[ask] Upgrade for CVE-2011-3872 AltNames Vulnerability
2 views
Skip to first unread message
heriyanto
Oct 24, 2011, 11:28:38 PM10/24/11
to puppet...@googlegroups.com
Base on CVE-2011-3872, i want to upgrade all puppet master and agent,
my plan upgrade puppet master first then the agent, whether the
configuration I can still be used?
if use version 2.6.12 as a puppet master and agent still 2.6.6 for
temporary then after that i upgrade to 2.6.12 for the agent?
because my configuration already complex, and also using certdnsnames.
Or anybody have good plan for upgrading? i can't recreate CA because i
have much hosts.
my plan upgrade puppet master first then the agent, whether the
configuration I can still be used?
if use version 2.6.12 as a puppet master and agent still 2.6.6 for
temporary then after that i upgrade to 2.6.12 for the agent?
because my configuration already complex, and also using certdnsnames.
Or anybody have good plan for upgrading? i can't recreate CA because i
have much hosts.
Best regards,
Heriyanto
Nigel Kersten
Oct 25, 2011, 12:12:55 PM10/25/11
to puppet...@googlegroups.com
Upgrading the master is the important part, not the agents, but you should ultimately do them as well anyway.
How many hosts do you have? If you can cluster SSH commands to them you can follow the SSH recipe for migrating them to a new CA.
or if you can cope with a webrick master, we have a recipe there that will work for 2.6.x and 2.7.x webrick puppet masters.
If you have some other setup, you may be able to fork that module and modify it to work with your deployment.
Best regards,
Heriyanto
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet...@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Nigel Kersten
Product Manager, Puppet Labs
heriyanto
Oct 25, 2011, 11:31:32 PM10/25/11
to puppet...@googlegroups.com
Thank for your reply Nigel,
my host is about hundreds.
Is it ok if i just upgrade puppetmaster to 2.6.12 and still using old puppet.conf with certdnsnames?
if is work well, after that i upgrade all my agent.
Thank you for any reply.
my host is about hundreds.
Is it ok if i just upgrade puppetmaster to 2.6.12 and still using old puppet.conf with certdnsnames?
if is work well, after that i upgrade all my agent.
Thank you for any reply.
To unsubscribe from this group, send email to puppet-users...@googlegroups.com.
Peter Meier
Oct 26, 2011, 3:57:41 AM10/26/11
to puppet...@googlegroups.com
> Is it ok if i just upgrade puppetmaster to 2.6.12 and still using
> old puppet.conf with certdnsnames?
> old puppet.conf with certdnsnames?
The certdnsnames have been abandonned in favor of a new option:
http://docs.puppetlabs.com/references/stable/configuration.html#certdnsnames
And if your current client certificates contain a master
altSubjectName, you need to rollout a new (from the ground up) CA.
Otherwise you're still subject to a possible attack with old certs.
The notes released by puppetlabs are quite detailed about that:
http://puppetlabs.com/security/cve/cve-2011-3872/
Unfortunately, if you are affected, this issue is *not* fixed by
simply updating a package.
~pete
Reply all
Reply to author
Forward
0 new messages