| Puppet Version: 5.5.10
Puppet Server Version: N/A
OS Name/Version: Ubuntu 20.04 Focal Fossa Desired Behavior: When running puppet apply, file source URIs like puppet:///modules/php7_4/opt/composer/composer should be interpreted as a reference to a local file. Actual Behavior: Instead, the URI is interpreted as having a hostname with value "" (empty string), which results in error message Could not evaluate: Could not retrieve file metadata for puppet:///modules/php7_4/opt/composer/composer: Failed to open TCP connection to :8140 (Connection refused - connect(2) for "" port 8140). I think the culprit is an update of package ruby2.7 on the affected system. See http://changelogs.ubuntu.com/changelogs/pool/main/r/ruby2.7/ruby2.7_2.7.0-5ubuntu1.9/changelog for the changelog entry: ruby2.7 (2.7.0-5ubuntu1.9) focal-security; urgency=medium * SECURITY UPDATE: ReDoS
- debian/patches/CVE-2023-28755-*.patch: URI.parse should set empty
string in host instead of nil in lib/uri/rfc3986_parser.rb, raise
ArgumentError with empty host url again in
lib/net/http/generic_request.rb.
- CVE-2023-28755
* SECURITY UPDATE: ReDos
- debian/patches/CVE-2023-28756-*.patch: fix quadratic backtracking on
invalid time and make RFC2822 regexp linear in lib/time.rb.
- CVE-2023-28756
* debian/patches/fix_test_generic.patch: fix test generic. -- Leonidas Da Silva Barbosa <leo.b...@canonical.com> Tue, 02 May 2023 05:34:05 -0300{} Sounds like due to this fix, a Puppet URI like puppet:///modules/... }}is suddenly interpreted as protocol=puppet, hostname=, path=/modules/..., although in the context of a {{puppet apply run, it is meant to refer to a local file. Because the URI parsers now returns the empty string for the hostname (instead of nil), follow-up code thinks it must do a DNS lookup for this hostname - and looking up the empty string of course fails. |
