Bug 824626 (CVE-2021-27023, CVE-2021-27025)

Summary:	app-admin/puppet, app-admin/puppet-agent: Multiple vulnerabilities
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	IN_PROGRESS ---
Severity:	normal	CC:	graaff, prometheanfire, ruby, sysadmin
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B3 [ebuild]
Package list:		Runtime testing required:	---

Description Sam James archtester

2021-11-19 06:18:21 UTC

CVE-2021-27023 (https://puppet.com/security/cve/CVE-2021-27023):

A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007

CVE-2021-27025 (https://puppet.com/security/cve/cve-2021-27025):

A flaw was discovered in Puppet Agent where the agent may silently ignore Augeas settings or may be vulnerable to a Denial of Service condition prior to the first 'pluginsync'.

(CCing graaff@ because it looks like CVE-2021-27025 affects Puppet 5 too?)

Comment 1 Hans de Graaff gentoo-dev

2021-11-19 07:06:21 UTC

(In reply to Sam James from comment #0)
> CVE-2021-27023 (https://puppet.com/security/cve/CVE-2021-27023):
> 
> A flaw was discovered in Puppet Agent and Puppet Server that may result in a
> leak of HTTP credentials when following HTTP redirects to a different host.
> This is similar to CVE-2018-1000007
> 
> CVE-2021-27025 (https://puppet.com/security/cve/cve-2021-27025):
> 
> A flaw was discovered in Puppet Agent where the agent may silently ignore
> Augeas settings or may be vulnerable to a Denial of Service condition prior
> to the first 'pluginsync'.
> 
> (CCing graaff@ because it looks like CVE-2021-27025 affects Puppet 5 too?)

Yes, looks like Puppet 5 is also affected, with no fixes from upstream. Backporting looks tricky, also because the security fix is part of a larger squashed merge commit so it's hard to tell what is actually needed.