Issue #9617 has been updated by James Turnbull. Category set to file Status changed from Unreviewed to Needs Decision Assignee set to Nigel Kersten Priority changed from High to Normal
---------------------------------------- Bug #9617: Puppet uses insecure file checksums https://projects.puppetlabs.com/issues/9617 Author: Dump Dump Status: Needs Decision Priority: Normal Assignee: Nigel Kersten Category: file Target version: Affected Puppet version: Keywords: md5 checksum security Branch: Puppet uses MD5 for file checksums. It is possible for an attacker to modify a file contents to it's liking, while padding for example, with a large comment, for the md5 to match the original checksum. While an administrator would suspect that after an attack, Puppet would replace all the files it's told to fix, it won't. While Puppet should not be used as a security device, it touches security. In a proper environment where attackers are sandboxed and cannot touch puppet, but can touch other files, it makes sense for puppet to be able to create secure checksums. Likewise, in an environment where you need to quickly fix a file to close a security hole, but you know some systems are compromised, this helps as you can't expect a reinstall of hundred or thousand of systems overnight. The proposal is to add SHA512 as a checksum option. See patch for a sample (it's missing tests, etc) An additional option can be to perform both md5 and sha (and/or others) checksums -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/puppet-bugs?hl=en.
