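---
# This simple playbook will try to patch mysqld_safe against CVE-2016-6662
# using the Percona patch, then run a filesystem-permission check.
# More info about the vulnerability is available at
# https://www.percona.com/blog/2016/09/12/database-affected-cve-2016-6662
#
# Extra vars:
#   targets            - inventory host pattern to run against (required).
#   fs_fix_permissions - optional, default false; when truthy, `-f` is added
#                        to the check script's arguments (presumably enabling
#                        fixes - see fs-cve-2016-6662.sh to confirm).
- hosts: '{{ targets }}'
  # Real boolean instead of the YAML 1.1-only `yes`.
  become: true
  vars:
    # `-j` is always passed; `-f` only when fs_fix_permissions is truthy.
    fs_script_args: "{{ fs_fix_permissions | default(false) | ternary('-j -f', '-j') }}"

  tasks:
    # Registered so the cleanup task at the end removes `patch` only when
    # this play was the one that installed it.
    - name: Install patch if not available
      package:
        name: patch
        state: present
      register: we_installed_patch

    # A missing mysqld_safe is not fatal here: the failed lookup is kept in
    # `mysqld_safe` and the patch tasks below are skipped on that host.
    - name: Find mysqld_safe location
      command: which mysqld_safe
      register: mysqld_safe
      changed_when: false
      ignore_errors: true

    # Back out the Percona patch the task name flags as vulnerable before the
    # corrected patch is applied. NOTE(review): no ignore_errors here, so a
    # host where this undo patch does not apply cleanly fails the play and
    # never reaches the next task - confirm every target is expected to carry
    # that earlier Percona patch.
    - name: Remove vulnerable Percona patch
      patch:
        backup: true
        dest: "{{ mysqld_safe.stdout }}"
        src: cve-2016-6662-undo-percona.patch
      # `is succeeded` replaces the `|success` filter removed in newer Ansible.
      when: mysqld_safe is succeeded
      register: undo_percona_patch

    - name: Patch mysqld_safe to guard against CVE-2016-6662
      patch:
        backup: true
        dest: "{{ mysqld_safe.stdout }}"
        src: cve-2016-6662.patch
      when: mysqld_safe is succeeded and undo_percona_patch is succeeded

    - name: Remove patch again if we installed it
      package:
        name: patch
        state: absent
      when: we_installed_patch is changed

    # A WARNING in the script output marks the task failed so it stands out
    # in the run summary; ignore_errors keeps the play going so the debug
    # task below can still print the details.
    - name: Check the filesystem permissions
      script: fs-cve-2016-6662.sh {{ fs_script_args }}
      register: cve_fs_check
      ignore_errors: true
      failed_when: "'WARNING' in cve_fs_check.stdout"

    - debug:
        var: cve_fs_check.stdout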