Fix for CVE-2012-3867 (puppet) is too restrictive - TLS certificates now break
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
puppet (Ubuntu) | Fix Released | High | Unassigned |
Precise | Won't Fix | High | Unassigned |
Quantal | Won't Fix | High | Unassigned |
Raring | Won't Fix | High | Unassigned |
Bug Description
1. Description of the problem:
On 12.04, for package 'puppet', the fix (contained in version 2.7.11-1ubuntu2.1) for CVE-2012-3867 [1] involves validating TLS certificate CSR field (Common Name) for “weird” characters. However, the check is too restrictive and is causing negotiation failure with legitimately-
===
warning: peer certificate won't be verified in this SSL session
err: Could not request certificate: Certname "/c=mlkambi root certificate authority" must not contain unprintable or non-ASCII characters
Exiting; failed to retrieve certificate and waitforcert is disabled
===
Here, puppet is choking on the '/' and maybe the '=' character.
The issue has been confirmed in an upstream bug [2].
[1]: http://
[2]: http://
2. Ubuntu release, software version, Release Number and Architecture of the selected components.
Ubuntu 12.04
puppet-
amd64
3. How reproducible is the problem?
100%
5. Known Workaround:
downgrade to puppet-
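To see which character of the reported certname such a check actually trips on, here is an added example, not Puppet's own code and not part of the bug report, of a certname validator that emits the same error text as the agent output above. The regex `VALID_CERTNAME`, the `InvalidCertname` class and the helper names are assumptions modelled on the error message: the rule accepts printable ASCII (space through `~`) except `/`, and rejects control and non-ASCII characters.

```ruby
# Illustrative certname check in the spirit of the CVE-2012-3867 fix.
# ASSUMPTION: this regex is not Puppet's source; it is modelled on the
# error text in the report. It allows printable ASCII (0x20..0x7E) except
# '/', which a file-name-based certificate store must not contain, and
# rejects everything else (control characters, non-ASCII).
VALID_CERTNAME = /\A[ -.0-~]+\z/

# Hypothetical error class for the example.
class InvalidCertname < StandardError; end

# Returns the name if acceptable; otherwise raises with the wording seen
# in the puppet agent output quoted in the bug report.
def validate_certname(name)
  unless name =~ VALID_CERTNAME
    raise InvalidCertname,
          "Certname #{name.inspect} must not contain unprintable or non-ASCII characters"
  end
  name
end

# Lists the distinct characters of a name that the rule rejects. Useful
# when the message only says "unprintable or non-ASCII" but every visible
# character looks ordinary, as with the '/' in the reported CA subject.
def rejected_chars(name)
  name.each_char.reject { |c| c =~ VALID_CERTNAME }.uniq
end

def certname_valid?(name)
  validate_certname(name)
  true
rescue InvalidCertname
  false
end

if __FILE__ == $0
  # Constructed sample names for the demonstration.
  samples = [
    "puppet.example.com",                     # ordinary agent certname
    "/c=mlkambi root certificate authority",  # CA subject from the bug report
    "agent\u00e9.example.com",                # non-ASCII: the case the fix targets
    "agent\tname",                            # control character: also targeted
  ]
  samples.each do |s|
    bad = rejected_chars(s)
    puts "#{s.inspect}: #{bad.empty? ? 'accepted' : "rejected on #{bad.inspect}"}"
  end
end
```

Run stand-alone, the script reports the bug's CA subject as rejected solely on `/`; `=` is within the printable range and passes under this rule, which matches the reporter's reading that the slash is the offending character.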
CVE References
Changed in puppet (Ubuntu): milestone: ubuntu-12.04.2 → none
Marking Triaged; from the upstream bug report, it appears the fix is non-trivial, so while I hope we can fix this in precise, it may not be so simple.