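---
# Author: Michael Prokop / http://synpro.solutions/
# Latest change: Tue Mar 01 23:17:23 CET 2016 [mika]
#
# Purpose: apply Debian package updates for OpenSSL, especially WRT:
# - CacheBleed / CVE-2016-0702 AKA https://cachebleed.info/
# - DROWN Attack / CVE-2016-0800 / CVE-2015-3197 / CVE-2016-0703 AKA https://www.drownattack.com/
# - heap corruption via BIO_printf / CVE-2016-0799 AKA https://guidovranken.wordpress.com/2016/02/27/openssl-cve-2016-0799-heap-corruption-via-bio_printf/
# - CVE-2016-0705 AKA double free bug when parsing malformed DSA private keys
# - CVE-2016-0797 AKA integer overflow in the BN_hex2bn and BN_dec2bn functions
# - CVE-2016-0798 AKA memory leak in the SRP database lookup code
# Also see https://www.openssl.org/news/secadv/20160301.txt +
# https://security-tracker.debian.org/tracker/CVE-2016-$ID +
# https://lists.debian.org/debian-security-announce/2016/msg00071.html
#
# Useful tool: https://testssl.sh/
#
# NOTE: this playbook installs needrestart (on Debian/jessie and newer) or
# checkrestart from package debian-goodies (on Debian/wheezy and older) to
# identify which services require a restart, this playbook does NOT
# automatically restart any services by intention though!
#
# Review notes on this revision:
# - conditionals no longer wrap values in "{{ }}" (Ansible warns about
#   templating delimiters inside `when:`) and the version check is an exact
#   list membership instead of a substring match against the rendered list
#   (a substring match lets "...deb7u2" pass as "fixed" because it is a
#   substring of "...deb7u20").
# - registered results are always truthy, so presence/skip decisions are
#   made on `.stdout` / `.stdout_lines`, not on the result dict itself.
# - dpkg-query exits non-zero for a package that is not installed; those
#   lookups use `failed_when: false` so the play keeps running on hosts
#   without the package (the original "Identify ... version" tasks aborted
#   the play on a host without openssl).
# - sudo/sudo_user were replaced by become/become_user (the sudo keywords
#   are deprecated).

- name: update openssl packages
  hosts: all
  become: true
  become_user: root
  # serial: 1  # uncomment to apply update one server at a time
  vars:
    # NOTE - this is JFTR, we can't really compare against those
    # versions as the according hosts might not have the latest
    # available package installed before the fixed packages appeared
    affected_versions:
      - 0.9.8g-15+lenny16      # lenny, fixed packages at https://github.com/anexia-it/debian-packages
      - 0.9.8o-4squeeze14      # squeeze / squeeze-security, fixed packages at https://people.debian.org/~mika/openssl_20160301/
      - 0.9.8o-4squeeze23      # squeeze-lts, fixed packages at https://people.debian.org/~mika/openssl_20160301/
      - 1.0.1e-2+deb7u17       # wheezy, fixed with 1.0.1e-2+deb7u20
      - 1.0.1e-2+deb7u19       # wheezy-p-u, fixed with 1.0.1e-2+deb7u20
      - 1.0.1e-2+deb7u19       # wheezy-security, fixed with 1.0.1e-2+deb7u20
      - 1.0.1k-3+deb8u2        # jessie / jessie-security, fixed with 1.0.1k-3+deb8u4
      - 1.0.2f-2               # sid, no fixed packages available yet
    # Exact package versions accepted by the final "Report unfixed" check.
    # A later revision (e.g. a future deb7u21) is reported as unfixed until
    # this list is extended, and sid has no entry here, so sid hosts always
    # trip that check.
    fixed_versions:
      - 0.9.8g-15+lenny17~anexia1   # lenny
      - 0.9.8o-4squeeze24~lts1      # squeeze
      - 1.0.1e-2+deb7u20            # wheezy
      - 1.0.1k-3+deb8u4             # jessie

  tasks:
    - name: Ensure dependencies are installed + cache is up2date
      apt:
        name: aptitude
        state: latest
        update_cache: true
      when: ansible_os_family == 'Debian'

    # dpkg-query exits 1 when the package is unknown; treat that as
    # "not installed" rather than as a task failure.
    - name: Check for needrestart package
      command: dpkg-query -f '${Status}\n' --show needrestart
      register: needrestart_status
      changed_when: false
      failed_when: false
      when: ansible_os_family == 'Debian'

    - name: Check for debian-goodies package
      command: dpkg-query -f '${Status}\n' --show debian-goodies
      register: checkrestart_status
      changed_when: false
      failed_when: false
      when: ansible_os_family == 'Debian'

    # NOTE(review): `| int` makes the release comparison numeric so that
    # releases >= 10 are not sorted before 8 as strings. A non-numeric value
    # (testing/sid may report a codename here - TODO confirm) becomes 0 and
    # therefore lands in the debian-goodies branch below.
    - name: Install needrestart package on Debian jessie and newer
      apt:
        name: needrestart
        state: latest
      when:
        - ansible_os_family == 'Debian'
        - ansible_distribution_major_version | int >= 8
        - needrestart_status.stdout != 'install ok installed'

    - name: Install debian-goodies package for checkrestart on Debian wheezy and older
      apt:
        name: debian-goodies
        state: latest
      when:
        - ansible_os_family == 'Debian'
        - ansible_distribution_major_version | int <= 7
        - checkrestart_status.stdout != 'install ok installed'

    - name: Recheck for needrestart package
      command: dpkg-query -f '${Status}\n' --show needrestart
      register: needrestart_present
      changed_when: false
      failed_when: false
      when: ansible_os_family == 'Debian'

    - name: Recheck for debian-goodies package
      command: dpkg-query -f '${Status}\n' --show debian-goodies
      register: checkrestart_present
      changed_when: false
      failed_when: false
      when: ansible_os_family == 'Debian'

    # this check is also needed to ensure we don't install openssl
    # on a host which didn't have openssl installed yet, sadly
    # ansible doesn't support apt-get's --only-upgrade yet :(
    # An empty stdout means "openssl is not installed here".
    - name: Identify original OpenSSL version
      command: dpkg-query -f '${Version}\n' --show openssl
      register: openssl_version_original
      changed_when: false
      failed_when: false
      when: ansible_os_family == 'Debian'

    # aptitude search exits 1 when nothing matches, which is the expected
    # outcome on an already up-to-date host; only rc > 1 is a real error.
    - name: Check for outstanding upgrades
      command: aptitude -q -F%p --disable-columns search "~U"
      register: outstanding_updates
      changed_when: false
      failed_when: outstanding_updates.rc > 1
      when: ansible_os_family == 'Debian'

    - name: List packages to upgrade
      debug:
        msg: >-
          {{ outstanding_updates.stdout_lines | count }} packages to upgrade
          ({{ outstanding_updates.stdout_lines | join(', ') }})
      when:
        - ansible_os_family == 'Debian'
        - outstanding_updates.stdout_lines | default([]) | length > 0

    # Only run the tool that is actually installed; the registered result
    # dict itself is always truthy, so the status string has to be compared.
    - name: Check for outstanding service restarts via checkrestart
      shell: checkrestart | awk '/^service/ {print $2}'
      register: services_checkrestart
      changed_when: false
      when:
        - ansible_os_family == 'Debian'
        - checkrestart_present.stdout == 'install ok installed'

    - name: Check for outstanding service restarts via needrestart
      shell: needrestart -rl 2>&1 | awk '/^service / {print $2}'
      register: services_needrestart
      changed_when: false
      when:
        - ansible_os_family == 'Debian'
        - needrestart_present.stdout == 'install ok installed'

    # `default([])` covers the case where the corresponding check task was
    # skipped and the registered result carries no stdout_lines.
    - name: List services requiring restart (using checkrestart)
      debug:
        msg: >-
          {{ services_checkrestart.stdout_lines | count }} services to restart
          ({{ services_checkrestart.stdout_lines | join(', ') }})
      when:
        - ansible_os_family == 'Debian'
        - services_checkrestart.stdout_lines | default([]) | length > 0

    - name: List services requiring restart (using needrestart)
      debug:
        msg: >-
          {{ services_needrestart.stdout_lines | count }} services to restart
          ({{ services_needrestart.stdout_lines | join(', ') }})
      when:
        - ansible_os_family == 'Debian'
        - services_needrestart.stdout_lines | default([]) | length > 0

    # NOTE(review): both the upgrade and the version check below target the
    # `openssl` binary package only. The fixed code also ships in the libssl
    # runtime packages; whether upgrading `openssl` forces those to the fixed
    # revision depends on the package's versioned dependency - TODO confirm
    # per release and extend the package list if it does not.
    - name: Update openssl packages (only if already installed)
      apt:
        name: openssl
        state: latest
      when:
        - ansible_os_family == 'Debian'
        - openssl_version_original.stdout | default('') != ''

    - name: Identify current OpenSSL version
      command: dpkg-query -f '${Version}\n' --show openssl
      register: openssl_version_current
      changed_when: false
      failed_when: false
      when: ansible_os_family == 'Debian'

    - name: Display current OpenSSL version
      debug:
        msg: >-
          openssl version on {{ ansible_hostname }} originally was
          {{ openssl_version_original.stdout }}, now is
          {{ openssl_version_current.stdout }}
      when:
        - ansible_os_family == 'Debian'
        - openssl_version_original.stdout | default('') != ''

    # Exact list membership: a substring test against the rendered list
    # would accept any version that is a prefix of a fixed one.
    - name: Report unfixed OpenSSL version
      fail:
        msg: "openssl version on {{ ansible_hostname }} is unfixed version {{ openssl_version_current.stdout }}"
      when:
        - ansible_os_family == 'Debian'
        - openssl_version_current.stdout | default('') != ''
        - openssl_version_current.stdout not in fixed_versions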