+When running the preconfigure roles with the above mentioned versions of `ansible-core` and with the parameters
+`sap_general_preconfigure_assert`, `sap_netweaver_preconfigure_assert`, or `sap_hana_preconfigure_assert`, the roles will abort
+in the first `assert` task which contains a templating operation.
+
 ## Contents
 
 An Ansible Playbook can call either an Ansible Role, or the individual Ansible Modules:

changelogs/changelog.yaml

@@ -17,4 +17,112 @@ releases:
         | Add SAP HANA Two-Node Scale-Up Cluster Installation
 
         '
-    release_date: '2022-07-06'
+    release_date: '2022-06-30'
+  1.2.0:
+    changes:
+      release_summary: '| Release Date: 2022-12-20
+
+        | Consolidate sap_ha_install_pacemaker, sap_ha_prepare_pacemaker, and sap_ha_set_hana into new sap_ha_pacemaker_cluster role
+        | Use the ha_cluster Linux System Role and its enhanced features in the new role sap_ha_pacemaker_cluster
+        | Improve SID and instance checking in role sap_hana_install
+        | Enable modifying SELinux file labels for SAP directories
+        | Upgrade SAP SWPM handling for compatibility with more scenarios when generating inifile.params
+        | Add Ansible Role for basic Oracle DB installations for SAP
+        | Various minor enhancements
+        | Various fixes
+
+        '
+    release_date: '2022-12-20'
+  1.2.1:
+    changes:
+      release_summary: '| Release Date: 2023-01-26
+
+        | A few minor fixes
+
+        '
+    release_date: '2023-01-26'
+  1.2.2:
+    changes:
+      release_summary: '| Release Date: 2023-02-01
+
+        | Fix for sap_hana_preconfigure on SLES when tuned is not installed
+
+        '
+    release_date: '2023-02-01'
+  1.2.3:
+    changes:
+      release_summary: '| Release Date: 2023-04-25
+
+        | sap_hana_preconfigure: Some modifications for HANA on RHEL 9
+        | sap_ha_pacemaker_cluster: Compatibility for custom stonith resource definitions containing more than one element
+        | sap_hana_preconfigure: Be more flexible with IBM service and productivity tools
+
+        '
+    release_date: '2023-04-25'
+  1.3.0:
+    changes:
+      release_summary: '| Release Date: 2023-07-21
+
+        | sap_general_preconfigure: Updates for new IBM Power packages with RHEL
+        | sap_hana_preconfigure: Updates for new IBM Power packages with RHEL
+        | sap_hana_install: Default Log Mode to normal and not Overwrite
+        | sap_ha_pacemaker_cluster: Detection of and compatibility for additional Infrastructure Platforms
+        | sap_ha_pacemaker_cluster: SAP NetWeaver compatibility added
+        | sap_install_media_detect: Restructure and add execution controls
+        | sap_storage_setup: Overhaul/Rewrite with breaking changes
+        | sap_storage_setup: SAP NetWeaver and NFS compatibility added
+        | sap_swpm: Minor alterations from High Availability test scenarios
+        | collection: Sample Playbooks updated
+
+        '
+    release_date: '2023-07-21'
+  1.3.1:
+    changes:
+      release_summary: '| Release Date: 2023-08-14
+
+        | sap_ha_pacemaker_cluster: Improved AWS constructs based on feedback
+        | sap_ha_pacemaker_cluster: Improved no STONITH resource definition handling
+        | sap_hana_install: Bug fix for arg spec on deprecated vars
+        | sap_hostagent: Bug fix for media handling
+        | sap_install_media_detect: Improved handling based on feedback
+        | sap_storage_setup: Bug fix for existing storage devices
+        | sap_swpm: Make full log output optional and replace with sapcontrol log final status
+        | collection: Bug fix for sample Ansible Playbooks
+
+        '
+    release_date: '2023-08-14'
+  1.3.2:
+    changes:
+      release_summary: '| Release Date: 2023-09-29
+
+        | sap_general_preconfigure: Update to latest SAP documentation for RHEL 9 package libxcrypt-compat
+        | sap_general_preconfigure: Bug fix for directory creation and SELinux Labels
+        | sap_ha_pacemaker_cluster: Bug fix for AWS EC2 Virtual Servers
+        | sap_ha_pacemaker_cluster: Bug fix for Google Cloud Compute Engine VM netmask lock on Virtual IP
+        | sap_ha_pacemaker_cluster: Feature add for improved SAP NetWeaver HA compatibility
+        | sap_ha_pacemaker_cluster: Feature add for ENSA1 compatibility
+        | sap_ha_pacemaker_cluster: Feature add for SAP HA Interface Cluster Connector after cluster init
+        | sap_ha_pacemaker_cluster: Feature add for IBM PowerVM hypervisor
+        | sap_ha_pacemaker_cluster: Feature add for multiple network interfaces with Virtual IP
+        | sap_hana_install: Bug fix for SELinux disable when SLES4SAP
+        | sap_install_media_detect: Feature add for NFS compatibility
+        | sap_install_media_detect: Feature add for idempotency
+        | sap_install_media_detect: Feature add for new file detection after code restructure
+        | sap_install_media_detect: Bug fix for setting SAP Maintenance Planner Stack XML path
+        | sap_storage_setup: Feature add for Multipathing detection
+        | sap_storage_setup: Bug fix for NFS throttle from customer test on MS Azure
+        | sap_storage_setup: Bug fix for packages on SLES and Google Cloud
+        | sap_swpm: Bug fix for RDBMS var name
+        | sap_swpm: Bug fix for SAP HANA Client hdbuserstore connection
+        | sap_swpm: Bug fix for SAP Maintenance Planner Stack XML path
+
+        '
+    release_date: '2023-09-29'
+  1.3.3:
+    changes:
+      release_summary: '| Release Date: 2023-12-22
+
+        | collection: Make the preconfigure and sap_hana_install roles compatible with CVE-2023-5764
+
+        '
+    release_date: '2023-12-22'

