From 3050a956990fc526d1df73e42b5fe856a4674a72 Mon Sep 17 00:00:00 2001
From: Solal Nathan <otthorn@crans.org>
Date: Wed, 27 Jan 2021 14:36:14 +0100
Subject: [PATCH] Add playbook to deploy sudo update on all machines

---
 sudo_upgrade.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100755 sudo_upgrade.yml

diff --git a/sudo_upgrade.yml b/sudo_upgrade.yml
new file mode 100755
index 0000000..45b01ad
--- /dev/null
+++ b/sudo_upgrade.yml
@@ -0,0 +1,17 @@
+#!/usr/bin/env ansible-playbook
+---
+# This is a special playbook to upgrade sudo everywhere after the
+# CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)
+# Please always use with --limit myserver.adm.auro.re
+# And list updates with --check
+- hosts: all
+  tasks:
+    - name: Upgrade sudo
+      apt:
+        name: sudo
+        state: latest
+        update_cache: true
+        cache_valid_time: 3600  # one hour
+      register: apt_result
+      retries: 3
+      until: apt_result is succeeded