712198 – (CVE-2020-7943) <app-admin/puppet{server,puppetdb}-6.9.1: Information leak via API endpoints to local network (CVE-2020-7943)

Bug 712198 (CVE-2020-7943) - <app-admin/puppet{server,puppetdb}-6.9.1: Information leak via API endpoints to local network (CVE-2020-7943)

Summary: <app-admin/puppet{server,puppetdb}-6.9.1: Information leak via API endpoints ...

Status:	RESOLVED FIXED

Alias:	CVE-2020-7943

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	https://puppet.com/security/cve/CVE-2...
Whiteboard:	B4 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2020-03-11 22:49 UTC by Sam James
Modified:	2020-03-15 01:49 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2020-03-11 22:49:48 UTC

Description:
"Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which may contain sensitive information) as well as function names and class names. Previously, these endpoints were open to the local network.

PE 2018.1.13 & 2019.4.0, Puppet Server 6.9.1 & 5.3.12, and PuppetDB 6.9.1 & 5.2.13 disable trapperkeeper-metrics /v1 metrics API and only allows /v2 access on localhost by default."

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev

2020-03-11 22:54:55 UTC

@ maintainer(s): Please call for stabilization when ready!

Comment 2 Larry the Git Cow gentoo-dev

2020-03-12 01:19:51 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4d62e24468acfa7aa3b170c7a02e47bdbe6b4ebb

commit 4d62e24468acfa7aa3b170c7a02e47bdbe6b4ebb
Author:     Matthew Thode <prometheanfire@gentoo.org>
AuthorDate: 2020-03-12 01:19:30 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2020-03-12 01:19:46 +0000

    app-admin/puppetdb: stablize 6.9.1 for amd64/x86 for CVE-2020-7943
    
    Bug: https://bugs.gentoo.org/712198
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>

 app-admin/puppetdb/Manifest              |  2 -
 app-admin/puppetdb/puppetdb-6.8.0.ebuild | 92 --------------------------------
 app-admin/puppetdb/puppetdb-6.9.0.ebuild | 87 ------------------------------
 app-admin/puppetdb/puppetdb-6.9.1.ebuild |  2 +-
 4 files changed, 1 insertion(+), 182 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e248bbd4667c50465e9c1fa8517dc073369923b1

commit e248bbd4667c50465e9c1fa8517dc073369923b1
Author:     Matthew Thode <prometheanfire@gentoo.org>
AuthorDate: 2020-03-12 01:17:40 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2020-03-12 01:19:45 +0000

    app-admin/puppetserver: stablize 6.9.1 and cleanup for CVE-2020-7943
    
    Bug: https://bugs.gentoo.org/712198
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>

 app-admin/puppetserver/Manifest                  |   2 -
 app-admin/puppetserver/metadata.xml              |   3 -
 app-admin/puppetserver/puppetserver-6.8.0.ebuild | 135 -----------------------
 app-admin/puppetserver/puppetserver-6.9.0.ebuild | 131 ----------------------
 app-admin/puppetserver/puppetserver-6.9.1.ebuild |   2 +-
 5 files changed, 1 insertion(+), 272 deletions(-)

Comment 3 Matthew Thode ( prometheanfire ) archtester

2020-03-12 01:20:24 UTC

cleaned up and stablized

Comment 4 Sam James archtester

2020-03-12 01:32:46 UTC

(In reply to Matthew Thode ( prometheanfire ) from comment #3)
> cleaned up and stablized

Excellent, thank you for being so quick.

(Incorrect title was due to my tree not being up to date -- cron is setup now.)

Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev

2020-03-15 01:49:32 UTC

GLSA Vote: No!

Repository is clean, all done!