Like you, we are still learning about the full extent of the OpenSSL security bug dubbed Heartbleed, and what we need to do to help Puppet users remediate the vulnerability. We published step-by-step documentation for remediating yesterday [http://puppetlabs.com/blog/heartbleed-security-bug-update-puppet-users], and we will continue to update you as we learn more and develop new resources.
We’ve finalized a list of vulnerable operating systems supported by Puppet Enterprise, noting the versions of OpenSSL they shipped with. If you are also running open source Puppet, be aware that the range of operating systems you can use is much wider, so not every vulnerable OS is on this list.
Keep in mind, regardless of the OS involved, you must check whether you are running OpenSSL versions 1.0.1 and 1.0.2 on your systems. Both are vulnerable.
Documentation for remediating the Heartbleed issue is linked below the lists. For more help, check out the Heartbleed and certificate discussions here on the email list.
Vulnerable Operating Systems and their versions of OpenSSL
Debian Wheezy (stable)
* OpenSSL 1.0.1e-2+deb7u4
Ubuntu 12.04.4 (precise) LTS
* OpenSSL 1.0.1-4ubuntu5.11
RHEL / CentOS / Scientific 6.5
* OpenSSL 1.0.1e-15
Operating Systems that are Not Vulnerable
* RHEL / CentOS / OEL / Scientific 6 (other than 6.5)
* RHEL / CentOS / OEL / Scientific 5 (all versions)
* RHEL / CentOS 4
* SLES 11
* AIX 5, 6, 7
* Solaris 10, 11
* Windows (all)
* Debian Squeeze (old-stable)
* Ubuntu 10.04 (Lucid)
Step-by-Step Documentation for Remediating the Vulnerability
Puppet Enterprise 3.x: Regenerating Certs and Security Credentials in Split Puppet Enterprise Deployments
http://docs.puppetlabs.com/pe/3.2/trouble_regenerate_certs_split.html
Puppet Enterprise 3.x: Regenerating Certs and Security Credentials in Monolithic Puppet Enterprise Deployments
http://docs.puppetlabs.com/pe/latest/trouble_regenerate_certs_monolithic.html
Puppet Enterprise 2.x: Regenerating Certs and Security Credentials in Split Puppet Enterprise Deployments
http://docs.puppetlabs.com/pe/2.8/trouble_regenerate_certs_split.html
Puppet Enterprise 2.x: Regenerating Certs and Security Credentials in Monolithic Puppet Enterprise Deployments
http://docs.puppetlabs.com/pe/2.8/trouble_regenerate_certs_monolithic.html
Puppet SSL: Regenerating All Certificates in a Puppet Deployment
http://docs.puppetlabs.com/puppet/latest/reference/ssl_regenerate_certificates.html
Eric Sorenson - eric.s...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles
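
The version check the announcement asks for, written as an added example (not part of the original message and not Puppet Labs code). It classifies a version string using only the 1.0.1/1.0.2 rule and the package versions in the vulnerable-OS list above; the function names, the `--host` argument and the sample inputs are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example, not Puppet Labs code. LISTED is copied from the vulnerable-OS
# list in this announcement; the sample inputs at the bottom are constructed.
LISTED="1.0.1e-2+deb7u4 1.0.1-4ubuntu5.11 1.0.1e-15"

# classify_openssl VERSION prints one of:
#   listed    a package version named in the vulnerable-OS list
#   affected  1.0.1 or 1.0.2 series, which the announcement says to check for
#   other     any other series (for example 0.9.8 or 1.0.0)
classify_openssl() {
    v=$1
    for l in $LISTED; do
        # rpm appends a dist tag such as ".el6" to the release; accept it too
        case $v in "$l"|"$l".*) echo listed; return 0 ;; esac
    done
    case $v in
        1.0.1|1.0.1[!0-9]*|1.0.2|1.0.2[!0-9]*) echo affected ;;
        *) echo other ;;
    esac
}

# local_versions prints the OpenSSL version strings found on this host: the
# binary on PATH plus the dpkg or rpm package versions, where those tools exist.
local_versions() {
    if command -v openssl >/dev/null 2>&1; then
        openssl version | awk '{print $2}'
    fi
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' openssl libssl1.0.0 2>/dev/null || true
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl | grep -v 'not installed' || true
    fi
}

# report reads version strings on stdin and prints "<class> <version>" lines.
report() {
    while read -r ver; do
        [ -n "$ver" ] && echo "$(classify_openssl "$ver") $ver"
    done
    return 0
}

# "--host" checks this machine; with no argument the constructed samples run.
if [ "${1:-}" = "--host" ]; then
    local_versions | report
else
    printf '%s\n' 1.0.1e-2+deb7u4 1.0.1e-15.el6 1.0.1e-fips 1.0.0 0.9.8 | report
fi
```

A result of `affected` is a prompt to check the vendor's advisory for that package, since distributions can ship a fix without changing the upstream version number.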