PyPi: Debops

CVE-2019-11043

Safety vulnerability ID: 37733

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Oct 28, 2019 Updated at Dec 10, 2024

Advisory

Debops 1.2.0 includes a security patch for CVE-2019-11043: In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.

Affected package

debops

Latest version: 3.2.4

Your Debian-based data center in a box

Affected versions

Fixed versions

Vulnerability changelog


.. _debops v1.2.0: https://github.com/debops/debops/compare/v1.1.0...v1.2.0

Added
~~~~~

New DebOps roles
''''''''''''''''

- Add :ref:`debops.postldap` Ansible role to configure and enable
:ref:`debops.postfix` to host multiple (virtual) domains, and thus provide
email service to several domains with just one `mail server`.
Currently the Virtual Mail support works only with **LDAP enabled**;
in the future `mariaDB` could be enabled.

- The :ref:`debops.minio` and :ref:`debops.mcli` Ansible roles can be used to
install and configure `MinIO`__ object storage service and its corresponding
client binary.

.. __: https://minio.io/

- The :ref:`debops.tinyproxy` role can be used to set up a lightweight
HTTP/HTTPS proxy for an upstream server.

- The :ref:`debops.libuser` Ansible role configures the `libuser`__ library and
related commands. This library is used by some of the other DebOps roles to
manage local UNIX accounts and groups on LDAP-enabled hosts.

.. __: https://pagure.io/libuser/

General
'''''''

- Add more entries to be ignored by default by the :command:`git` command in
the DebOps project directories:

- :file:`debops`: ignore DebOps monorepo cloned or symlinked into the project
directory.

- :file:`roles` and :file:`playbooks`: ignore roles and playbooks in
development; production code should be put in the :file:`ansible/roles/`
and the :file:`ansible/playbooks/` directories respectively.

- The :command:`debops-init` script now also creates the .gitattributes file
for use with :command:`git-crypt`. It is commented out by default.

- The :command:`debops-defaults` command will check what pagers
(:command:`view`, :command:`less`, :command:`more`) are available and use the
best one automatically.

- A new Ansible module, ``dpkg_divert``, can be used to divert the
configuration files out of the way to preserve them and avoid issues with
package upgrades. The module is available in the
:ref:`debops.ansible_plugins` role.

LDAP
''''

- The :file:`ldap/init-directory.yml` Ansible playbook will create the LDAP
objects ``cn=LDAP Replicators`` and ``cn=Password Reset Agents`` to allow
other Ansible roles to utilize them without the need for the system
administrator to define them by hand.

- The :file:`ldap/get-uuid.yml` Ansible playbook can be used to convert LDAP
Distinguished Names to UUIDs to look up the password files if needed.

:ref:`debops.apt_install` role
''''''''''''''''''''''''''''''

- The `open-vm-tools`__ APT package will be installed by default in VMware
virtual machines.

.. __: https://github.com/vmware/open-vm-tools

:ref:`debops.dnsmasq` role
''''''''''''''''''''''''''

- The role will tell the client applications to `disable DNS-over-HTTPS
support`__ using the ``use-application-dns.net`` DNS record. This should
allow connections to internal sites and preserve the split-DNS functionality.

.. __: https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet

:ref:`debops.dokuwiki` role
'''''''''''''''''''''''''''

- The role will configure LDAP support in DokuWiki when LDAP environment
managed by the :ref:`debops.ldap` Ansible role is detected. Read the
:ref:`dokuwiki__ref_ldap_support` chapter in the documentation for more
details.

:ref:`debops.cron` role
'''''''''''''''''''''''

- The execution time of the ``hourly``, ``daily``, ``weekly`` and ``monthly``
:command:`cron` jobs will be randomized on a per-host basis to avoid large
job execution spikes every morning. See the role documentation for more
details.

:ref:`debops.nullmailer` role
'''''''''''''''''''''''''''''

- When the :ref:`LDAP environment <debops.ldap>` is configured on a host, the
:ref:`debops.nullmailer` role will create the service account in the LDAP
directory and configure the :command:`nullmailer` service to use SASL
authentication with its LDAP credentials to send e-mails to the relayhost.

:ref:`debops.pki` role
''''''''''''''''''''''

- Newly created PKI realms will have a new :file:`public/full.pem` file which
contains the full X.509 certificate chain, including the Root CA certificate,
which might be required by some applications that rely on TLS.

Existing PKI realms will not be modified, but Ansible roles that use the PKI
infrastructure might expect the new files to be present. It is advisable to
:ref:`recreate the PKI realms <pki__ref_realm_renewal>` when possible, or
create the missing files manually.

:ref:`debops.saslauthd` role
''''''''''''''''''''''''''''

- The role can now be used to authenticate users of different services against
the LDAP directory via integration with the :ref:`debops.ldap` role and its
framework. Multiple LDAP profiles can be used to provide different access
control for different services.

:ref:`debops.slapd` role
''''''''''''''''''''''''

- Add support for :ref:`eduPerson LDAP schema <slapd__ref_eduperson>` with
updated schema file included in the role.

- The role will configure SASL authentication in the OpenLDAP service using the
:ref:`debops.saslauthd` Ansible role. Both humans and machines can
authenticate to the OpenLDAP directory using their respective LDAP objects.

- The :ref:`lastbind overlay <slapd__ref_lastbind_overlay>` will be enabled by
default. This overlay records the timestamp of the last successful bind
operation of a given LDAP object, which can be used to, for example, check
the date of the last successful login of a given user account.

- Add support for :ref:`nextcloud LDAP schema <slapd__ref_nextcloud>` which
provides attributes needed to define disk quotas for Nextcloud user accounts.

- The Access Control List rules can now be tested using the :man:`slapacl(8)`
command via a generated :ref:`test suite script <slapd__ref_acl_tests>`.

- The default ACL rules have been overhauled to add support for the
``ou=Roles,dc=example,dc=org`` subtree and use of the ``organizationalRole``
LDAP objects for authorization. The old set of rules is still active to
ensure that the existing environments work as expected.

If you use a modified ACL configuration, you should include the new rules as
well to ensure that changes in the :ref:`debops.ldap` support are working
correctly.

- You can now hide specific LDAP objects from unprivileged users by adding them
to a special ``cn=Hidden Objects,ou=Groups,dc=example,dc=org`` LDAP group.
The required ACL rule will be enabled by default; the objects used to control
visibility will be created by the :file:`ldap/init-directory.yml` playbook.

- New "SMS Gateway" LDAP role grants read-only access to the ``mobile``
attribute by SMS gateways. This is needed for implementing 2-factor
authentication via SMS messages.

:ref:`debops.unbound` role
''''''''''''''''''''''''''

- The role will tell the client applications to `disable DNS-over-HTTPS
support`__ using the ``use-application-dns.net`` DNS record. This should
allow connections to internal sites and preserve the split-DNS functionality.

.. __: https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet

- The role will configure the :command:`unbound` daemon to allow non-recursive
access to DNS queries when a host is managed by Ansible locally, with the
assumption that it's an Ansible Controller host. This change unblocks use of
the :command:`dig +trace` and similar commands.

Changed
~~~~~~~

Updates of upstream application versions
''''''''''''''''''''''''''''''''''''''''

- In the :ref:`debops.gitlab` role, GitLab version has been updated to
``12.2``. This is the last release that supports Ruby 2.5 which is included
in Debian Buster.

- In the :ref:`debops.ipxe` role, the Debian Stretch and Debian Buster netboot
installer versions have been updated to their next point releases, 9.10 and
10.2 respectively.

- In the :ref:`debops.netbox` role, the NetBox version has been updated to
``v2.6.3``.

Continuous Integration
''''''''''''''''''''''

- The ``$DEBOPS_FROM`` environment variable can be used to select how DebOps
scripts should be installed in the Vagrant environment: either ``devel``
(local build) or ``pypi`` (installation from PyPI repository). This makes
Vagrant environment more useful on Windows hosts, where :file:`/vagrant`
directory is not mounted due to issues with symlinks.

- The :command:`make test` command will not run the Docker tests anymore, to
make the default tests faster. To run the Docker tests with all other tests,
you can use the :command:`make test docker` command.

General
'''''''

- External commands used in the DebOps scripts have been defined as constants
to allow easier changes of the command location in various operating systems,
for example Guix.

- The default Ansible callback plugin used by DebOps is changed to ``yaml``,
which gives a cleaner look for various outputs and error messages. The
callback plugin will be active by default in new DebOps project directories;
in existing directories users can add:

.. code-block:: ini

[ansible defaults]
stdout_callback = yaml

in the :file:`.debops.cfg` configuration file.

LDAP
''''

- The :file:`ldap/init-directory.yml` playbook has been updated to use the new
``ou=Roles,dc=example,dc=org`` LDAP subtree, which will contain various
``organizationalRole`` objects. After updating the OpenLDAP Access Control
List using the :ref:`debops.slapd` role, you can use the playbook on an
existing installation to create the missing objects.

The ``cn=UNIX Administrators`` and ``cn=UNIX SSH users`` LDAP objects will be
created in the ``ou=Groups,dc=example,dc=org`` LDAP subtree. On existing
installations, these objects need to be moved manually to the new subtree,
otherwise the playbook will try to create them and fail due to duplicate
UID/GID numbers which are enforced to be unique. You can move the objects
using an LDAP client, for example Apache Directory Studio.

The ``ou=System Groups,dc=example,dc=org`` subtree will not be created
anymore. On existing installations this subtree will be left intact and can
be safely removed after migration.

- The access to the OpenLDAP service configured using the :ref:`debops.slapd`
role now requires explicit firewall and TCP Wrappers configuration to allow
access from trusted IP addresses and subnets. You can use the
``slapd__*_allow`` variables in the Ansible inventory to specify the IP
addresses and subnets that can access the service.

To preserve the old behaviour of granting access by default from anywhere,
you can set the :envvar:`slapd__accept_any` variable to ``True``.

:ref:`debops.apt_preferences` role
''''''''''''''''''''''''''''''''''

- Support Debian Buster in :ref:`apt_preferences__list`.

:ref:`debops.gitlab` role
'''''''''''''''''''''''''

- The LDAP support in GitLab has been converted to use the
:ref:`debops.ldap` infrastructure and not configure LDAP objects directly.
LDAP support in GitLab will be enabled automatically if it's enabled on
the host. Some of the configuration variables have been changed; see the
:ref:`upgrade_notes` for more details.

- The default LDAP filter configured in the
:envvar:`gitlab__ldap_user_filter` variable has been modified to limit
access to the service to objects with specific attributes. See the
:ref:`GitLab LDAP access control <gitlab__ref_ldap_dit_access>`
documentation page for details about the required attributes and their
values.

- The GitLab project has changed its codebase structure, and because of that
the GitLab CE :command:`git` repository has been moved to a new location,
https://gitlab.com/gitlab-org/gitlab-foss/. The role has been updated
accordingly. Existing installations should work fine after the new codebase
is cloned, but if unsure, users should check the change first in
a development environment.

More details can be found in GitLab blog posts `here`__ and `here`__, as well
as the `Frequently Asked Questions`__ page.

.. __: https://about.gitlab.com/blog/2019/02/21/merging-ce-and-ee-codebases/
.. __: https://about.gitlab.com/blog/2019/08/23/a-single-codebase-for-gitlab-community-and-enterprise-edition/
.. __: https://gitlab.com/gitlab-org/gitlab/issues/13855

:ref:`debops.golang` role
'''''''''''''''''''''''''

- The role has been redesigned from the ground up, and can be used to install
Go applications either from APT packages, build them from source, or download
precompiled binaries from remote resources. See the role documentation for
more details.

:ref:`debops.ldap` role
'''''''''''''''''''''''

- The role will reset the LDAP host attributes defined in the
:envvar:`ldap__device_attributes` variable on first configuration in case
that the host has been reinstalled and some of their values changed (for
example different IP addresses). This should avoid leaving the outdated
attributes in the host LDAP object.

:ref:`debops.nginx` role
''''''''''''''''''''''''

- The role will create the webroot directory specified in the ``item.root``
parameter even if the ``item.owner`` and ``item.group`` parameters are not
defined. This might have idempotency issues if the :ref:`debops.nginx` role
configuration and the application role configuration try to modify the same
directory attributes. To disable the webroot creation, you can set the
``item.webroot_create`` parameter to ``False``. Alternatively, you should
specify the intended owner, group and directory mode in the :command:`nginx`
server configuration.

:ref:`debops.nullmailer` role
'''''''''''''''''''''''''''''

- The :envvar:`nullmailer__adminaddr` list is set to empty by default to not
redirect all e-mail messages sent through the :command:`nullmailer` service
to the ``root`` account. This should be done on the relayhost instead.

:ref:`debops.owncloud` role
'''''''''''''''''''''''''''

- Nextcloud 14 support has been dropped because it is EOL. You need to upgrade
Nextcloud manually if you are running 14 or below. Nextcloud 16 support has
been added, and new installations now default to Nextcloud 15.

- The LDAP support in Nextcloud has been converted to use the
:ref:`debops.ldap` infrastructure and not configure LDAP objects directly.
LDAP support in Nextcloud will be enabled automatically if it's enabled on
the host. Some of the configuration variables have been changed; see the
:ref:`upgrade_notes` for more details.

- The default LDAP filter configured in the
:envvar:`owncloud__ldap_login_filter` variable has been modified to limit
access to the service to objects with specific attributes. See the
:ref:`Nextcloud LDAP access control <owncloud__ref_ldap_dit_access>`
documentation page for details about the required attributes and their
values.

- The default LDAP group filter configured in the
:envvar:`owncloud__ldap_group_filter` variable has been modified to limit the
available set of ``groupOfNames`` LDAP objects to only those that have the
``nextcloudEnabled`` attribute set to ``true``.

- Support for disk quotas for LDAP users has been added in the default
configuration, based on the :ref:`nextcloud LDAP schema
<slapd__ref_nextcloud>`. The default disk quota is set to 10 GB and can be
changed using the ``nextcloudQuota`` LDAP attribute.

:ref:`debops.postconf` role
'''''''''''''''''''''''''''

- Support for the ``465`` TCP port for message submission over Implicit TLS is
no longer deprecated (status changed by the :rfc:`8314` document) and will be
enabled by default with the ``auth`` capability.

- The role will configure Postfix to check the sender address of authenticated
mail messages and block those that don't belong to the authenticated user.
This will be enabled with the ``auth`` and the ``unauth-sender``
capabilities, and requires a user database to work correctly.

:ref:`debops.postfix` role
''''''''''''''''''''''''''

- The default primary group of the lookup tables has been changed to
``postfix``, default mode for new lookup tables will be set to ``0640``.
This change helps secure lookup tables that utilize remote databases with
authentication.

- Postfix lookup tables can now use shared connection configuration defined in
a YAML dictionary to minimize data duplication.
See the :ref:`postfix__ref_lookup_tables` documentation for more details.

:ref:`debops.resolvconf` role
'''''''''''''''''''''''''''''

- The role will install and configure the :command:`resolvconf` APT package
only on hosts with more than one network interface (not counting ``lo``), or
if local DNS services are also present on the host.

:ref:`debops.slapd` role
''''''''''''''''''''''''

- Enable substring index for the ``sudoUser`` attribute from the :ref:`sudo
LDAP schema <slapd__ref_sudo>`. Existing installations should be updated
manually via the LDAP client, by setting the value of the ``sudoUser`` index
to ``eq,sub``.

- Add indexes for the ``authorizedService`` and ``host`` attributes from the
:ref:`ldapns LDAP schema <slapd__ref_ldapns>` and the ``gid`` attribute from
the :ref:`posixGroupId LDAP schema <slapd__ref_posixgroupid>`. This should
improve performance in UNIX environments connected to the LDAP directory.

- The number of rounds in SHA-512 password hashes has been increased from 5000
(default) to 100001. Existing password hashes will be unaffected.

- The ``employeeNumber`` attribute in the ``ou=People,dc=example,dc=org`` LDAP
subtree will be constrained to digits only, and the LDAP directory will
enforce its uniqueness in the subtree. This allows the attribute to be used
for correlation of personal LDAP objects to RDBMS-based databases.

- The ``mail`` attribute is changed from unique for objects in the
``ou=People,dc=example,dc=org`` LDAP subtree to globally unique, due to its
use for authentication purposes. The attribute will be indexed by default.

- Access to the ``carLicense``, ``homePhone`` and ``homePostalAddress``
attributes has been restricted to privileged accounts only (administrators,
entry owner). The values cannot be seen by unprivileged and anonymous users.

- Write access to the ``ou=SUDOers,dc=example,dc=org`` LDAP subtree has been
restricted to the members of the "UNIX Administrators" LDAP group.

:ref:`debops.sshd` role
'''''''''''''''''''''''

- The role will allow or deny access to the ``root`` account via password
depending on the presence of the :file:`/root/.ssh/authorized_keys` file. See
:ref:`sshd__ref_root_password` for more details. This requires updated
:file:`root_account.fact` script from the :ref:`debops.root_account` role.

- The role will use Ansible local facts to check if the OpenSSH server package
is installed, to conditionally enable/disable its start on first install.

debops-contrib.dropbear_initramfs role
''''''''''''''''''''''''''''''''''''''

- Better default value for `dropbear_initramfs__network_device` by
detecting the default network interface using Ansible facts instead of the
previously hard-coded ``eth0``.

Removed
~~~~~~~

:ref:`debops.ansible_plugins` role
''''''''''''''''''''''''''''''''''

- The ``ldappassword`` Ansible filter plugin has been removed as it is no
longer used in DebOps roles. The preferred method for storing passwords in
LDAP is to pass them in plaintext (over TLS) and let the directory server
store them in a hashed form. See also: :rfc:`3062`.

:ref:`debops.ldap` role
'''''''''''''''''''''''

- The use of the ``params`` option in the ``ldap_attrs`` and ``ldap_entry``
Ansible modules is deprecated due to their insecure nature. As a consequence,
the :ref:`debops.ldap` role has been updated to not use this option and the
``ldap__admin_auth_params`` variable has been removed.

:ref:`debops.nginx` role
''''''''''''''''''''''''

- Set `nginx_upstream_php5_www_data` to absent. If you are still using
that Nginx upstream, which was enabled by default, update your Ansible
role and switch to a supported PHP release.

Fixed
~~~~~

General
'''''''

- The "Edit on GitHub" links on the role default variable pages in the
documentation have been fixed and now point to the correct source files on
GitHub.

:ref:`debops.dnsmasq` role
''''''''''''''''''''''''''

- On Ubuntu hosts, the role will fix the configuration installed by the
:command:`lxd` package to use ``bind-dynamic`` option instead of
``bind-interfaces``. This allows the :command:`dnsmasq` service to start
correctly.

:ref:`debops.ferm` role
'''''''''''''''''''''''

- The ``dmz`` firewall configuration will use the ``dport`` parameter instead
of ``port``, otherwise filtering rules will not work as expected.

:ref:`debops.nfs_server` role
'''''''''''''''''''''''''''''

- In the :envvar:`nfs_server__firewall_ports` variable, convert the
``dict_keys`` view into a list due to `change in Python 3 implementation`__
of dictionaries.

.. __: https://docs.ansible.com/ansible/latest/user_guide/playbooks_python_version.html#dictionary-views

:ref:`debops.nginx` role
''''''''''''''''''''''''

- Fix an issue in the :file:`php.conf.j2` server template when an
``item.location`` parameter is specified, overriding the default set of
``location`` blocks defined in the :file:`default.conf.j` template. If the
``/`` location is not specified in the ``item.location`` dictionary,
a default one will be included by the role.

:ref:`debops.postconf` role
'''''''''''''''''''''''''''

- Disable the ``smtpd_helo_restrictions`` option on the ``submission`` and
``smtps`` TCP ports when the authentication and MX lookups are enabled. This
should fix an issue where an SMTP client sends the host's IP address as its
HELO/EHLO response, which might not be configurable by the user.

Security
~~~~~~~~

:ref:`debops.nginx` role
''''''''''''''''''''''''

- Mitigation for the `CVE-2019-11043`__ vulnerability has been applied in the
:command:`nginx` ``php`` and ``php5`` configuration templates. The mitigation
is based on the `suggested workaround`__ from the PHP Bug Tracker.

.. __: https://security-tracker.debian.org/tracker/CVE-2019-11043
.. __: https://bugs.php.net/bug.php?id=78599

:ref:`debops.owncloud` role
'''''''''''''''''''''''''''

- Security patch for the `CVE-2019-11043`__ vulnerability has been applied in
the Nextcloud configuration for the :ref:`debops.nginx` role. The patch is
based on the `fix suggested by upstream`__.

.. __: https://security-tracker.debian.org/tracker/CVE-2019-11043
.. __: https://nextcloud.com/blog/urgent-security-issue-in-nginx-php-fpm/
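The workaround applied in both the :ref:`debops.nginx` and :ref:`debops.owncloud` items above, shown as an added example that is not the DebOps template or the upstream Nextcloud snippet; the webroot and PHP-FPM socket paths are assumptions:

```nginx
# Added example, not DebOps code. Assumed paths: webroot /var/www/example,
# PHP-FPM socket unix:/run/php/php7.3-fpm.sock.

# BEFORE: the configuration shape CVE-2019-11043 relies on. Any URI that
# contains ".php" is split into script name and PATH_INFO and handed to
# PHP-FPM without nginx ever checking that the script exists on disk, so
# FPM has to parse whatever PATH_INFO it was given.
server {
    listen 80;
    root /var/www/example;

    location ~ \.php(?:$|/) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO       $fastcgi_path_info;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }
}

# AFTER: the PHP bug tracker workaround. try_files makes nginx verify that
# $document_root$fastcgi_script_name is a real file before fastcgi_pass is
# reached; a URI whose script part maps to no existing file gets a 404 from
# nginx and never arrives at FPM. Two ordering details matter:
#   1. fastcgi_split_path_info must run before try_files, and
#   2. try_files rewrites $uri, which empties $fastcgi_path_info, so the
#      value is copied to $path_info first and that copy is passed on.
server {
    listen 80;
    root /var/www/example;

    location ~ \.php(?:$|/) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        set $path_info $fastcgi_path_info;

        # Mitigation for CVE-2019-11043: refuse scripts that do not exist.
        try_files $fastcgi_script_name =404;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO       $path_info;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }
}
```

The guard is a workaround at the proxy layer; the actual fix is upgrading PHP-FPM to the patched releases listed in the advisory (7.1.33, 7.2.24, 7.3.11 or later).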


Severity Details

CVSS Base Score: CRITICAL 9.8

CVSS v3 Details

- Base Score: CRITICAL 9.8
- Attack Vector (AV): NETWORK
- Attack Complexity (AC): LOW
- Privileges Required (PR): NONE
- User Interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality Impact (C): HIGH
- Integrity Impact (I): HIGH
- Availability Impact (A): HIGH

CVSS v2 Details

- Base Score: HIGH 7.5
- Access Vector (AV): NETWORK
- Access Complexity (AC): LOW
- Authentication (Au): NONE
- Confidentiality Impact (C): PARTIAL
- Integrity Impact (I): PARTIAL
- Availability Impact (A): PARTIAL