[Pkg-puppet-devel] puppet packages ready for testing

Antoine Beaupré anarcat at orangeseeds.org
Tue Jun 27 17:38:32 UTC 2017


Hi,

Considering the [discussion][1] surrounding the possibility of
backporting the upstream patch for [CVE-2017-2295][2], I have made
Puppet packages available for testing at the [usual location][3]
(debdiff attached).

 [1]: https://lists.debian.org/20170524095154.5ooj6inyeg643xas@marvin.dmesg.gr
 [2]: https://security-tracker.debian.org/tracker/CVE-2017-2295
 [3]: https://people.debian.org/~anarcat/debian/wheezy-lts/

Those can be fetched and verified with:

    dget https://people.debian.org/~anarcat/debian/wheezy-lts/puppet_2.7.23-1~deb7u4_amd64.changes

The packages above update *both* the master and the clients, and *both*
need to be updated for infrastructure to keep on working: with the
proposed changes, the puppetmaster will refuse unpatched 2.7 clients
since they send YAML instead of PSON facts. The packages include a patch
for clients to flip them to PSON as well. Clients running 3.2.3 or later
should send the proper serialization format. Rationale for this change
is explained in this [email][4].

 [4]: https://lists.debian.org/87mv8te5jv.fsf@curie.anarc.at

I have tried to see if the test suite passes, but unfortunately, it was
already failing in wheezy-security *before* I applied the upstream
patches:

    524 tests, 1717 assertions, 2 failures, 768 errors, 0 skips

The good news is that the number of failures remains the same after the
patch is applied, so there are no catastrophic failures.

A friendly organisation (Koumbit.org, ex-employer) was nice enough to
let me test the puppetmaster packages on their servers, and it seems the
change didn't break anything on their side, as long as clients are also
upgraded. Out-of-date clients will see the following error while
fetching the catalog:

    err: Could not retrieve catalog from remote server: Error 400 on SERVER: Unsupported facts format: b64_zlib_yaml

Considering the severity of this issue and how long it's been stalled, I
plan on uploading this by the end of the week unless someone objects.

A.

-- 
Men often become what they believe themselves to be. If I believe I
cannot do something, it makes me incapable of doing it. But when I
believe I can, then I acquire the ability to do it even if I didn't
have it in the beginning.
                         - Mahatma Gandhi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: puppet_2.7.23-1~deb7u4.debdiff
Type: text/x-diff
Size: 6530 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-puppet-devel/attachments/20170627/6c52a633/attachment.diff>
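
The server-side behaviour described in the message (facts in any format other than PSON are refused with an error 400), sketched as an added example that is not part of the original email, the debdiff or Puppet's code. The names `decode_facts` and `handle_upload` are hypothetical, and Ruby's standard JSON parser stands in for PSON as an assumption.

```ruby
require 'json'

# Illustration only: hypothetical names, not Puppet's implementation.
class UnsupportedFactsFormat < StandardError; end

# Formats the server is willing to parse. Anything absent from this table,
# including yaml and b64_zlib_yaml, is refused before its body is touched.
# Assumption: JSON.parse stands in for the PSON parser.
ALLOWED_FACT_FORMATS = { 'pson' => ->(body) { JSON.parse(body) } }.freeze

# The format name comes from the client, so it is matched exactly against
# the allowlist instead of being used to pick a deserializer dynamically.
def decode_facts(format, body)
  parser = ALLOWED_FACT_FORMATS[format.to_s]
  raise UnsupportedFactsFormat, "Unsupported facts format: #{format}" unless parser

  facts = parser.call(body)
  # A data-only parser can still return the wrong shape; insist on an object.
  raise ArgumentError, 'facts must be an object' unless facts.is_a?(Hash)

  facts
end

# Map the outcome to the status and message a client would see.
def handle_upload(format, body)
  [200, decode_facts(format, body)]
rescue UnsupportedFactsFormat, ArgumentError, JSON::ParserError => e
  [400, e.message]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample uploads: one unpatched 2.7 client, one patched client.
  sample = '{"name":"client1.example.org","values":{"osfamily":"Debian"}}'
  p handle_upload('b64_zlib_yaml', 'opaque-body')
  p handle_upload('pson', sample)
end
```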

