SUSE:SLE-12-SP4:GA
File puppet-3.8.5-CVE-2020-7942.patch of Package puppet
SUSE notes ---------- We partially used the upstream patch (below) but we didn't change the default value of strict_hostname_checking variable to 'true' due to potential disruption of customer's infrastructure. We also added a comment in the configuration file puppet.conf to highlight the issue. Upstream commit (altered) ------------------------ From df826baa0ed1f3ebb182798aa6e04a9e8f35fd80 Mon Sep 17 00:00:00 2001 From: Justin Stoller <justin.stoller@gmail.com> Date: Tue, 11 Feb 2020 11:59:59 -0800 Subject: [PATCH] (PUP-10238) Change default value of strict_hostname_checking to true --- Index: puppet-3.8.5/lib/puppet/defaults.rb =================================================================== --- puppet-3.8.5.orig/lib/puppet/defaults.rb +++ puppet-3.8.5/lib/puppet/defaults.rb @@ -1138,13 +1138,23 @@ EOT to make requests on. Both applications use this setting to get the port.", }, :node_name => { - :default => "cert", + :default => 'cert', + :type => :enum, + :values => ['cert', 'facter'], + :deprecated => :completely, + :hook => proc { |val| + if val != 'cert' + Puppet.deprecation_warning("The node_name setting is deprecated and will be removed in a future release.") + end + }, :desc => "How the puppet master determines the client's identity and sets the 'hostname', 'fqdn' and 'domain' facts for use in the manifest, in particular for determining which 'node' statement applies to the client. Possible values are 'cert' (use the subject's CN in the client's certificate) and 'facter' (use the hostname that the client - reported in its facts)", + reported in its facts). + + This setting is deprecated, please use explicit fact matching for classification.", }, :bucketdir => { :default => "$vardir/bucket", 
@@ -1275,9 +1285,18 @@ EOT }, :strict_hostname_checking => { :default => false, + :type => :boolean, :desc => "Whether to only search for the complete - hostname as it is in the certificate when searching for node information - in the catalogs.", + hostname as it is in the certificate when searching for node information + in the catalogs or to match dot delimited segments of the cert's certname + and the hostname, fqdn, and/or domain facts. + + This setting is deprecated and will be removed in a future release.", + :hook => proc { |val| + if val != true + Puppet.deprecation_warning("Setting strict_hostname_checking to false is deprecated and will be removed in a future release. Please use regular expressions in your node declarations or explicit fact matching for classification (though be warned that fact based classification may be considered insecure).") + end + } } ) Index: puppet-3.8.5/ext/redhat/puppet.conf =================================================================== --- puppet-3.8.5.orig/ext/redhat/puppet.conf +++ puppet-3.8.5/ext/redhat/puppet.conf @@ -11,6 +11,17 @@ # The default value is '$confdir/ssl'. ssldir = $vardir/ssl + # Whether to only search for the complete hostname as it is in the + # certificate when searching for node information in the catalogs. + # + # Setting strict_hostname_checking to false is deprecated and will be + # removed in a future release. Please use regular expressions in your node + # declarations or explicit fact matching for classification (though be + # warned that fact based classification may be considered insecure). + # + # See also: https://puppet.com/security/cve/CVE-2020-7942/ + #strict_hostname_checking = true + [agent] # The file in which puppetd stores a list of the classes # associated with the retrieved configuratiion. Can be loaded in
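Review bot: In the lib/puppet/defaults.rb hunk at @@ -1138,13 (:node_name), the new :desc text recommends "explicit fact matching for classification" with no caveat, while the strict_hostname_checking warning in the same patch says "fact based classification may be considered insecure". The description already states that 'facter' uses "the hostname that the client reported in its facts", so the deprecation text should say that this value is client-supplied and carry the same caveat. The hunk also sets :deprecated => :completely and adds a :hook that calls Puppet.deprecation_warning; check that the two do not emit two warnings for the same setting. The sentence "This setting is deprecated, please use ..." is a comma splice and reads better as two sentences.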
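Review bot: In the lib/puppet/defaults.rb hunk at @@ -1275,9 (:strict_hostname_checking), the context line ":default => false" is left unchanged, so segment matching remains the shipped behaviour and the only new signal is the hook's "if val != true" warning. Confirm that the hook runs for the default value and not only when the setting is written explicitly; if it does not, an installation that never sets the option gets neither strict checking nor the deprecation warning. The retained Subject line "Change default value of strict_hostname_checking to true" no longer matches what this altered patch does and should be annotated in the header. The :desc says the setting itself is deprecated, whereas the warning says only that setting it to false is deprecated; the two should agree.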
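Review bot: In the ext/redhat/puppet.conf hunk at @@ -11,6, the added comment block ends with the commented-out line "#strict_hostname_checking = true" but never states that the effective default in this package is false, unlike the neighbouring entry, which says "The default value is '$confdir/ssl'.". Add a line giving the default and saying that uncommenting the setting enables strict matching, so an administrator reading the file does not take the commented value for the default. The pointer to https://puppet.com/security/cve/CVE-2020-7942/ is useful; placing it next to that statement would make the reason for the recommendation clear.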