[ANNOUNCE] PE and Puppet Agent releases pulled

116 views
Skip to first unread message

Rob Braden

unread,
Jun 9, 2018, 12:25:13 AM6/9/18
to puppet...@googlegroups.com

Dear Puppet and PE customers,


We discovered a critical corruptive permissions issue with the Windows packages for puppet-agent 1.10.13, 5.3.7, and 5.5.2. We have taken down these builds and the associated Puppet Enterprise releases that contain them: 2016.4.12, 2017.3.7, and 2018.1.1. If you have already downloaded these versions, please do not install them or use them to upgrade any Windows agents.


In some instances, the Windows installer is resetting permissions incorrectly across the node’s filesystem. It’s not clear that it affects 100% of installs.


These releases included security fixes. If you have already installed or upgraded, the code in this gist can be run to remediate an unsafe permissions issue on Windows that was addressed in the pulled releases (CVE-2018-6513).


We are working very hard to ship updated builds as soon as they are available. Please follow this thread or the Puppet Agent ticket for updates.


Our sincere apologies for the inconvenience.


Thanks,

Rob Braden
Puppet Release Team

Larissa Lane

unread,
Jun 11, 2018, 10:09:35 PM6/11/18
to pe-u...@puppet.com, puppet...@googlegroups.com

Puppet Windows Community:


On Friday, some users experienced changes to permissions when upgrading Windows agents to one of the puppet-agent versions listed below using the Chocolatey package manager. Since Friday, we have been working very hard to resolve this issue.  On Friday, all of the affected versions were removed from our download site, soon after the issue was first reported.


We currently have a fix merged. We will ship updated packages as soon as they are available.


This issue appears to be limited to a very specific set of circumstances that are described below. Please follow the Jira ticket PA-2075 if you are interested in tracking progress on this issue.


Affected versions:

Puppet Agent 1.10.13, 5.3.7, and 5.5.2
These Puppet Agent versions were included in Puppet Enterprise 2016.4.12, 2017.3.7, and 2018.1.1


Overview of the issue:

In specific circumstances, the Puppet Agent 5.5.2 (and 1.10.13, 5.3.7) MSI installers were triggering a permissions change unexpectedly. This issue does not occur when using our recommended method for installing or upgrading the Puppet Agent.


This issue can be triggered if you attempt to run the MSI installer for an affected version a second time from the command line when that version is already installed. This is typically seen when attempting to manage the puppet-agent package using the Chocolatey package provider. The MSI installer shuts down any running Puppet services, which shuts down Chocolatey as well, leaving the MSI to complete the install. Then when checked in subsequent runs, Chocolatey sees the package installation as pending and removes it, causing it to push through a second run of the package installation and MSI installer, triggering the behavior. For more details, see https://tickets.puppetlabs.com/browse/PA-2075?focusedCommentId=566084&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-566084.


Note that the Foreman puppet module uses the chocolatey package provider to upgrade puppet-agent by default on Windows. Therefore, it is likely that Foreman users that tried to upgrade puppet-agent on Windows to these affected versions were impacted by this issue.


What actions is Puppet taking?


We have removed these installers from our public download locations. We have a fix merged, which is currently undergoing testing and will be released as soon as that is completed.  


How can I fix affected Windows nodes?


Due to the nature of the problem, it's difficult for Puppet to give direct advice. If the installation process was aborted early, only some directories would have their owner changed. If the installation process completed, all directories would have their permissions changed.


* If you have a support agreement with Puppet and need assistance, please contact us through https://support.puppet.com


* If you have a support agreement with Microsoft, they may be able to assist you with specific errors in your Windows environment.


We sincerely apologise for the inconvenience. 

Larissa Lane
Product Manager, Puppet

--
You received this message because you are subscribed to the Google Groups "Puppet Enterprise Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pe-users+unsubscribe@puppet.com.
Visit this group at https://groups.google.com/a/puppet.com/group/pe-users/.



--
Larissa Lane
Product Manager 

Larissa Lane

unread,
Jun 13, 2018, 1:19:07 AM6/13/18
to pe-u...@puppet.com, puppet...@googlegroups.com, Puppet Enterprise Announcements
Update on Puppet Agent and Puppet Enterprise releases:

Thank you for your patience as we have been working around the clock to fix the Puppet Agent and Puppet Enterprise releases that we had to take down from our downloads site on Friday last week. The releases were taken down immediately after discovering a critical issue affecting Windows users who attempted to do an in-place upgrade of Puppet Agent using Chocolatey, due to an issue in the MSI package. 

We have resolved the issue and have both Puppet Agent and PE releases tagged and ready for release tomorrow morning, US Pacific Daylight Time. 

A huge thank you to members of the Puppet community who helped us pinpoint the problem so quickly, along with the specific set of conditions that triggered the issue. 

If you are unclear on the supported options for upgrading Puppet Agent, please refer to our documentation

Larissa Lane
Product Manager, Puppet
To unsubscribe from this group and stop receiving emails from it, send an email to pe-users+u...@puppet.com.
Reply all
Reply to author
Forward
0 new messages