Issue #4928 has been updated by Matt Robinson.

Status changed from Investigating to Code Insufficient

Based on mailing list discussion, this patch would need some more logic to handle getting dmgs from sources that aren't the puppet master or don't use ssl, with a fallback to using default x.509 certs. Sandor mentioned possibly getting back to this after exams.

----------------------------------------
Feature #4928: SSL cert check for pkgdmg package provider
https://projects.puppetlabs.com/issues/4928

Author: Sandor Szücs
Status: Code Insufficient
Priority: Normal
Assignee: Nigel Kersten
Category: OSX
Target version:
Affected Puppet version:
Keywords: pkgdmg package provider ssl communitypatch
Branch:

The curl option -k is used in order to download a source file using the pkgdmg package provider. This can be attacked by men-in-the-middle. In order to defend from mitm you have to validate certs with curl. Puppet has :certdir and :localcert configuration that you can use with curl.

The patch provided fixes this issue. I have tested it with a patched 0.25.4 puppet installation on Mac OS X 10.6.4.

0.25.x, 2.6.x and development HEAD are affected by this; possibly versions <0.25 are affected, too.
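
The behaviour discussed in this issue, sketched as an added Ruby example (it is not the submitted patch and not Puppet's code): build the curl arguments without -k, pin the CA file when the source is on the puppet master, and leave other https sources to curl's default CA bundle. The function name, the `puppet_server` and `ca_file` parameters and the example.com hosts are assumptions made for illustration.

```ruby
require "uri"

# Base transfer options: output file, resume, follow redirects, silent.
# Deliberately no "-k": certificate validation stays on.
BASE_ARGS = ["-C", "-", "-L", "-s"].freeze

# Hypothetical helper: returns the curl argument list for one source.
#   puppet_server - host name of the puppet master (assumed parameter)
#   ca_file       - path to the CA certificate the agent trusts (assumed parameter)
def curl_args_for(source, dest, puppet_server:, ca_file:)
  uri = URI.parse(source)
  args = ["-o", dest] + BASE_ARGS
  case uri.scheme
  when "https"
    # -L follows redirects; keep them on https so validation cannot be bypassed.
    args += ["--proto-redir", "=https"]
    if uri.host.to_s.downcase == puppet_server.downcase
      # Fail closed: a missing CA file must not turn into an unverified download.
      raise ArgumentError, "CA file not found: #{ca_file}" unless File.file?(ca_file)
      args += ["--cacert", ca_file]
    end
    # Any other https host: add nothing, curl checks against its default CA bundle.
  when "http", "ftp", "file"
    # No TLS on these transports, so there is no certificate to validate.
  else
    raise ArgumentError, "unsupported source scheme: #{uri.scheme.inspect}"
  end
  args + ["--url", source]
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample sources, not taken from the issue.
  ["https://downloads.example.org/tool.dmg", "http://mirror.example.org/tool.dmg"].each do |src|
    argv = curl_args_for(src, "/tmp/tool.dmg",
                         puppet_server: "puppet.example.com",
                         ca_file: "/nonexistent/ca.pem")
    puts "curl #{argv.join(' ')}"
  end
end
```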
