We want to emphasize that Puppet Enterprise does not need to be patched for Heartbleed.
No version of Puppet Enterprise has been shipped with a vulnerable version of OpenSSL, so Puppet Enterprise is not itself vulnerable to the security bug known as Heartbleed, and does not require a patch from Puppet Labs.
However, some of your Puppet Enterprise-managed nodes could be running operating systems that include OpenSSL versions 1.0.1 or 1.0.2, and both of these are vulnerable to the Heartbleed bug. Since tools included in Puppet Enterprise, such as PuppetDB and the Console, make use of SSL certificates, we believe the safest, most secure method for ensuring the security of your Puppet-managed infrastructure is to regenerate your certificate authority and all OpenSSL certificates.
We have outlined the remediation procedure to help make it an easy and fail-safe process. You’ll find the details here: Remediation for Recovering from the Heartbleed Bug.
We’re here to help. If you have any issues with remediating the Heartbleed vulnerability, one of your authorized Puppet Enterprise support users can always log in to the customer support portal. We’ll continue to update the email list with any new information as it comes out.
Additional Information
Heartbleed and Puppet-Supported Operating Systems
https://puppetlabs.com/blog/heartbleed-and-puppet-supported-operating-systems
Heartbleed Update: Regeneration Still the Safest Path
https://puppetlabs.com/blog/heartbleed-update-regeneration-still-safest-path