[Pkg-puppet-devel] Bug#1035541: puppetserver: CVE-2023-1894
Moritz Mühlenhoff
jmm at inutil.org
Fri May 5 08:47:54 BST 2023
Source: puppetserver
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for puppetserver.
CVE-2023-1894[0]:
| A Regular Expression Denial of Service (ReDoS) issue was discovered in
| Puppet Server 7.9.2 certificate validation. An issue related to
| specifically crafted certificate names significantly slowed down
| server operations.
This was fixed in 7.11.0:
https://www.puppet.com/security/cve/cve-2023-1894-puppet-server-redos
But given that in the freeze moving to a new release isn't possible, and
looking at the repo, I think we could just as well backport these
(the underlying PR is https://github.com/puppetlabs/puppetserver/pull/2700):
https://github.com/puppetlabs/puppetserver/commit/545998b71baf70e35dc60c287f2cb2fc11ef9be2 (7.11.0)
https://github.com/puppetlabs/puppetserver/commit/9e0239c19bc852b98c1a63fb33998de7eae388dc (7.11.0)
The bug report is https://tickets.puppetlabs.com/browse/PE-35786, but it's
not accessible (at least to me).
Cheers,
Moritz