Description: "Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the `default` node, the catalog can be retrieved for a different node by modifying facts for the Puppet run. This issue can be mitigated by setting `strict_hostname_checking = true` in `puppet.conf` on your Puppet master. Puppet 6.13.0 changes the default behavior for strict_hostname_checking from false to true. It is recommended that Puppet Open Source and Puppet Enterprise users that are not upgrading still set strict_hostname_checking to true to ensure secure behavior."

MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7942

Workaround: Change config, as per description: strict_hostname_checking = true
graff will handle 5.x (as he 'owns' those). I'll fast stable the 6.x versions now with removal.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d844c528958bc3ad7361388452ec582dc9ccaf19

commit d844c528958bc3ad7361388452ec582dc9ccaf19
Author: Matthew Thode <prometheanfire@gentoo.org>
AuthorDate: 2020-03-01 02:56:45 +0000
Commit: Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2020-03-01 02:57:17 +0000

    app-admin/puppet: 6.13.0 fast stable for CVE-2020-7942

    With Cleanup

    Bug: https://bugs.gentoo.org/711138
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>

 app-admin/puppet/Manifest | 1 -
 app-admin/puppet/puppet-6.12.0.ebuild | 139 ----------------------------------
 app-admin/puppet/puppet-6.13.0.ebuild | 2 +-
 3 files changed, 1 insertion(+), 141 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5d7c75bf414d90095fc715f10a989b6e27e6228a

commit 5d7c75bf414d90095fc715f10a989b6e27e6228a
Author: Matthew Thode <prometheanfire@gentoo.org>
AuthorDate: 2020-03-01 02:55:32 +0000
Commit: Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2020-03-01 02:57:16 +0000

    app-admin/puppet-agent: 6.13.0 fast stable for CVE-2020-7942

    Has cleanup as well

    Bug: https://bugs.gentoo.org/711138
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>

 app-admin/puppet-agent/Manifest | 2 -
 app-admin/puppet-agent/metadata.xml | 12 +++-
 app-admin/puppet-agent/puppet-agent-6.12.0.ebuild | 77 -----------------------
 app-admin/puppet-agent/puppet-agent-6.13.0.ebuild | 2 +-
 4 files changed, 12 insertions(+), 81 deletions(-)
removing self from bug as my versions are cleaned up
Quoting from the upstream notice:

Affected software versions:
Puppet 6.x prior to 6.13.0
Puppet Agent 6.x prior to 6.13.0

So nothing to be done for puppet 5.x.
GLSA Vote: No! Repository is clean, all done!
Reopening for cleanup. This has been modified since last change.

https://puppet.com/security/cve/CVE-2020-7942/

Affected software versions:
Puppet 6.x prior to 6.13.0
Puppet Agent 6.x prior to 6.13.0
Puppet 5.5.x prior to 5.5.19
Puppet Agent 5.5.x prior to 5.5.19

Resolved in:
Puppet 6.13.0
Puppet Agent 6.13.0
Puppet 5.5.19
Puppet Agent 5.5.19
Since the change we need to clean up a bit:

Available versions: 5.5.17^t ~5.5.18^t ~5.5.19^t ~5.5.19-r1^t 6.13.0^t ~6.14.0

We need to stable 5.5.19 or 5.5.19-r1
CVE-2020-7942 (https://nvd.nist.gov/vuln/detail/CVE-2020-7942):

Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the `default` node, the catalog can be retrieved for a different node by modifying facts for the Puppet run. This issue can be mitigated by setting `strict_hostname_checking = true` in `puppet.conf` on your Puppet master. Puppet 6.13.0 and 5.5.19 changes the default behavior for strict_hostname_checking from false to true. It is recommended that Puppet Open Source and Puppet Enterprise users that are not upgrading still set strict_hostname_checking to true to ensure secure behavior.

Affected software versions:
Puppet 6.x prior to 6.13.0
Puppet Agent 6.x prior to 6.13.0
Puppet 5.5.x prior to 5.5.19
Puppet Agent 5.5.x prior to 5.5.19

Resolved in:
Puppet 6.13.0
Puppet Agent 6.13.0
Puppet 5.5.19
Puppet Agent 5.5.19
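A check for the mitigation described in the CVE text above, added here as an illustration and not part of the bug report or of Puppet itself: it works out the value of `strict_hostname_checking` a master would use from its `puppet.conf` and installed version. The function names and the sample config are constructed, and treating every release outside the listed fixed versions as defaulting to false is a conservative assumption.

```python
import re

# Constructed puppet.conf for illustration; not taken from the bug report.
SAMPLE_CONF = """\
[main]
certname = puppet.example.test
strict_hostname_checking = true
[master]
strict_hostname_checking = false
"""

def read_settings(text):
    """Parse puppet.conf text into {section: {setting: value}}."""
    sections, current = {}, "main"  # assumption: stray settings count as [main]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
        elif "=" in line:
            key, value = line.split("=", 1)
            sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections

def default_strict(version):
    """Version default per the advisory: true from 6.13.0, and from 5.5.19 on 5.5.x."""
    v = tuple(int(n) for n in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())
    if v[:2] == (5, 5):
        return v >= (5, 5, 19)
    return v >= (6, 13, 0)  # assumption: other pre-6.13.0 releases default to false

def effective_strict(conf_text, version):
    """Return (value, source) of strict_hostname_checking as the master sees it."""
    sections = read_settings(conf_text)
    for name in ("master", "main"):  # [master] overrides [main]
        value = sections.get(name, {}).get("strict_hostname_checking")
        if value is not None:
            return value.lower() == "true", "[%s]" % name
    return default_strict(version), "version default"

if __name__ == "__main__":
    for ver in ("5.5.18", "5.5.19-r1", "6.12.0", "6.13.0"):
        print(ver, "no setting ->", effective_strict("[main]\n", ver))
    print("6.13.0 sample ->", effective_strict(SAMPLE_CONF, "6.13.0"))
```

The constructed sample shows the case an upgrade alone does not fix: an explicit `false` in `[master]` still wins on 6.13.0.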
The earlier list of affected versions never listed 5.5 versions so they were not included in the stable report.
amd64 stable
x86 stable. Maintainer(s), please cleanup.
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Cleanup done.