No security release provided in Lucid for CVE-2013-3567

Bug #1192367 reported by Alex Vandiver
Affects: puppet (Ubuntu) | Status: Won't Fix | Importance: Undecided | Assigned to: Unassigned

Bug Description

Lucid's version of puppet is listed as "ignored (reached end-of-life)" on the CVE tracking page for CVE-2013-3567 [1]. However, Ubuntu Lucid has not reached end-of-life for the server release -- indeed, `apt-cache show puppet` shows "Supported: 5y". The Ubuntu wiki[2] states that Ubuntu Server LTS supports "security updates and select bug fixes (5 years) -- This is defined as the union of the server-ship and supported-server seeds." Checking the seed file[3], I find that puppet is indeed listed in the server-ship seed.

On IRC, I was pointed to ~ubuntu-security/ubuntu-cve-tracker/lucid-supported.txt as the master list of supported packages. How is this list generated, if not as documented under Ubuntu's support policies? I also note that the header line in that file is misleading or incorrect, and should probably read "...are unsupported starting May 9, 2013" if that is the intent.

Regardless, either the Lucid release of puppet should gain a security release for CVE-2013-3567, or Ubuntu should update their documentation in numerous places as to what packages are considered "supported" as part of Lucid server LTS.

[1] http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-3567.html
[2] https://wiki.ubuntu.com/SeedManagement#Maintenance_Period
[3] http://people.canonical.com/~ubuntu-archive/germinate-output/ubuntu.lucid/server-ship.seed
[4] http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/lucid-supported.txt
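As an added example (not part of this bug report or of Ubuntu's own tooling), the following script automates the cross-check the reporter did by hand: it parses `apt-cache show` output and flags packages whose metadata claims "Supported: 5y" but whose source package is absent from the security team's authoritative list. The `apt-cache` stanzas and the list contents are constructed samples, and the one-source-package-per-line format assumed for lucid-supported.txt is an assumption.

```python
"""Cross-check 'Supported:' from `apt-cache show` against the security team's list."""
import re

# Constructed sample of `apt-cache show` output, not real Lucid metadata.
SAMPLE_APT_CACHE = """\
Package: puppet
Source: puppet
Supported: 5y

Package: openssh-server
Source: openssh (1:5.3p1-3ubuntu7)
Supported: 5y

Package: libfoo1
Source: foo
Supported: 3y
"""

# Constructed stand-in for lucid-supported.txt. Assumption: one source
# package name per line; blank lines and '#' comments are ignored.
SAMPLE_SUPPORTED_LIST = """\
# Source packages supported by the security team for 5 years (constructed)
openssh
apache2
"""

def parse_apt_cache(text):
    """Yield one dict of header fields per stanza of `apt-cache show` output."""
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line and not line.startswith(" "):
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if "Package" in fields:
            # The list is keyed by source package; drop any "(version)" after the name.
            fields["_source"] = fields.get("Source", fields["Package"]).split()[0]
            yield fields

def parse_supported_list(text):
    """Return the set of source package names in the supported list."""
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}

def unsupported_claims(apt_text, list_text):
    """Sorted binary packages claiming 'Supported: 5y' whose source is not on the list."""
    supported = parse_supported_list(list_text)
    return sorted(p["Package"] for p in parse_apt_cache(apt_text)
                  if p.get("Supported") == "5y" and p["_source"] not in supported)
```

On the sample data `unsupported_claims(SAMPLE_APT_CACHE, SAMPLE_SUPPORTED_LIST)` returns `['puppet']`: openssh-server maps to the listed source package openssh, and libfoo1 never claimed 5-year support.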

Robie Basak (racb) wrote:

Thank you for your report. I've asked a member of the security team to clarify.

summary: - No security release provided for CVE-2013-3567
+ No security release provided in Lucid for CVE-2013-3567
information type: Public → Public Security
Marc Deslauriers (mdeslaur) wrote:

Thanks, we've fixed the date at the top of the file.

That file is the authoritative list of packages supported by the security team, and contains the list the packages we deemed able to support for 5 years instead of the base 3 years.

The puppet version in Lucid is ancient, is no longer supported by upstream, and is substantially different from the puppet patches provided for later versions. Even if it was on the list, we wouldn't be able to update it since the recent security fixes have rewritten large parts of code.

If migrating to a later LTS release isn't possible, I suggest perhaps using the upstream packages available from Puppet Labs.

Marc Deslauriers (mdeslaur) wrote:

I'll also investigate if we can get the puppet version from Precise into lucid-backports.

Alex Vandiver (alexmv) wrote: Re: [Bug 1192367] Re: No security release provided in Lucid for CVE-2013-3567

On Wed, 2013-06-19 at 11:55 +0000, Marc Deslauriers wrote:
> That file is the authoritative list of packages supported by the
> security team, and contains the list the packages we deemed able to
> support for 5 years instead of the base 3 years.

Understood, and not unreasonable. However, I did not find this clear in
the support announcements, or the documentation -- and I expect I am not
alone in this expectation. Did I misunderstand the "Supported" property
listed in dpkg and the "Maintenance Period" documentation from the wiki?
What can I do to help clarify the documentation of this limited security
support? Alternately, can you point me towards where this policy is
already documented?

As a follow-up question: in Precise, the server and desktop editions
both receive support for 5 years. Does this mean that Precise will
support all packages for 5 years, or is there a similarly limited set of
packages for which support will be provided?

> The puppet version in Lucid is ancient, is no longer supported by
> upstream, and is substantially different from the puppet patches
> provided for later versions. Even if it was on the list, we wouldn't be
> able to update it since the recent security fixes have rewritten large
> parts of code.
>
> If migrating to a later LTS release isn't possible, I suggest perhaps
> using the upstream packages available from Puppet Labs.

It's scheduled for next month, but that was based on the assumption that
security patches were still being supplied for all of the installed
software. It is notably complicated by the property that configuration
files from Puppet 0.25 (from Lucid) and 2.7 (from Precise) are neither
forward- nor backward-compatible, and thus requires coordinating the
upgrade across the puppetmaster server as well as all client machines
simultaneously.

> I'll also investigate if we can get the puppet version from
> Precise into lucid-backports.

Perhaps useful to others, but we plan on simply upgrading to a later
LTS, so not necessary for our site.

 - Alex

Marc Deslauriers (mdeslaur) wrote:

On 13-06-20 01:58 PM, Alex Vandiver wrote:
> On Wed, 2013-06-19 at 11:55 +0000, Marc Deslauriers wrote:
>> That file is the authoritative list of packages supported by the
>> security team, and contains the list the packages we deemed able to
>> support for 5 years instead of the base 3 years.
>
> Understood, and not unreasonable. However, I did not find this clear in
> the support announcements, or the documentation -- and I expect I am not
> alone in this expectation. Did I misunderstand the "Supported" property
> listed in dpkg and the "Maintenance Period" documentation from the wiki?
> What can I do to help clarify the documentation of this limited security
> support? Alternately, can you point me towards where this policy is
> already documented?

Yes, we realized that the exact list wasn't very exposed in locations
where people would look. I've now added it to the Lucid release manifest
wiki page, which is linked from the releases wiki page:

https://wiki.ubuntu.com/LucidLynx/ReleaseManifest

Unfortunately, the "Supported" property doesn't work well for releases
that have different desktop and server support periods. We're working on
a more complete database that will allow us to detail what packages are
supported, and by whom. Thankfully, more recent releases have a
consistent support period.

>
> As a follow-up question: in Precise, the server and desktop editions
> both receive support for 5 years. Does this mean that Precise will
> support all packages for 5 years, or is there a similarly limited set of
> packages for which support will be provided?

Everything in the "main" component will be supported by the security
team for 5 years.

Marc.

Alex Vandiver (alexmv) wrote:

On Thu, 2013-06-20 at 18:13 +0000, Marc Deslauriers wrote:
> Yes, we realized that the exact list wasn't very exposed in locations
> where people would look. I've now added it to the Lucid release manifest
> wiki page, which is linked from the releases wiki page:
>
> https://wiki.ubuntu.com/LucidLynx/ReleaseManifest

Given the below, it might be worth noting that that link only applies to
Lucid server LTS; since, going forward for Precise and later, LTS means
"main" for 5 years. While it's not the

> Unfortunately, the "Supported" property doesn't work well for releases
> that have different desktop and server support periods. We're working on
> a more complete database that will allow us to detail what packages are
> supported, and by whom. Thankfully, more recent releases have a
> consistent support period.

Right, which is why I asked the follow-up question. It's not worth
belaboring the point overly if it's only relevant for Lucid.
 - Alex

Marc Deslauriers (mdeslaur) wrote:

Since there is no actionable item, I am marking this bug as "Won't fix."
Thanks.

information type: Public Security → Public
Changed in puppet (Ubuntu):
status: New → Won't Fix