[Pkg-puppet-devel] Bug#854487: Binary-only package puppet was silently converted into a package shipping and running a service

Alexander Kurtz alexander at kurtz.be
Tue Feb 7 16:36:20 UTC 2017


Package: puppet
Severity: critical
Tags: security
Justification: Potentially opens up a new security hole

Hi!

In the old days, users wanting the puppet binaries but not the puppet
daemon would install the puppet-common but not the puppet package [0].
This changed when puppet 4.5 was uploaded to Debian; from then on the puppet
package contained the binaries and the puppet-agent package contained
the service [1]. This transition was done properly, as the new service
packages would not be installed by default.

However, now somebody decided that it's a good idea to drop the
puppet-agent package and move the service file back to the puppet
package [1]. This is bad, very, very bad. Here's why:

   1. As of today, there is apparently no package shipping only the
      binaries but not the service files.
   2. I have quite a few systems where I occasionally run puppet manually,
      but which should never run puppet automatically.
   3. Those systems began to look for a puppet master at the default
      server address "puppet" recently as the new package version got
      installed.
   4. As a result, anybody with control over DNS could have responded and
      potentially taken over those systems.

Please understand that your change made my and potentially other
people's systems vulnerable without even telling them about it. I urge
you strongly to revert this change!

Best regards

Alexander Kurtz

[0] https://packages.debian.org/source/jessie/puppet
[1] https://tracker.debian.org/news/771535
[2] https://tracker.debian.org/news/833773
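As an added illustration of the exposure described in the report above (this is not part of Alexander's message or of the Debian packaging), a small audit script: it reads puppet.conf the way the agent resolves its `server` setting ([agent] over [main], else the built-in default "puppet") and reports whether an enabled agent service would fall back to looking up the bare name "puppet" in DNS. The sample config texts and the candidate config paths are constructed assumptions.

```python
"""Audit whether a host's Puppet agent would poll the implicit default master."""
import configparser
import os
import subprocess

DEFAULT_SERVER = "puppet"  # Puppet's built-in default for the `server` setting
# Assumed candidate locations of puppet.conf on a Debian host
CONF_PATHS = ["/etc/puppet/puppet.conf", "/etc/puppetlabs/puppet/puppet.conf"]


def configured_server(conf_text: str) -> str:
    """Return the master the agent would contact for the given puppet.conf text.
    The [agent] section overrides [main]; with neither set, Puppet uses 'puppet'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    for section in ("agent", "main"):
        if cp.has_option(section, "server"):
            return cp.get(section, "server").strip()
    return DEFAULT_SERVER


def assess(conf_text: str, agent_enabled: bool) -> str:
    """Classify the exposure from the report: an enabled agent service with no
    explicit server trusts whatever the resolver returns for 'puppet'."""
    server = configured_server(conf_text)
    if not agent_enabled:
        return "ok: agent service disabled"
    if server == DEFAULT_SERVER:
        return "risk: agent enabled and relies on a DNS lookup of 'puppet'"
    return f"check: agent enabled, pinned to {server}"


def service_enabled(unit: str = "puppet") -> bool:
    """Ask systemd whether the unit is enabled (meaningful only on a systemd host)."""
    try:
        res = subprocess.run(["systemctl", "is-enabled", unit],
                             capture_output=True, text=True)
    except FileNotFoundError:
        return False
    return res.stdout.strip() == "enabled"


# Constructed sample configurations used for the self-check below
CONF_DEFAULT = "[main]\nlogdir = /var/log/puppet\n"
CONF_PINNED = "[main]\nlogdir = /var/log/puppet\n\n[agent]\n    server = puppet.internal.example\n"

if __name__ == "__main__":
    found = [p for p in CONF_PATHS if os.path.exists(p)]
    text = open(found[0]).read() if found else CONF_DEFAULT
    print(assess(text, service_enabled()))
```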