Do not install the latest packages with package managers

ID

package_latest

Severity

high

Vendor

Ansible

Resource

General Security

Tags

reachable

Description

Do not install the latest packages with package managers. A task that requests `state: latest` installs whatever version the repository or index serves at run time, so the version that reaches production is not the one that was tested, and each run can silently pull in a newer release (and, for some package managers, new dependencies) that may contain regressions, security vulnerabilities or malicious code. Pin an explicit version with `state: present`, or, when the intent is only to upgrade packages that are already installed, combine `state: latest` with `update_only: true` so that no additional packages are installed.

Learn more about this topic at Ansible package latest.

Examples

```yaml
---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Install Ansible
      ansible.builtin.yum:
        name: ansible
        state: latest # <- Installs the latest package.

    - name: Install Ansible-lint
      ansible.builtin.pip:
        name: ansible-lint
      args:
        state: latest # <- Installs the latest package (passed via the task-level args keyword).

    - name: Install some-package
      ansible.builtin.package:
        name: some-package
        state: latest # <- Installs the latest package.

    - name: Install sudo with update_only to false
      ansible.builtin.yum:
        name: sudo
        state: latest
        update_only: false # <- Updates and installs packages.
```

Mitigation / Fix

```yaml
---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Install Ansible
      ansible.builtin.yum:
        name: ansible-2.12.7.0
        state: present # <- Pins the version to install with yum.

    - name: Install Ansible-lint
      ansible.builtin.pip:
        name: ansible-lint
      args:
        state: present
        version: 5.4.0 # <- Pins the version to install with pip.

    - name: Install some-package
      ansible.builtin.package:
        name: some-package
        state: present # <- Ensures the package is installed without upgrading it on every run.

    - name: Update sudo with update_only to true
      ansible.builtin.yum:
        name: sudo
        state: latest
        update_only: true # <- Updates but does not install additional packages.
```
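The check below is an added example, not part of this rule page and not ansible-lint's own implementation. It applies the rule to an already-parsed playbook (the list-of-plays structure that `yaml.safe_load()` returns for a playbook file) and shows the two details a naive grep for `state: latest` gets wrong: parameters supplied through the task-level `args:` keyword, as in the pip task above, and the `update_only: true` exemption used in the fix. The sample playbook is constructed to mirror the examples on this page, and the set of package modules beyond yum, pip and package is an assumption.

```python
"""Flag Ansible tasks that install packages with state: latest (package_latest).

Example code, not ansible-lint's implementation. Operates on the parsed
playbook structure that yaml.safe_load() returns for a playbook file.
"""
from typing import Any, Iterator, List, Optional

# Package-manager modules covered by the check, keyed by short name so that
# both "yum" and "ansible.builtin.yum" match. The page's examples use yum,
# pip and package; the other entries are assumed additions.
PACKAGE_MODULES = {"yum", "dnf", "apt", "pip", "package", "zypper", "pacman", "apk"}


def _short_module_name(fqcn: str) -> str:
    """ansible.builtin.yum -> yum, community.general.zypper -> zypper."""
    return fqcn.rsplit(".", 1)[-1]


def _is_true(value: Any) -> bool:
    """Accept the YAML/Ansible spellings of a true boolean (true, yes, on, 1)."""
    return str(value).strip().lower() in {"true", "yes", "on", "1"}


def _merged_params(task: dict, module_key: str) -> dict:
    """Module parameters as Ansible sees them: the module's own mapping merged
    with the task-level `args:` keyword. The page's pip example passes
    `state: latest` only through `args:`, so it must be merged or it is missed."""
    params = task.get(module_key)
    if params is None:
        params = {}
    elif isinstance(params, str):
        # Free-form "yum: name=foo state=latest" syntax.
        params = dict(kv.split("=", 1) for kv in params.split() if "=" in kv)
    merged = dict(params)
    merged.update(task.get("args") or {})
    return merged


def _iter_tasks(tasks: list) -> Iterator[dict]:
    """Yield every task, descending into block/rescue/always sections."""
    for task in tasks or []:
        if not isinstance(task, dict):
            continue
        sections = [s for s in ("block", "rescue", "always") if s in task]
        if sections:
            for section in sections:
                yield from _iter_tasks(task[section])
        else:
            yield task


def check_task(task: dict) -> Optional[str]:
    """Return a finding for a package task using state=latest, else None.
    A task with update_only: true only upgrades packages already present and
    installs nothing new, so it is accepted, as in the page's fix."""
    for key in task:
        if _short_module_name(str(key)) not in PACKAGE_MODULES:
            continue
        params = _merged_params(task, key)
        if str(params.get("state", "")).lower() != "latest":
            return None
        if _is_true(params.get("update_only")):
            return None
        return f"{task.get('name', '<unnamed>')}: {key} uses state=latest"
    return None


def check_playbook(playbook: list) -> List[str]:
    """Run check_task over every task section of every play."""
    findings = []
    for play in playbook:
        for section in ("pre_tasks", "tasks", "post_tasks", "handlers"):
            for task in _iter_tasks(play.get(section, [])):
                finding = check_task(task)
                if finding:
                    findings.append(finding)
    return findings


# Constructed sample mirroring this page's examples (not a real playbook file).
SAMPLE_PLAYBOOK = [{
    "name": "Example playbook",
    "hosts": "localhost",
    "tasks": [
        {"name": "Install Ansible", "ansible.builtin.yum": {"name": "ansible", "state": "latest"}},
        {"name": "Install Ansible-lint", "ansible.builtin.pip": {"name": "ansible-lint"},
         "args": {"state": "latest"}},
        {"name": "Install some-package", "ansible.builtin.package": {"name": "some-package", "state": "latest"}},
        {"name": "Update sudo", "ansible.builtin.yum": {"name": "sudo", "state": "latest", "update_only": True}},
        {"name": "Install pinned Ansible", "ansible.builtin.yum": {"name": "ansible-2.12.7.0", "state": "present"}},
        {"name": "Nested block", "block": [{"name": "Nested latest", "dnf": {"name": "vim", "state": "latest"}}]},
    ],
}]

if __name__ == "__main__":
    for line in check_playbook(SAMPLE_PLAYBOOK):
        print(line)
```

Running it on the constructed sample reports four tasks (the three `state: latest` installs, including the pip one whose `state` lives under `args:`, plus the one nested in a block) and accepts both the pinned `state: present` task and the `update_only: true` upgrade. To check a real playbook, load it with `yaml.safe_load()` and pass the result to `check_playbook()`.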