Announce: Puppet 3.6.2 [ Security and Bug fix Release ]


Moses Mendoza

Jun 10, 2014, 2:19:05 PM
to puppet-...@googlegroups.com, puppet...@googlegroups.com, puppe...@googlegroups.com
Puppet 3.6.2 is a security and bug fix release in the Puppet 3.6
series. This release addresses CVE-2014-3248 and CVE-2014-3250.

** CVE-2014-3248 **
Arbitrary Code Execution with Required Social Engineering
An attacker could convince an administrator to unknowingly create and
execute malicious code on platforms with Ruby 1.9.1 and earlier.
CVSSv2 Score: 5.2
Vector: AV:L/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C

Affected Puppet versions (ruby 1.9.1 and earlier platforms only):
All

Fixed Puppet versions:
3.6.2
2.7.26*

** CVE-2014-3250 **
Information Leakage Vulnerability
Apache 2.4 added the SSLCARevocationCheck directive to mod_ssl. It
defaults to "none" and must be explicitly configured; only when it is set
does mod_ssl check client certificates against the certificate revocation
list. The default Puppet master vhost config shipped with Puppet does not
include this setting. If a Puppet master is set up to run with Apache 2.4
and this default vhost configuration file is used, the Puppet master will
continue to honor a host's certificate even after it is revoked.
CVSSv2 Score: 3.1
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C

Affected Puppet versions:
All (must be configured as a master behind Apache 2.4 using the
default puppet master vhost).

Fixed Puppet versions:
3.6.2

For more information on these vulnerabilities, please visit
https://puppetlabs.com/security/cve/cve-2014-3248
https://puppetlabs.com/security/cve/cve-2014-3250

## Bug Fixes
- Chatty warning/deprecation messages can now be suppressed. As we near
  the end of the 3.x series, there's going to be a slew of deprecations
  coming which need to be visible so everyone knows what's going to
  change, but some messages trigger tons of log spam, so now it's
  possible to turn them off.
- Directory environments under webrick now work; they no longer fail
  with "Attempted to pop, but already at root of the context stack"
  errors.
- A memory leak in loading functions was fixed.

Community shout-out for this release goes to Joshua Hoblitt for
testing the memory leak patch and providing awesome usage graphs
(PUP-2692).

Please read through the Release Notes for the full list of changes:
http://docs.puppetlabs.com/puppet/latest/reference/release_notes.html
To install Puppet, follow the Installation Guide:
http://docs.puppetlabs.com/guides/install_puppet/pre_install.html
To report issues with the release, file a ticket in the “PUP” project
on https://tickets.puppetlabs.com/ and set the “Affects version/s”
field to "3.6.2”.

* The Puppet 2.7.x series is officially end of life, but continues to
be maintained by community members. See the release announcement to
puppet-announce/puppet-users/puppet-dev regarding Puppet 2.7.26.

--
Moses Mendoza
Puppet Labs

Join us at PuppetConf 2014, September 20-24 in San Francisco
Register by July 31st to take advantage of the Early Bird discount —save $249!
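The CVE-2014-3250 mitigation, shown as an added example rather than the vhost file Puppet ships: a mod_ssl vhost fragment for a Passenger-hosted Puppet master on Apache 2.4 with revocation checking actually turned on. The hostname, the ssldir paths under /var/lib/puppet/ssl and the Rack document root are placeholders assumed for this example; adjust them to your master.

```apache
# Added example (not the vhost shipped with Puppet): mod_ssl settings a
# Puppet master vhost needs on Apache 2.4 so revoked agent certificates
# are rejected. Hostname and ssldir paths below are placeholders.
Listen 8140
<VirtualHost *:8140>
    SSLEngine on
    SSLProtocol ALL -SSLv2 -SSLv3

    # The master's own certificate and key, issued by the Puppet CA.
    SSLCertificateFile      /var/lib/puppet/ssl/certs/puppetmaster.example.com.pem
    SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/puppetmaster.example.com.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem

    # The CRL maintained by the Puppet CA (updated by `puppet cert revoke`).
    SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
    # Apache 2.4 only: SSLCARevocationCheck defaults to "none", so the CRL
    # above is loaded but never consulted unless this directive is set.
    # "chain" checks every certificate in the client's chain against the
    # CRL; "leaf" checks only the client certificate itself. Apache 2.2 has
    # no such directive; there, SSLCARevocationFile alone enables checking.
    SSLCARevocationCheck chain

    # Agents present a client certificate. Verification stays "optional"
    # because unsigned agents must still reach the CA endpoints; the verify
    # result is handed to Puppet in request headers instead.
    SSLVerifyClient optional
    SSLVerifyDepth  1
    SSLOptions +StdEnvVars +ExportCertData

    RequestHeader set X-SSL-Subject   %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN     %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    # Passenger/Rack application root for the Puppet master (placeholder).
    DocumentRoot /etc/puppet/rack/public/
    RackBaseURI /
    <Directory /etc/puppet/rack/>
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
```

Two practical notes. Run `apachectl configtest` before reloading, since SSLCARevocationCheck is rejected as an unknown directive by Apache 2.2 and a typo here takes the master down. And mod_ssl reads the CRL file when the server starts, so after revoking an agent with `puppet cert revoke` the master's Apache needs a graceful restart before the revoked agent is actually refused; a quick way to confirm the fix is to revoke a throwaway test agent's certificate, restart Apache, and check that that agent's next run fails its SSL handshake.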

Byron Miller

Jun 16, 2014, 8:49:14 AM
to puppet...@googlegroups.com, puppet-...@googlegroups.com, puppe...@googlegroups.com
Running puppet 3.6.2 and disable_warnings = deprecations appears to make no difference to prohibiting the alert about environments.

Stefan Heijmans

Jun 17, 2014, 5:29:02 AM
to puppe...@googlegroups.com, puppet...@googlegroups.com, puppet-...@googlegroups.com
Aha, experienced the same thing last week, didn't have time to look into it yet...

Joshua Partlow

Jun 17, 2014, 12:35:28 PM
to puppe...@googlegroups.com, puppet...@googlegroups.com
(I clipped puppet-announce from this thread)

Hi Byron, Stefan,

Which deprecation warning are you continuing to see?  There is an open issue with the disable_warnings, which is that static environment blocks in puppet.conf will continue to warn: https://tickets.puppetlabs.com/browse/PUP-2739

Is that the issue you are seeing?

thanks,
Josh




--
Josh Partlow
jpar...@puppetlabs.com
Developer, Puppet Labs

Stefan Heijmans

Jun 18, 2014, 6:33:16 AM
to puppe...@googlegroups.com, puppet...@googlegroups.com
Hi Josh,

On Tuesday, June 17, 2014 6:35:19 PM UTC+2, Joshua Partlow wrote:
Is that the issue you are seeing?
Sorry for the confusion, but I had the deprecation warning from the package type; allow_virtual parameter.
Fixed it yesterday, had disable_warnings in the wrong location.
 
Stefan
 

Byron Miller

Jun 19, 2014, 9:11:49 AM
to puppet...@googlegroups.com, puppe...@googlegroups.com
Josh,

Yeah, I'm getting a warning on environments still. I run theforeman which doesn't support the new environments yet, so I was just curious if I could sleep the error until foreman is patched up.

-byron

Joshua Partlow

Jun 23, 2014, 2:04:49 AM
to puppe...@googlegroups.com, puppet...@googlegroups.com
On Thu, Jun 19, 2014 at 6:11 AM, Byron Miller <byr...@gmail.com> wrote:
Josh,

Yeah, I'm getting a warning on environments still. I run theforeman which doesn't support the new environments yet, so I was just curious if I could sleep the error until foreman is patched up.

Yeah, unfortunately, if you are getting errors specifically for [env] stanzas in your puppet.conf, those aren't currently being blocked; PUP-2739 will track progress on that issue.  It doesn't currently have a fix version set, but you can chime in on the ticket.

Josh

