(NOTE: Upstream has requested that distributions not disclose vulnerability until announced on their end - do not make this bug public)
Puppet Labs has discovered a critical vulnerability in the SSL
infrastructure behind Puppet.
This vulnerability is not yet public. Your discretion is required.
# Summary #
An attacker with root-level access to a Puppet agent can use the agent
SSL certificate to impersonate a Puppet Master when communicating with
CVE-2011-3872 has been assigned to this vulnerability.
It will be disclosed with remediation procedures to the general public
24 Oct 2011, at 20:00 UTC.
We realize this is short notice, and we’re available to help in any way we can.
# Risk #
If exploited, this vulnerability would allow an attacker to gain
control of all Puppet-managed nodes signed by the same Certificate
Note that beyond the updated code base, previously signed certificates
in the wild may still expose users to risk. A complete remediation
guide and solution will be made available with the general
announcement of the vulnerability at the following location:
# Fixes #
The easiest solution is to move to the new upstreams available as
2.7.6 or 2.6.12.
Fixing this vulnerability is done with a rather large commit series.
We (Puppet Labs) are happy to help get this patch series applied on
top of your existing packages if your distribution policy mandates you
keep shipping the same version of Puppet. If you require our
assistance, please let us know as soon as possible, and include what
your version is, and what patches (either from Puppet Labs or your
own) that you are currently applying/carrying.
Puppet Labs has patched this vulnerability and will be releasing new
versions of Puppet that include this fix.
Note that these releases are available early for packaging. The
upstream tarballs will be available in our normal download locations
after public announcement, and these links may disappear later next
## Puppet 2.7.x ##
- Puppet 2.7.6 (which was ready to release via our normal process)
includes these fixes.
We are also making available a patch series that applies cleanly via
git am to 2.7.5.
## Puppet 2.6.x ##
- We are releasing Puppet 2.6.12. As with previous security release
fixes for the 2.6.x series, this is simply the last release plus these
## Puppet 0.25.x ##
- We are releasing Puppet 0.25.6. This is not just the last release
plus this security fix as we’ve had some repository housecleaning
issues. If your distro policies mean you cannot adopt this release,
let us know and we’ll try to help with a specific patch. We will need
specific versions to go down this path. Alternatively we can give you
a patch that removes certdnsnames functionality altogether that will
be significantly simpler to provide.
There will be no official announcements made about the release of 0.25.6.
## Puppet 0.24.x ##
- Puppet Labs will only be providing a patch that removes the
certdnsnames option altogether.
## Puppet Enterprise ##
Puppet Enterprise will have hotfixes and updates available as well by
public announcement time.
# Plan of Action #
We ask that you have packages ready to distribute Monday, 24 Oct at
20:00 UTC (13:00 PDT).
If you need any assistance from Puppet Labs to accomplish this,
*please* let us know as early as possible and *we can help*.
Please consider this information CONFIDENTIAL until such time.
Further information will be available at
If you need assistance, or have questions, please let us know.
Release Manager - Puppet Labs
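The Risk section of the advisory notes that certificates signed before the fix remain a concern. As an added example that is not part of the advisory or of Puppet's own tooling, this POSIX shell helper audits signed agent certificates for the CVE-2011-3872 symptom: a subjectAltName carrying DNS names other than the agent's own CN. It assumes an `openssl` CLI (1.1.1 or later); the CA, certificates and hostnames it builds for the demonstration are constructed here.

```shell
#!/bin/sh
# Constructed audit helper (not Puppet Labs code): a certificate signed by a
# master affected by CVE-2011-3872 carries the master's certdnsnames in its
# subjectAltName, so an agent cert whose SAN names anything other than the
# agent itself should be treated as suspect and re-issued.
set -eu

# Print the dNSName entries of a PEM certificate, one per line.
san_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Print the subject CN of a PEM certificate (the agent's certname).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Exit 0 when the SAN holds a DNS name that is not the cert's own CN
# (the CVE-2011-3872 symptom), 1 when the SAN is empty or only names the agent.
agent_cert_suspicious() {
    cn=$(cert_cn "$1")
    san_dns_names "$1" | grep -qvxF -- "$cn"
}

# Report every signed certificate in a directory (e.g. the CA's signed/ dir).
audit_dir() {
    for c in "$1"/*.pem; do
        if agent_cert_suspicious "$c"; then echo "SUSPECT $c"; else echo "ok $c"; fi
    done
}

# Constructed demo material: a throwaway CA plus one agent CSR signed twice,
# once cleanly and once with made-up master names leaked into the SAN.
make_demo_certs() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo-ca' \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=agent1.example.test' \
        -keyout "$d/agent.key" -out "$d/agent.csr" 2>/dev/null
    printf 'subjectAltName=DNS:agent1.example.test\n' >"$d/clean.ext"
    printf 'subjectAltName=DNS:agent1.example.test,DNS:puppet,DNS:puppet.example.test\n' >"$d/vuln.ext"
    for n in clean vuln; do
        openssl x509 -req -in "$d/agent.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
            -CAcreateserial -days 1 -extfile "$d/$n.ext" -out "$d/$n.pem" 2>/dev/null
    done
}
```

Point `audit_dir` at the CA's signed-certificate directory; anything reported as SUSPECT should be re-issued once the upgraded release is in place.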
This time frame is likely too short for a prestabling, but let's try.
matsuu, please prepare an ebuild for 2.6.12 based on the distfile below and attach it to this bug. Do NOT commit anything to CVS until the embargo is lifted. We'll do prestabling on this bug.
This is public now as per $URL.
matsuu, update now directly to CVS please.
*** Bug 388449 has been marked as a duplicate of this bug. ***
2.6.12 and 2.7.6 in cvs.
please mark stable puppet-2.6.12
Arches please test and mark stable:
target KEYWORDS : "amd64 hppa ppc sparc x86"
Stable for HPPA.
amd64 done. Thanks Agostino and Ian
ppc done; closing as last arch
Please do not close the security bug.
Added glsa vote request.
Thanks, everyone. GLSA Vote: yes.
Puppet 2.6.x before 2.6.12 and 2.7.x before 2.7.6, and Puppet Enterprise
(PE) Users 1.0, 1.1, and 1.2 before 1.2.4, when signing an agent
certificate, adds the Puppet master's certdnsnames values to the X.509
Subject Alternative Name field of the certificate, which allows remote
attackers to spoof a Puppet master via a man-in-the-middle (MITM) attack
against an agent that uses an alternate DNS name for the master, aka
On existing GLSA draft.
This issue was resolved and addressed in
GLSA 201203-03 at http://security.gentoo.org/glsa/glsa-201203-03.xml
by GLSA coordinator Sean Amoss (ackle).