Heartbleed and Puppet-Supported Operating Systems


Eric Sorenson

Apr 10, 2014, 1:22:16 AM
to puppet...@googlegroups.com
Like you, we are still learning about the full extent of the OpenSSL security bug dubbed Heartbleed, and what we need to do to help Puppet users remediate the vulnerability. We published step-by-step documentation for remediating yesterday [http://puppetlabs.com/blog/heartbleed-security-bug-update-puppet-users], and we will continue to update you as we learn more and develop new resources.

We’ve finalized a list of vulnerable operating systems supported by Puppet Enterprise, noting the versions of OpenSSL they shipped with. If you are also running open source Puppet, be aware that the range of operating systems you can use is much wider, so not every vulnerable OS is on this list.

Keep in mind, regardless of the OS involved, you must check whether you are running OpenSSL versions 1.0.1 and 1.0.2 on your systems. Both are vulnerable.

Documentation for remediating the Heartbleed issue is linked below the lists. For more help, check out the Heartbleed and certificate discussions here on the email list.

Vulnerable Operating Systems and their versions of OpenSSL

Debian Wheezy (stable)
* OpenSSL 1.0.1e-2+deb7u4
Ubuntu 12.04.4 (precise) LTS
* OpenSSL 1.0.1-4ubuntu5.11
RHEL / CentOS / Scientific 6.5
* OpenSSL 1.0.1e-15

Operating Systems that are Not Vulnerable

* RHEL / CentOS / OEL / Scientific 6 (other than 6.5)
* RHEL / CentOS / OEL / Scientific 5 (all versions)
* RHEL / CentOS 4
* SLES 11
* AIX 5, 6, 7
* Solaris 10, 11
* Windows (all)
* Debian Squeeze (old-stable)
* Ubuntu 10.04 (Lucid)

Step-by-Step Documentation for Remediating the Vulnerability

Puppet Enterprise 3.x: Regenerating Certs and Security Credentials in Split Puppet Enterprise Deployments
http://docs.puppetlabs.com/pe/3.2/trouble_regenerate_certs_split.html

Puppet Enterprise 3.x: Regenerating Certs and Security Credentials in Monolithic Puppet Enterprise Deployments
http://docs.puppetlabs.com/pe/latest/trouble_regenerate_certs_monolithic.html

Puppet Enterprise 2.x: Regenerating Certs and Security Credentials in Split Puppet Enterprise Deployments
http://docs.puppetlabs.com/pe/2.8/trouble_regenerate_certs_split.html

Puppet Enterprise 2.x: Regenerating Certs and Security Credentials in Monolithic Puppet Enterprise Deployments
http://docs.puppetlabs.com/pe/2.8/trouble_regenerate_certs_monolithic.html

Puppet SSL: Regenerating All Certificates in a Puppet Deployment
http://docs.puppetlabs.com/puppet/latest/reference/ssl_regenerate_certificates.html

Eric Sorenson - eric.s...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles
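
The check the announcement above asks for, as an added example (not part of the original post or any Puppet tooling): it classifies package versions from an inventory against the three builds the post lists and the 1.0.1/1.0.2 series it says to check. The "host version" inventory format, the hostnames, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: triage an OpenSSL package inventory against the builds and
# version series named in the announcement. Not Puppet's own code.

# Builds the announcement lists as shipped on vulnerable PE-supported OSes.
LISTED_BUILDS="1.0.1e-2+deb7u4 1.0.1-4ubuntu5.11 1.0.1e-15"

# classify_openssl VERSION prints one of:
#   listed  exact match for a build named in the announcement
#   review  1.0.1 / 1.0.2 series but not a listed build
#   other   outside the series the announcement says to check
classify_openssl() {
    ver=$1
    base=${ver#*:}            # drop a dpkg epoch ("1:") if present
    base=${base%%.el[0-9]*}   # drop an RPM dist/arch suffix (".el6", ".el6.x86_64")
    for b in $LISTED_BUILDS; do
        if [ "$base" = "$b" ]; then
            echo listed
            return 0
        fi
    done
    case $base in
        1.0.1|1.0.1[!0-9]*|1.0.2|1.0.2[!0-9]*) echo review ;;
        *) echo other ;;
    esac
}

# triage_inventory: reads "host version" lines on stdin (assumed format, e.g.
# collected per host from dpkg-query or rpm) and prints hosts needing attention.
triage_inventory() {
    while read -r host ver; do
        [ -n "$host" ] || continue
        status=$(classify_openssl "$ver")
        [ "$status" = other ] || printf '%s %s %s\n' "$host" "$ver" "$status"
    done
}

# Constructed sample inventory: hostnames and the last two versions are made up.
SAMPLE='web01 1.0.1e-2+deb7u4
app02 1.0.1-4ubuntu5.11
db03 1.0.1e-15.el6
old04 0.9.8e-27.el5
new05 1.0.1x-99'
printf '%s\n' "$SAMPLE" | triage_inventory
```

A `review` result means the version string alone does not decide the matter: distributions backport fixes without changing the upstream version, so compare the package release against the vendor advisory.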

Darin Perusich

Apr 10, 2014, 6:34:31 AM
to puppet...@googlegroups.com

You've listed SLES 11 as vulnerable; it is not. However, OpenSUSE 12.3 and 13.1 are affected and patches have been released.

http://support.novell.com/security/cve/CVE-2014-0160.html
http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00005.html


Moses Mendoza

Apr 10, 2014, 2:14:45 PM
to puppet...@googlegroups.com
Hi Darin,

Just to clarify - I believe SLES 11 was listed under the section
"Operating Systems that are Not Vulnerable." Are you referring to a
different document that has been posted?