Fix for CVE-2012-3867 (puppet) is too restrictive - TLS certificates now break

Marking Triaged, from the upstream bug report, it appears the fix is non-trivial, so while I hope we can fix this in precise, it may not be so simple.

Looks like upstream has a pending release to fix this issue positive testing results from community.

Yes, we're planning to release the fix for this issue in Puppet 3.2 which will hopefully go out as RC1 at the end of this week.

I'm not sure how difficult the backport to 2.7 will be, but we did so a slight refactor after fixing the issue, so it is non-trivial at this point. If you have any questions or concerns please let me know, I'm getting all the updates on this issue directly to my inbox.

-Jeff

Jeff,

I've been searching through the documentation on puppet labs wiki but I am unable to find a tentative release date for 3.2.0. Do you have that information and if the date is set do you mind sharing that with me?

Thank you,
Adam

On Fri, May 10, 2013 at 11:51 AM, Adam Stokes <email address hidden>wrote:

> Jeff,
>
> I've been searching through the documentation on puppet labs wiki but I
> am unable to find a tentative release date for 3.2.0. Do you have that
> information and if the date is set do you mind sharing that with me.
>

The best place to see the list of work targeted at Puppet 3.2.0 is at:
http://projects.puppetlabs.com/projects/puppet/roadmap#3.2.0

We released 3.2.0rc2 this week. If there are no new issues reported ande
introduced by the release of RC2 then we'll release Puppet 3.2.0
approximately 7 days after the release of RC2. As far as I know we haven't
had any reported RC introduced issues, so there's a pretty good chance
we'll release Puppet 3.2.0 sometime during the week of 13 May (next week).

Unfortunately I can't give a specific date, nor is this information I'm
providing authoritative. Eric Sorenson will make the final decision to cut
the release, but we're looking pretty good for next week.

Please keep an eye on the puppet-announce mailing list, which is one of the
places the release announcement will be published.

Hope this helps,
-Jeff

Jeff,

Thanks for the quick response. I'll make sure to monitor the mailing list.

Thanks again,
Adam

3.2.1 is out, once it makes it way into Debian and then Ubuntu archive I'll work on getting a possible backport accepted for Precise, Quantal and Raring.

Thanks
Adam

Puppet 3.2.2 is in Saucy now. Will see how feasible it is to just do a full backport into Precise.

I've started the backport process here: https://bugs.launchpad.net/precise-backports/+bug/1194901

If anyone is interested in testing out the packages on either Precise, Quantal, or Raring and provide feedback on that backport request it would be greatly appreciated! This will also help speed up the backport approval process.

Thank you
Adam

FWIW I don't think you should rely solely on backports for this; if a bug was introduced in -security then it should be fixed through the same channel.

Agreed, however, from previous discussions with the maintainers I was under the impression this wouldn't be a trivial fix for 2.7.x.

Jeff,

Could you comment on that?

Thanks
Adam

I see that the backport request for Precise, Quantal, and Raring has been rejected. Where do we stand with this bug?

> Could you comment on that?

It's not a trivial fix for 2.7.x. Sorry for the late reply.

-Jeff

quantal has seen the end of its life and is no longer receiving any updates. Marking the quantal task for this ticket as "Won't Fix".

raring has seen the end of its life and is no longer receiving any updates. Marking the raring task for this ticket as "Won't Fix".

Fixed in Puppet 3.2.0

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release