galaxy.yml

@@ -10,7 +10,7 @@ namespace: community
 name: sap_install
 
 # The version of the collection. Must be compatible with semantic versioning
-version: 1.3.2
+version: 1.3.3
 
 # The path to the Markdown (.md) readme file. This path is relative to the root of the collection
 readme: README.md

roles/sap_general_preconfigure/tasks/RedHat/generic/configure-hostname.yml

@@ -50,5 +50,5 @@
 
 - name: "Ensure that the length of the hostname is not longer than 'sap_general_preconfigure_max_hostname_length'"
   ansible.builtin.assert:
-    that: "{{ sap_hostname | length | int }} <= {{ sap_general_preconfigure_max_hostname_length | int }}"
+    that: (sap_hostname | length | int) <= (sap_general_preconfigure_max_hostname_length | int)
     msg: "The length of the hostname is {{ sap_hostname | length | int }} but must be less or equal to {{ sap_general_preconfigure_max_hostname_length }} (variable 'sap_general_preconfigure_max_hostname_length')!"

roles/sap_hana_install/tasks/hana_addhosts.yml

@@ -40,7 +40,7 @@
 
     - name: SAP HANA Add Hosts - Assert that the additional hosts are not shown in hdblcm --list_systems
       ansible.builtin.assert:
-        that: "'{{ line_item }}' not in __sap_hana_install_register_hdblcm_list_systems.stdout"
+        that: line_item not in __sap_hana_install_register_hdblcm_list_systems.stdout
         fail_msg:
           - "FAIL: Host '{{ line_item }}' is already part of system '{{ sap_hana_install_sid }}'"
           - "Because of this, the addhost operation will not be performed."

roles/sap_hana_install/tasks/hana_exists.yml

@@ -140,9 +140,14 @@
       changed_when: no
       failed_when: no
 
+    - name: SAP HANA Checks - Define new variable for the assertion
+      ansible.builtin.set_fact:
+        __sap_hana_install_existing_sapsys_gid: "{{ __sap_hana_install_register_getent_group_sapsys.stdout.split(':')[2] }}"
+      when: __sap_hana_install_register_getent_group_sapsys.rc == 0
+
     - name: SAP HANA Checks - In case there is a group 'sapsys', assert that its group ID is identical to 'sap_hana_install_groupid'
       ansible.builtin.assert:
-        that: "{{ __sap_hana_install_register_getent_group_sapsys.stdout.split(':')[2] }} == {{ sap_hana_install_groupid }}"
+        that: (__sap_hana_install_existing_sapsys_gid | int) == (sap_hana_install_groupid | int)
         success_msg: "PASS: The group ID of 'sapsys' is identical to the value of variable
                       sap_hana_install_groupid, which is '{{ sap_hana_install_groupid }}'"
         fail_msg: "FAIL: Group 'sapsys' exists but with a different group ID than '{{ sap_hana_install_groupid }}'

roles/sap_hana_preconfigure/tasks/RedHat/installation.yml

@@ -6,7 +6,7 @@
 
 - name: Ensure that the system is running a RHEL release which is supported for SAP HANA
   ansible.builtin.assert:
-    that: ansible_distribution_version in "{{ sap_hana_preconfigure_supported_rhel_minor_releases }}"
+    that: ansible_distribution_version in sap_hana_preconfigure_supported_rhel_minor_releases
     fail_msg: "The RHEL release {{ ansible_distribution_version }} is not supported for SAP HANA!"
     success_msg: "The RHEL release {{ ansible_distribution_version }} is supported for SAP HANA."
   ignore_errors: "{{ not sap_hana_preconfigure_min_rhel_release_check }}"