From 506510cabd8335f47bfefbe54df16e125527b6c2 Mon Sep 17 00:00:00 2001
From: Bas
Date: Thu, 21 Dec 2023 15:17:34 +0100
Subject: [PATCH] =?UTF-8?q?[ansible/artifactory]=20JA-7492-=20Fixed=20a=20?= =?UTF-8?q?security=20issue=20whereby,=20interacting=20with=20specially=20?= =?UTF-8?q?c=E2=80=A6=20(#356)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* JA-7492- Fixed a security issue whereby, interacting with specially crafted URLs could lead to exposure of sensitive information.
* Version 7.71.8 of Artifactory
* Determine the running_version and compare to desired artifactory_version
* compare stdout wihtout newline. changed_when: false for read operation.
---
 .../jfrog/platform/CHANGELOG.md | 3 +++
 .../platform/roles/artifactory/defaults/main.yml | 4 ++--
 .../platform/roles/artifactory/tasks/upgrade.yml | 15 +++++++++++++--
 3 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/Ansible/ansible_collections/jfrog/platform/CHANGELOG.md b/Ansible/ansible_collections/jfrog/platform/CHANGELOG.md
index 7c24184a..40f4ffcc 100644
--- a/Ansible/ansible_collections/jfrog/platform/CHANGELOG.md
+++ b/Ansible/ansible_collections/jfrog/platform/CHANGELOG.md
@@ -1,6 +1,9 @@
 # JFrog Platform Ansible Collection Changelog
 All changes to this collection will be documented in this file.
+## [10.16.4] - Dec 18, 2023
+* Changed default Artifactory version to 7.71.8
+
 ## [10.16.3] - Dec 6, 2023
 * Added How to avoid IPv6 binding in Readme [GH-349](https://github.com/jfrog/JFrog-Cloud-Installers/pull/349)
 * Product Updates/fixes
diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory/defaults/main.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/defaults/main.yml
index 817e5acd..89f8d5a1 100644
--- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory/defaults/main.yml
+++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/defaults/main.yml
@@ -1,7 +1,7 @@
 # Defaults file for artifactory
 # The version of artifactory to install
-artifactory_version: 7.71.5
+artifactory_version: 7.71.8
 # Set this to true when SSL is enabled (to use artifactory_nginx_ssl role), default to false (implies artifactory uses artifactory_nginx role )
 artifactory_nginx_ssl_enabled: false
@@ -112,4 +112,4 @@ artifactory_binarystore: |-
 artifactory_systemyaml_override: false
 # Allow artifactory user to create crontab rules
-artifactory_allow_crontab: false
\ No newline at end of file
+artifactory_allow_crontab: false
diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/upgrade.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/upgrade.yml
index 2ff3a108..1ee1b29b 100644
--- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/upgrade.yml
+++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/upgrade.yml
@@ -56,17 +56,28 @@
 path: "{{ jfrog_home_directory }}"
 state: directory
+- name: Check artifactory version
+ ansible.builtin.shell: |
+ set -o pipefail;
+ grep artifactory.product.version "{{ artifactory_home }}/app/artifactory.product.version.properties" |cut -d= -f2
+ register: check_version_cmd
+ changed_when: false
+
+- name: Set running_version
+ ansible.builtin.set_fact:
+ running_version: "{{ check_version_cmd.stdout }}"
+
 - name: Delete artifactory app directory
 become: true
 ansible.builtin.file:
 path: "{{ artifactory_home }}/app"
 state: absent
- when: (download_artifactory.changed) or (unarchived_artifactory.changed)
+ when: running_version != artifactory_version
 - name: Copy new app to artifactory app
 become: true
 ansible.builtin.command: "cp -r {{ artifactory_untar_home }}/app/. {{ artifactory_home }}/app"
- when: (download_artifactory.changed) or (unarchived_artifactory.changed)
+ when: running_version != artifactory_version
 notify: Restart artifactory
 - name: Configure artifactory license(s)
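Review bot: The added `Check artifactory version` task in upgrade.yml is now the only gate for the delete and copy steps, yet it has no handling for a missing or unreadable `artifactory.product.version.properties`: with `set -o pipefail` the task fails, the play stops for that host, and a host left half-upgraded by an earlier run stays on its old build, without the JA-7492 fix this release delivers. If reinstalling is the intended recovery in that case, `failed_when: false` on the check plus `running_version: "{{ check_version_cmd.stdout | default('') | trim }}"` would treat an unknown version as a mismatch and let the copy run. The check is read-only, so `check_mode: false` would also keep `--check` runs from skipping it and then failing on an undefined `stdout` in `Set running_version`. The tasks that register `download_artifactory` and `unarchived_artifactory` sit above this hunk, so whether the untarred app is always present when the new condition fires cannot be confirmed from here.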