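---
# Update software to address CVE-2020-14372
#
# Find the latest information about this issue, including any updates to this playbook,
# on the security bulletin:
# https://access.redhat.com/security/vulnerabilities/RHSB-2021-003
#
# Playbook Ver. 1.0
#
# This playbook updates the affected packages that are actually installed on
# each host. The full list is `affected_packages` below; it covers the grub2,
# shim, fwupd and fwupdate package families.
#
# Notes for operators:
# * Packages are upgraded to the newest version available from the enabled
#   repositories. The host is only fixed if the erratum for this CVE is
#   reachable from those repositories; verify the installed versions against
#   the bulletin afterwards.
# * The updated bootloader components (shim/grub2) are only in use after the
#   next boot; this playbook does not reboot the host.
# * OSTree-based hosts (RHEL Atomic Host, RHEL CoreOS) are refused; see the
#   bulletin for guidance on those platforms.
#
# To use it, define the HOSTS variable with the hosts you'd like to modify:
# ansible-playbook -e HOSTS=container_host,dev01 CVE-2020-14372-update_fixit.yml

- name: Update software to address CVE-2020-14372
  # HOSTS is mandatory; the play fails early when it is not passed with -e.
  hosts: "{{ HOSTS }}"
  # Querying the rpm database is fine unprivileged, updating packages is not.
  become: true
  vars:
    # Package names compared against the rpm database; only the ones present
    # on a host are handed to yum.
    affected_packages:
      - grub2
      - grub2-pc
      - grub2-efi
      - grub2-efi-x64
      - grub2-efi-ia32
      - grub2-efi-aa64
      - shim
      - shim-x64
      - shim-ia32
      - fwupd
      - fwupdate

  tasks:
    - name: Detecting /run/ostree-booted
      # Marker file present on OSTree-managed systems (Atomic Host, CoreOS).
      stat:
        path: /run/ostree-booted
      register: ostree_booted

    - name: Refuse to run on OSTree-based hosts
      when: ostree_booted.stat.exists
      fail:
        # Folded scalar: the original single-line message had an unterminated
        # quote, which is a YAML parse error.
        msg: >-
          This playbook is not supported on RHEL Atomic Host and OpenShift
          Container Platform 4 (RHEL CoreOS). Please see the security bulletin
          for more information:
          https://access.redhat.com/security/vulnerabilities/RHSB-2021-003

    - name: Update packages on hosts managed by rpm/yum
      when: not ostree_booted.stat.exists
      block:
        - name: Collect installed packages
          # One package name per line. The original `warn=no` argument was
          # dropped: the `warn` option is rejected by newer ansible-core
          # releases, and without it older releases only print a cosmetic
          # "consider using the yum module" warning for this rpm call.
          command: rpm -qa --queryformat="%{NAME}\n"
          register: rpm_qa
          # NOTE(review): a failing rpm query is deliberately not fatal. It
          # yields empty stdout and therefore an empty installed_affected list,
          # so the host is reported as needing nothing; check rpm_qa.rc in the
          # output when a host unexpectedly shows no affected packages.
          failed_when: false
          changed_when: false
          # Read-only query, so it still runs under --check to feed the
          # following tasks.
          check_mode: false

        - name: Check for affected packages
          set_fact:
            # Intersection of what is installed with what this CVE covers.
            installed_affected: "{{ rpm_qa.stdout_lines | intersect(affected_packages) }}"

        - name: Update affected packages
          # Skip instead of calling yum with an empty package list when none
          # of the affected packages are installed on this host.
          when: installed_affected | length > 0
          yum:
            name: "{{ installed_affected }}"
            state: latest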