Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 711138 (CVE-2020-7942) - <app-admin/puppet-6.13.0: Inadequate certificate verification (CVE-2020-7942)
Summary: <app-admin/puppet-6.13.0: Inadequate certificate verification (CVE-2020-7942)
Status: RESOLVED FIXED
Alias: CVE-2020-7942
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://puppet.com/security/cve/CVE-2...
Whiteboard: B4 [noglsa cve cleanup]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-01 02:16 UTC by Sam James
Modified: 2020-05-04 17:56 UTC (History)
3 users (show)

See Also:
Package list:
app-admin/puppet-5.5.19-r1
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-03-01 02:16:04 UTC
Description:
"Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the `default` node, the catalog can be retrieved for a different node by modifying facts for the Puppet run. This issue can be mitigated by setting `strict_hostname_checking = true` in `puppet.conf` on your Puppet master. Puppet 6.13.0 changes the default behavior for strict_hostname_checking from false to true. It is recommended that Puppet Open Source and Puppet Enterprise users that are not upgrading still set strict_hostname_checking to true to ensure secure behavior."

MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7942

Workaround: Change config, as per description: strict_hostname_checking = true
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2020-03-01 02:53:20 UTC
graff will handle 5.x (as he 'owns' those).  I'll fast stable the 6.x versions now with removal.
Comment 2 Larry the Git Cow gentoo-dev 2020-03-01 02:57:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d844c528958bc3ad7361388452ec582dc9ccaf19

commit d844c528958bc3ad7361388452ec582dc9ccaf19
Author:     Matthew Thode <prometheanfire@gentoo.org>
AuthorDate: 2020-03-01 02:56:45 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2020-03-01 02:57:17 +0000

    app-admin/puppet: 6.13.0 fast stable for CVE-2020-7942
    
    With Cleanup
    
    Bug: https://bugs.gentoo.org/711138
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>

 app-admin/puppet/Manifest             |   1 -
 app-admin/puppet/puppet-6.12.0.ebuild | 139 ----------------------------------
 app-admin/puppet/puppet-6.13.0.ebuild |   2 +-
 3 files changed, 1 insertion(+), 141 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5d7c75bf414d90095fc715f10a989b6e27e6228a

commit 5d7c75bf414d90095fc715f10a989b6e27e6228a
Author:     Matthew Thode <prometheanfire@gentoo.org>
AuthorDate: 2020-03-01 02:55:32 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2020-03-01 02:57:16 +0000

    app-admin/puppet-agent: 6.13.0 fast stable for CVE-2020-7942
    
    Has cleanup as well
    
    Bug: https://bugs.gentoo.org/711138
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>

 app-admin/puppet-agent/Manifest                   |  2 -
 app-admin/puppet-agent/metadata.xml               | 12 +++-
 app-admin/puppet-agent/puppet-agent-6.12.0.ebuild | 77 -----------------------
 app-admin/puppet-agent/puppet-agent-6.13.0.ebuild |  2 +-
 4 files changed, 12 insertions(+), 81 deletions(-)
Comment 3 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2020-03-01 02:58:00 UTC
removing self from bug as my versions are cleaned up
Comment 4 Hans de Graaff gentoo-dev 2020-03-01 07:42:48 UTC
Quoting from the upstream notice:

Affected software versions:

    Puppet 6.x prior to 6.13.0
    Puppet Agent 6.x prior to 6.13.0

So nothing to be done for puppet 5.x.
Comment 5 Thomas Deutschmann gentoo-dev Security 2020-03-02 22:26:54 UTC
GLSA Vote: No!

Repository is clean, all done!
Comment 6 Yury German Gentoo Infrastructure gentoo-dev Security 2020-04-11 18:52:27 UTC
Reopening for cleanup.
This has been modified since last change.
https://puppet.com/security/cve/CVE-2020-7942/

Affected software versions:
Puppet 6.x prior to 6.13.0
Puppet Agent 6.x prior to 6.13.0
Puppet 5.5.x prior to 5.5.19
Puppet Agent 5.5.x prior to 5.5.19
Resolved in:

Puppet 6.13.0
Puppet Agent 6.13.0
Puppet 5.5.19
Puppet Agent 5.5.19
Comment 7 Yury German Gentoo Infrastructure gentoo-dev Security 2020-04-11 18:54:55 UTC
Since the change we need to clean up a bit:
Available versions:  5.5.17^t ~5.5.18^t ~5.5.19^t ~5.5.19-r1^t 6.13.0^t ~6.14.0

We need to stable 5.5.19 or 5.5.19-r1
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2020-04-11 18:55:41 UTC
CVE-2020-7942 (https://nvd.nist.gov/vuln/detail/CVE-2020-7942):
  Previously, Puppet operated on a model that a node with a valid certificate
  was entitled to all information in the system and that a compromised
  certificate allowed access to everything in the infrastructure. When a
  node's catalog falls back to the `default` node, the catalog can be
  retrieved for a different node by modifying facts for the Puppet run. This
  issue can be mitigated by setting `strict_hostname_checking = true` in
  `puppet.conf` on your Puppet master. Puppet 6.13.0 and 5.5.19 changes the
  default behavior for strict_hostname_checking from false to true. It is
  recommended that Puppet Open Source and Puppet Enterprise users that are not
  upgrading still set strict_hostname_checking to true to ensure secure
  behavior. Affected software versions: Puppet 6.x prior to 6.13.0 Puppet
  Agent 6.x prior to 6.13.0 Puppet 5.5.x prior to 5.5.19 Puppet Agent 5.5.x
  prior to 5.5.19 Resolved in: Puppet 6.13.0 Puppet Agent 6.13.0 Puppet 5.5.19
  Puppet Agent 5.5.19
Comment 9 Hans de Graaff gentoo-dev 2020-04-12 07:28:28 UTC
The earlier list of affected versions never listed 5.5 versions so there were not included in the stable report.
Comment 10 Agostino Sarubbo gentoo-dev 2020-04-13 16:06:57 UTC
amd64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-04-14 12:33:43 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 12 NATTkA bot gentoo-dev 2020-04-14 12:36:41 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 13 Hans de Graaff gentoo-dev 2020-04-15 04:21:35 UTC
Cleanup done.