Date | Who | What changed | Old value | New value | Message
2011-09-28 07:10:01 | Dave Walker | bug | | | added bug
2011-09-28 07:12:31 | Dave Walker | nominated for series | | Ubuntu Hardy |
2011-09-28 07:12:31 | Dave Walker | bug task added | | puppet (Ubuntu Hardy) |
2011-09-28 07:12:31 | Dave Walker | nominated for series | | Ubuntu Lucid |
2011-09-28 07:12:31 | Dave Walker | bug task added | | puppet (Ubuntu Lucid) |
2011-09-28 07:12:31 | Dave Walker | nominated for series | | Ubuntu Maverick |
2011-09-28 07:12:31 | Dave Walker | bug task added | | puppet (Ubuntu Maverick) |
2011-09-28 07:12:31 | Dave Walker | nominated for series | | Ubuntu Oneiric |
2011-09-28 07:12:31 | Dave Walker | bug task added | | puppet (Ubuntu Oneiric) |
2011-09-28 07:12:31 | Dave Walker | nominated for series | | Ubuntu Natty |
2011-09-28 07:12:31 | Dave Walker | bug task added | | puppet (Ubuntu Natty) |
2011-09-28 07:13:07 | Dave Walker | bug | | | added subscriber Marc Cluet
2011-09-28 12:59:24 | Jamie Strandboge | puppet (Ubuntu Lucid): status | New | In Progress |
2011-09-28 12:59:25 | Jamie Strandboge | puppet (Ubuntu Lucid): importance | Undecided | High |
2011-09-28 12:59:26 | Jamie Strandboge | puppet (Ubuntu Lucid): assignee | | Jamie Strandboge (jdstrand) |
2011-09-28 12:59:27 | Jamie Strandboge | puppet (Ubuntu Maverick): status | New | In Progress |
2011-09-28 12:59:27 | Jamie Strandboge | puppet (Ubuntu Maverick): importance | Undecided | High |
2011-09-28 12:59:28 | Jamie Strandboge | puppet (Ubuntu Maverick): assignee | | Jamie Strandboge (jdstrand) |
2011-09-28 12:59:28 | Jamie Strandboge | puppet (Ubuntu Natty): status | New | In Progress |
2011-09-28 12:59:28 | Jamie Strandboge | puppet (Ubuntu Natty): importance | Undecided | High |
2011-09-28 12:59:29 | Jamie Strandboge | puppet (Ubuntu Natty): assignee | | Jamie Strandboge (jdstrand) |
2011-09-28 12:59:29 | Jamie Strandboge | puppet (Ubuntu Oneiric): status | New | In Progress |
2011-09-28 12:59:30 | Jamie Strandboge | puppet (Ubuntu Oneiric): importance | Undecided | High |
2011-09-28 12:59:31 | Jamie Strandboge | puppet (Ubuntu Oneiric): assignee | | Jamie Strandboge (jdstrand) |
2011-09-28 12:59:31 | Jamie Strandboge | puppet (Ubuntu Hardy): status | New | In Progress |
2011-09-28 12:59:32 | Jamie Strandboge | puppet (Ubuntu Hardy): importance | Undecided | High |
2011-09-28 12:59:32 | Jamie Strandboge | puppet (Ubuntu Hardy): assignee | | Jamie Strandboge (jdstrand) |
2011-09-28 13:00:52 | Jamie Strandboge | puppet (Ubuntu Oneiric): milestone | | ubuntu-11.10 |
2011-09-28 13:24:52 | Marc Cluet | bug | | | added subscriber Michael Stahnke
2011-09-28 13:43:19 | Jamie Strandboge | puppet (Ubuntu Hardy): status | In Progress | Incomplete |
2011-09-28 13:43:19 | Jamie Strandboge | puppet (Ubuntu Hardy): assignee | Jamie Strandboge (jdstrand) | |
2011-09-28 13:44:04 | Jamie Strandboge | puppet (Ubuntu Hardy): importance | High | Undecided |
2011-09-28 14:06:35 | Jamie Strandboge | puppet (Ubuntu Lucid): status | In Progress | Fix Committed |
2011-09-28 14:06:36 | Jamie Strandboge | puppet (Ubuntu Maverick): status | In Progress | Fix Committed |
2011-09-28 14:06:36 | Jamie Strandboge | puppet (Ubuntu Natty): status | In Progress | Fix Committed |
2011-09-28 14:06:37 | Jamie Strandboge | puppet (Ubuntu Oneiric): status | In Progress | Fix Committed |
2011-09-28 14:08:22 | Jamie Strandboge | attachment added | | puppet_2.7.1-1ubuntu2.debdiff https://bugs.launchpad.net/ubuntu/hardy/+source/puppet/+bug/861182/+attachment/2474616/+files/puppet_2.7.1-1ubuntu2.debdiff |
2011-09-28 14:08:45 | Jamie Strandboge | attachment added | | puppet_2.6.4-2ubuntu2.1.debdiff https://bugs.launchpad.net/ubuntu/hardy/+source/puppet/+bug/861182/+attachment/2474617/+files/puppet_2.6.4-2ubuntu2.1.debdiff |
2011-09-28 14:09:08 | Jamie Strandboge | attachment added | | puppet_2.6.1-0ubuntu2.1.debdiff https://bugs.launchpad.net/ubuntu/hardy/+source/puppet/+bug/861182/+attachment/2474618/+files/puppet_2.6.1-0ubuntu2.1.debdiff |
2011-09-28 14:09:28 | Jamie Strandboge | attachment added | | puppet_0.25.4-2ubuntu6.2.debdiff https://bugs.launchpad.net/ubuntu/hardy/+source/puppet/+bug/861182/+attachment/2474619/+files/puppet_0.25.4-2ubuntu6.2.debdiff |
2011-09-28 19:05:14 | Jamie Strandboge | puppet (Ubuntu Hardy): status | Incomplete | Confirmed |
2011-09-28 19:05:18 | Jamie Strandboge | puppet (Ubuntu Hardy): importance | Undecided | High |
2011-09-28 19:08:23 | Jamie Strandboge | attachment removed | puppet_2.6.4-2ubuntu2.1.debdiff https://bugs.launchpad.net/ubuntu/hardy/+source/puppet/+bug/861182/+attachment/2474617/+files/puppet_2.6.4-2ubuntu2.1.debdiff | |
2011-09-28 19:09:23 | Jamie Strandboge | attachment added | | puppet_2.6.4-2ubuntu2.2.debdiff https://bugs.launchpad.net/ubuntu/hardy/+source/puppet/+bug/861182/+attachment/2476064/+files/puppet_2.6.4-2ubuntu2.2.debdiff |
2011-09-29 02:03:50 | Launchpad Janitor | puppet (Ubuntu Oneiric): status | Fix Committed | Fix Released |
2011-09-29 02:03:50 | Launchpad Janitor | cve linked | | 2011-3848 |
2011-09-29 02:03:50 | Launchpad Janitor | puppet (Ubuntu Natty): status | Fix Committed | Fix Released |
2011-09-29 02:03:50 | Launchpad Janitor | puppet (Ubuntu Maverick): status | Fix Committed | Fix Released |
2011-09-29 02:03:50 | Launchpad Janitor | puppet (Ubuntu Lucid): status | Fix Committed | Fix Released |
2011-09-29 02:16:22 | Launchpad Janitor | branch linked | | lp:ubuntu/maverick-security/puppet |
2011-09-29 02:16:25 | Launchpad Janitor | branch linked | | lp:ubuntu/natty-security/puppet |
2011-09-29 02:16:27 | Launchpad Janitor | branch linked | | lp:ubuntu/puppet |
2011-09-29 02:16:28 | Launchpad Janitor | branch linked | | lp:ubuntu/lucid-security/puppet |
2011-09-29 17:13:00 | Jamie Strandboge | bug | | | added subscriber LaMont Jones
2011-09-29 17:14:02 | Jamie Strandboge | description | (old value below) | (new value below) |

Old value:

From: Michael Stahnke <REDACTED>
Subject: High severity vulnerability found in Puppet (CVE-2011-3848) [not yet public]
Date: 27 September 2011 20:29:25 EDT
To: <REDACTED>

There has been a critical vulnerability discovered in Puppet
(CVE-2011-3848). Puppet Labs is currently working with distribution
maintainers, as well as key customers to ensure we are able to patch
this vulnerability before it is exploited.

The CVE and issue have not been made public yet. We appreciate
your discretion at this time.

# Explanation #

Kristian Erik Hermansen <kristian.hermansen@gmail.com> reported that
an unauthenticated directory traversal could drop any valid X.509
Certificate Signing Request at any location on disk, with the
privileges of the Puppet Master application. This was found in the
2.7 series of Puppet, but the underlying vulnerability existed in
earlier releases and could be accessed with different hostile inputs.
There are also some additional quirks of input handling that make it
easier to obfuscate the input.

To exploit on 2.7 a valid CSR is sent as a PUT request:

"""
$ curl -k -X PUT -H "Content-Type: text/plain" --data-binary @data \
  https://puppetmaster:8140/production/certificate_request/%252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252Ftmp%252Fpoison
"""

This exploits an input quirk where the "key" in the URI is
double-decoded; this would also work for a single URI-encoded input
string.

On 2.6 this is ignored, but the CN in the Subject of the CSR is used
in the same way, and could be exploited to drop the CSR content at an
arbitrary location on disk. The suffix ".pem" is always appended to
the location.

In the 0.25 series the same CN-based injection can occur, as the
underlying flaw still exists.

In all cases this requires that the input data can be loaded through
OpenSSL as a CSR, and will fail before touching disk if that is not
valid data.

Be aware that both double-encoded and single-encoded URI patterns will
work, equivalently, in Puppet 2.7. No URI decoding is done on the CN
of the CSR Subject.

# Commit message for fix #

I have included patches for the 0.25.x, 2.6.x, and 2.7.x branches.

Author: Daniel Pittman <daniel@puppetlabs.com>
Date:   Sat Sep 24 12:44:20 2011 -0700

Resist directory traversal attacks through indirections.

In various versions of Puppet it was possible to cause a directory
traversal attack through the SSLFile indirection base class.
This was variously triggered through the user-supplied key, or
the Subject of the certificate, in the code.

Now, we detect bad patterns down in the base class for our
indirections, and fail hard on them. This reduces the attack
surface with as little disruption to the overall codebase as
possible, making it suitable to deploy as part of older, stable
versions of Puppet.

In the long term we will also address this higher up the stack,
to prevent these problems from reoccurring, but for now this
will suffice.

Huge thanks to Kristian Erik Hermansen <kristian.hermansen@gmail.com>
for the responsible disclosure, and useful analysis, around
this defect.

Signed-off-by: Daniel Pittman <daniel@puppetlabs.com>

# Plan #

Puppet Labs is currently rebuilding tarballs and packages of Puppet.
This will result in the following new source packages:

* Puppet 2.6.10
* Puppet 2.7.4 (this is in an RC series now, and will go final with
  the attached patch merged in)
* 2.6.10 and 2.7.4 will be available on downloads.puppetlabs.com/puppet as
  soon as possible. Likely sometime before 28 Sep at 08:00 UTC.
* Puppet Labs will also push to rubygems.org for those using gems.
* Everything in Puppet Enterprise will be updated and packaged
  by Puppet Labs; this includes PE 1.0, 1.1 and 1.2.

# Action #

We (Puppet Labs) obviously would like everybody to be as protected
from attacks as possible. We have not disclosed this issue publicly
yet. We will likely do so sometime on 28 Sep, but it could be on 29
Sep if you're UTC or greater.

We will announce the issue, as well as download locations for fixes
on our puppet-users, puppet-announce, puppet-dev and pe-users mailing
lists. At that time we will also get back in contact with cve.mitre.org
to have them update the CVE.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3848

# Note for 0.25 users #

If you're still shipping/using 0.25, we have included a patch that
applies cleanly to our git tree, but will not be releasing any
upstream source of it.

If you have any questions or need additional clarification on
anything, please respond to security@puppetlabs.com.

Thanks, Michael Stahnke
Release Manager -- Puppet Labs

New value:

IMPORTANT: THIS BUG SHOULD REMAIN PRIVATE SINCE IT DISCLOSES HOW TO EXPLOIT THE VULNERABILITY

From: Michael Stahnke <REDACTED>
Subject: High severity vulnerability found in Puppet (CVE-2011-3848) [not yet public]
Date: 27 September 2011 20:29:25 EDT
To: <REDACTED>

There has been a critical vulnerability discovered in Puppet
(CVE-2011-3848). Puppet Labs is currently working with distribution
maintainers, as well as key customers to ensure we are able to patch
this vulnerability before it is exploited.

The CVE and issue have not been made public yet. We appreciate
your discretion at this time.

# Explanation #

Kristian Erik Hermansen <kristian.hermansen@gmail.com> reported that
an unauthenticated directory traversal could drop any valid X.509
Certificate Signing Request at any location on disk, with the
privileges of the Puppet Master application. This was found in the
2.7 series of Puppet, but the underlying vulnerability existed in
earlier releases and could be accessed with different hostile inputs.
There are also some additional quirks of input handling that make it
easier to obfuscate the input.

To exploit on 2.7 a valid CSR is sent as a PUT request:

"""
$ curl -k -X PUT -H "Content-Type: text/plain" --data-binary @data \
  https://puppetmaster:8140/production/certificate_request/%252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252Ftmp%252Fpoison
"""

This exploits an input quirk where the "key" in the URI is
double-decoded; this would also work for a single URI-encoded input
string.

On 2.6 this is ignored, but the CN in the Subject of the CSR is used
in the same way, and could be exploited to drop the CSR content at an
arbitrary location on disk. The suffix ".pem" is always appended to
the location.

In the 0.25 series the same CN-based injection can occur, as the
underlying flaw still exists.

In all cases this requires that the input data can be loaded through
OpenSSL as a CSR, and will fail before touching disk if that is not
valid data.

Be aware that both double-encoded and single-encoded URI patterns will
work, equivalently, in Puppet 2.7. No URI decoding is done on the CN
of the CSR Subject.

# Commit message for fix #

I have included patches for the 0.25.x, 2.6.x, and 2.7.x branches.

Author: Daniel Pittman <daniel@puppetlabs.com>
Date:   Sat Sep 24 12:44:20 2011 -0700

Resist directory traversal attacks through indirections.

In various versions of Puppet it was possible to cause a directory
traversal attack through the SSLFile indirection base class.
This was variously triggered through the user-supplied key, or
the Subject of the certificate, in the code.

Now, we detect bad patterns down in the base class for our
indirections, and fail hard on them. This reduces the attack
surface with as little disruption to the overall codebase as
possible, making it suitable to deploy as part of older, stable
versions of Puppet.

In the long term we will also address this higher up the stack,
to prevent these problems from reoccurring, but for now this
will suffice.

Huge thanks to Kristian Erik Hermansen <kristian.hermansen@gmail.com>
for the responsible disclosure, and useful analysis, around
this defect.

Signed-off-by: Daniel Pittman <daniel@puppetlabs.com>

# Plan #

Puppet Labs is currently rebuilding tarballs and packages of Puppet.
This will result in the following new source packages:

* Puppet 2.6.10
* Puppet 2.7.4 (this is in an RC series now, and will go final with
  the attached patch merged in)
* 2.6.10 and 2.7.4 will be available on downloads.puppetlabs.com/puppet as
  soon as possible. Likely sometime before 28 Sep at 08:00 UTC.
* Puppet Labs will also push to rubygems.org for those using gems.
* Everything in Puppet Enterprise will be updated and packaged
  by Puppet Labs; this includes PE 1.0, 1.1 and 1.2.

# Action #

We (Puppet Labs) obviously would like everybody to be as protected
from attacks as possible. We have not disclosed this issue publicly
yet. We will likely do so sometime on 28 Sep, but it could be on 29
Sep if you're UTC or greater.

We will announce the issue, as well as download locations for fixes
on our puppet-users, puppet-announce, puppet-dev and pe-users mailing
lists. At that time we will also get back in contact with cve.mitre.org
to have them update the CVE.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3848

# Note for 0.25 users #

If you're still shipping/using 0.25, we have included a patch that
applies cleanly to our git tree, but will not be releasing any
upstream source of it.

If you have any questions or need additional clarification on
anything, please respond to security@puppetlabs.com.

Thanks, Michael Stahnke
Release Manager -- Puppet Labs
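The Explanation and commit message in the description above give the shape of the flaw (a file name taken from a URI key or a CSR Subject CN, with traversal hidden by double URI-encoding) and of the fix (detect bad patterns in the indirection base class and fail hard). The Ruby below is an added example, not Puppet's code: it decodes repeatedly before checking, rejects separators and dot components from either source, confirms the resulting path stays under an assumed base directory (/var/lib/puppet/ssl/ca/requests is an assumption, not Puppet's layout), and reads a CN only from data OpenSSL accepts as a CSR.

```ruby
# Added example, not Puppet's code: a guard in the spirit of the described fix,
# rejecting traversal patterns in the "key" that names an SSL file before any write.
require 'uri'
require 'pathname'
require 'openssl'

module SslFileKeyGuard
  class BadKey < StandardError; end
  # Hypothetical base directory for pending CSRs (assumed, not Puppet's).
  REQUEST_DIR = '/var/lib/puppet/ssl/ca/requests'

  # Anything other than one plain path component: "." or "..", a path
  # separator (either kind) or a NUL byte.
  BAD_PATTERN = %r{\A\.{1,2}\z|[/\\\0]}

  # Percent-decode until the string stops changing, so a double-encoded
  # "%252E%252E%252F" and a single-encoded "%2E%2E%2F" both normalise to
  # "../" before the pattern check (the 2.7 double-decoding quirk).
  def self.fully_decode(str, max_rounds = 3)
    cur = str
    max_rounds.times do
      nxt = URI.decode_www_form_component(cur)
      break if nxt == cur
      cur = nxt
    end
    cur
  rescue ArgumentError => e # malformed %-escape
    raise BadKey, "undecodable key #{str.inspect}: #{e.message}"
  end

  # uri_key: true  -> the key came from the request URI, so decode it first
  # uri_key: false -> the key is a CSR Subject CN, which is not URI-decoded
  def self.validate_key!(key, uri_key: true)
    name = uri_key ? fully_decode(key) : key.to_s
    raise BadKey, 'empty key' if name.empty?
    raise BadKey, "bad pattern in key #{name.inspect}" if name =~ BAD_PATTERN
    name
  end

  # Build "<base>/<key>.pem" as the vulnerable code effectively did, but only
  # for a validated key, then confirm the cleaned path is still under the base.
  def self.path_for(key, uri_key: true)
    name = validate_key!(key, uri_key: uri_key)
    path = Pathname.new(REQUEST_DIR).join("#{name}.pem").cleanpath.to_s
    raise BadKey, "escapes base dir: #{path}" unless path.start_with?("#{REQUEST_DIR}/")
    path
  end

  # CN of a PEM CSR; raises BadKey when OpenSSL cannot load the body as a CSR.
  def self.cn_from_csr_pem(pem)
    req = OpenSSL::X509::Request.new(pem)
    entry = req.subject.to_a.find { |oid, _value, _type| oid == 'CN' }
    raise BadKey, 'CSR has no CN' unless entry
    entry[1]
  rescue OpenSSL::X509::RequestError => e
    raise BadKey, "not a loadable CSR: #{e.message}"
  end

  # Constructed sample CSR whose Subject CN carries the given string.
  def self.sample_csr_pem(cn)
    key = OpenSSL::PKey::RSA.new(2048)
    req = OpenSSL::X509::Request.new
    req.subject = OpenSSL::X509::Name.parse_rfc2253("CN=#{cn}")
    req.public_key = key.public_key
    req.sign(key, OpenSSL::Digest.new('SHA256'))
    req.to_pem
  end
end
```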
2011-10-05 19:59:42 | Jamie Strandboge | visibility | private | public |
2011-10-05 19:59:47 | Jamie Strandboge | puppet (Ubuntu Hardy): status | Confirmed | Fix Committed |
2011-10-05 20:18:31 | Jamie Strandboge | tags | | security-verification |
2011-10-05 20:22:31 | Jamie Strandboge | tags | security-verification | verification-needed |
2011-10-05 20:22:44 | Jamie Strandboge | bug | | | added subscriber Ubuntu Stable Release Updates Team
2011-10-05 20:23:01 | Jamie Strandboge | bug | | | added subscriber SRU Verification
2011-10-05 20:23:47 | Jamie Strandboge | description | (old value: the description as set at 2011-09-29 17:14:02, shown above) | (new value below) |
New value:

There has been a critical vulnerability discovered in Puppet
(CVE-2011-3848). Puppet Labs is currently working with distribution
maintainers, as well as key customers to ensure we are able to patch
this vulnerability before it is exploited.

# Commit message for fix #

I have included patches for the 0.25.x, 2.6.x, and 2.7.x branches.

Author: Daniel Pittman <daniel@puppetlabs.com>
Date:   Sat Sep 24 12:44:20 2011 -0700

Resist directory traversal attacks through indirections.

In various versions of Puppet it was possible to cause a directory
traversal attack through the SSLFile indirection base class.
This was variously triggered through the user-supplied key, or
the Subject of the certificate, in the code.

Now, we detect bad patterns down in the base class for our
indirections, and fail hard on them. This reduces the attack
surface with as little disruption to the overall codebase as
possible, making it suitable to deploy as part of older, stable
versions of Puppet.

In the long term we will also address this higher up the stack,
to prevent these problems from reoccurring, but for now this
will suffice.

Huge thanks to Kristian Erik Hermansen <kristian.hermansen@gmail.com>
for the responsible disclosure, and useful analysis, around
this defect.

Signed-off-by: Daniel Pittman <daniel@puppetlabs.com>

2011-10-05 20:32:25 | Launchpad Janitor | branch linked | | lp:ubuntu/hardy-proposed/puppet |
2012-04-23 22:29:54 | Jamie Strandboge | bug | | | added subscriber Jamie Strandboge
2012-04-23 22:29:56 | Jamie Strandboge | removed subscriber Ubuntu Security Team | | |
2013-01-31 17:43:05 | Brian Murray | tags | verification-needed | removal-candidate verification-needed |
2013-03-08 16:49:26 | Brian Murray | puppet (Ubuntu Hardy): status | Fix Committed | Triaged |
2013-03-08 17:23:23 | Brian Murray | tags | removal-candidate verification-needed | removal-candidate |
2013-03-08 17:23:24 | Brian Murray | tags | removal-candidate | |
2013-11-12 17:33:18 | Jamie Strandboge | puppet (Ubuntu Hardy): status | Triaged | Won't Fix |