[Pkg-puppet-devel] Bug#712745: Bug#712745: Bug#712745: puppet: CVE-2013-3567
Chris Boot
crb at tiger-computing.co.uk
Tue Aug 20 09:22:28 UTC 2013
On 20/08/13 10:02, Raphael Geissert wrote:
> Hi again,
>
> On 31 July 2013 17:43, Chris Boot <crb at tiger-computing.co.uk> wrote:
>> This patch isn't part of 2.7.18-5, which is currently in wheezy. We've
>> had to roll our own update internally that includes the patch in order
>> to correctly process reports from other servers.
>
> Are you sure that this issue wasn't already present before the security update?
> After reviewing all the fields I don't see any extra being added or
> deleted. There is one issue, however, where the report format wasn't
> bumped to version 3 but this comes from upstream:
> http://projects.puppetlabs.com/issues/15739
>
> You could check if that is the issue by modifying
> transaction/report.rb's initialize to @report_format = 3.
Apologies for not sending the debdiff like I said I would. I'll get onto
this now.
We were running 2.7.18-3~bpo60+1 on squeeze without issues. Following
the wheezy upgrade (and going straight to 2.7.18-5) we started seeing
the issues with reports not being processed correctly. The only change I
can attribute this to is the fix for CVE-2013-3567.
The issue was causing reports from squeeze machines (running
2.6.2-5+squeeze6/7/8) to be misparsed by the security-patched wheezy
version of Puppet, causing invalid reports to be stored to disk and sent
to Dashboard. Applying CVE-2013-3567.fixup-for-v3.patch on our Puppet
master causes valid reports to be stored on disk and sent to Dashboard
with no changes to the slave nodes.
HTH,
Chris
--
Chris Boot
Tiger Computing Ltd
"Linux for Business"
Tel: 01600 483 484
Web: http://www.tiger-computing.co.uk
Follow us on Facebook: http://www.facebook.com/TigerComputing
Registered in England. Company number: 3389961
Registered address: Wyastone Business Park,
Wyastone Leys, Monmouth, NP25 3SR
More information about the Pkg-puppet-devel
mailing list