Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 712198 (CVE-2020-7943) - <app-admin/puppet{server,puppetdb}-6.9.1: Information leak via API endpoints to local network (CVE-2020-7943)
Summary: <app-admin/puppet{server,puppetdb}-6.9.1: Information leak via API endpoints ...
Status: RESOLVED FIXED
Alias: CVE-2020-7943
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://puppet.com/security/cve/CVE-2...
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-11 22:49 UTC by Sam James
Modified: 2020-03-15 01:49 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-03-11 22:49:48 UTC
Description:
"Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which may contain sensitive information) as well as function names and class names. Previously, these endpoints were open to the local network.

PE 2018.1.13 & 2019.4.0, Puppet Server 6.9.1 & 5.3.12, and PuppetDB 6.9.1 & 5.2.13 disable trapperkeeper-metrics /v1 metrics API and only allows /v2 access on localhost by default."
Comment 1 Thomas Deutschmann gentoo-dev Security 2020-03-11 22:54:55 UTC
@ maintainer(s): Please call for stabilization when ready!
Comment 2 Larry the Git Cow gentoo-dev 2020-03-12 01:19:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4d62e24468acfa7aa3b170c7a02e47bdbe6b4ebb

commit 4d62e24468acfa7aa3b170c7a02e47bdbe6b4ebb
Author:     Matthew Thode <prometheanfire@gentoo.org>
AuthorDate: 2020-03-12 01:19:30 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2020-03-12 01:19:46 +0000

    app-admin/puppetdb: stablize 6.9.1 for amd64/x86 for CVE-2020-7943
    
    Bug: https://bugs.gentoo.org/712198
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>

 app-admin/puppetdb/Manifest              |  2 -
 app-admin/puppetdb/puppetdb-6.8.0.ebuild | 92 --------------------------------
 app-admin/puppetdb/puppetdb-6.9.0.ebuild | 87 ------------------------------
 app-admin/puppetdb/puppetdb-6.9.1.ebuild |  2 +-
 4 files changed, 1 insertion(+), 182 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e248bbd4667c50465e9c1fa8517dc073369923b1

commit e248bbd4667c50465e9c1fa8517dc073369923b1
Author:     Matthew Thode <prometheanfire@gentoo.org>
AuthorDate: 2020-03-12 01:17:40 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2020-03-12 01:19:45 +0000

    app-admin/puppetserver: stablize 6.9.1 and cleanup for CVE-2020-7943
    
    Bug: https://bugs.gentoo.org/712198
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>

 app-admin/puppetserver/Manifest                  |   2 -
 app-admin/puppetserver/metadata.xml              |   3 -
 app-admin/puppetserver/puppetserver-6.8.0.ebuild | 135 -----------------------
 app-admin/puppetserver/puppetserver-6.9.0.ebuild | 131 ----------------------
 app-admin/puppetserver/puppetserver-6.9.1.ebuild |   2 +-
 5 files changed, 1 insertion(+), 272 deletions(-)
Comment 3 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2020-03-12 01:20:24 UTC
cleaned up and stablized
Comment 4 Sam James archtester gentoo-dev Security 2020-03-12 01:32:46 UTC
(In reply to Matthew Thode ( prometheanfire ) from comment #3)
> cleaned up and stablized

Excellent, thank you for being so quick.

(Incorrect title was due to my tree not being up to date -- cron is setup now.)
Comment 5 Thomas Deutschmann gentoo-dev Security 2020-03-15 01:49:32 UTC
GLSA Vote: No!

Repository is clean, all done!