[Pkg-puppet-devel] Wheezy update of puppet?

Tue Jun 27 15:53:24 UTC 2017

On 2017-05-24 12:51:54, Apollon Oikonomopoulos wrote:
> On 23:44 Mon 22 May     , Apollon Oikonomopoulos wrote:
>> On 22:53 Sun 21 May     , Ola Lundqvist wrote:
>> > Dear maintainer(s),
>> > 
>> > The Debian LTS team would like to fix the security issues which are
>> > currently open in the Wheezy version of puppet:
>> > https://security-tracker.debian.org/tracker/CVE-2017-2295
>> > 
>> > Would you like to take care of this yourself?
>> > 
>> > If yes, please follow the workflow we have defined here:
>> > https://wiki.debian.org/LTS/Development
>> > 
>> > If that workflow is a burden to you, feel free to just prepare an
>> > updated source package and send it to debian-lts at lists.debian.org
>> > (via a debdiff, or with an URL pointing to the source package,
>> > or even with a pointer to your packaging repository), and the members
>> > of the LTS team will take care of the rest. Indicate clearly whether you
>> > have tested the updated package or not.
>> > 
>> > If you don't want to take care of this update, it's not a problem, we
>> > will do our best with your package. Just let us know whether you would
>> > like to review and/or test the updated package before it gets released.
>> 
>> Thanks for bringing the issue to our attention!
>> 
>> I'll address the issue soon for Sid/Stretch and Jessie, and will try to 
>> fix Wheezy as well. Unfortunately, it looks like the fix for wheezy 
>> might not be trivial; we need to check if the agent will still be able 
>> to send facts to the server, as PSON is not the default format in Puppet 
>> 2.7.
>
> So, from my understanding the version in Wheezy cannot be fixed: the 2.7 
> agents only use YAML to send out facts and upstream's fix is to simply 
> not accept anything other than PSON. Whitelisting YAML defeats the 
> purpose, as it's YAML's deserialization of untrusted data that leads to 
> remote code execution.

Are you sure of this? From what I can tell agents haven't been sending
YAML in a long time. If I understand things correctly, facts are sent in
a format defined by the `preferred_serialization_format`, which
currently (in wheezy) defaults to `pson`. It has been that way since
upstream 1a89455499 (2009-06-03) which seems to have been shipped in
puppet-0.24.5-rc4.

My assertion, at this point, is that clients send facts in PSON, not
YAML, and it's safe to disable other formats. This means, of course,
that *older* clients (!) will break, but I think that's a fair move to
do at this point.

I will work on a package update based on that assumption.

> Any ideas welcome here, but I seriously doubt there's much we can do to 
> be completely safe, other than encourage people to move to 3.7 from 
> wheezy-backports. Puppet 2.7 has been EOL for way too long anyway.

That's true. Unfortunately, porting from 2.7 to 3.7 is non-trivial,
especially for folks that have large manifest collections. So many of
our users are stuck there. We should try and support them as much as we
can.

A.

-- 
Non qui parum habet, sed qui plus cupit, pauper est.
It is not the man who has too little, but the man who craves more,
that is poor.            - Lucius Annaeus Seneca (65 AD)