Issue #15561 has been updated by Jeff McCune.

Status changed from In Topic Branch Pending Review to Accepted
Assignee deleted (Dustin Mitchell)

Here's the update I posted to the pull request:

<blockquote>
@daniel-pittman Thank you for the update, this saves some duplicate effort.

@battlemidget I'm going to go ahead and close this pull request and update the 
corresponding issue [#15561](https://projects.puppetlabs.com/issues/15561).  
This isn't to say that we won't fix this issue or that we don't consider 15561 
a valid and accepted bug.  We do and we will.  I'm closing this with this 
update in an effort to get this out of limbo and make it clear that 15561 is 
more about fixing the core issue in the certificate indirections than it is 
about changing the regular expression for the CN.

On a side note, I'm really sorry this issue has sat dormant for so long.  I 
really appreciate you taking the time to speak up and ping us about the issues 
that are affecting you.

Hope this helps.
-Jeff
</blockquote>
----------------------------------------
Bug #15561: Fix for CVE-2012-3867 is too restrictive
https://projects.puppetlabs.com/issues/15561#change-74053

Author: Dustin Mitchell
Status: Accepted
Priority: Normal
Assignee: 
Category: SSL
Target version: 2.7.x
Affected Puppet version: 2.7.18
Keywords: certificate
Branch: https://github.com/puppetlabs/puppet/pull/1101


The fix for CVE-2012-3867 involves checking certificate subjects for "weird" 
characters.  From my read of the CVE entry, this is to filter out characters 
that would cause the name to display in a manner visually indistinguishable 
from a valid hostname.

However, the check is too restrictive:

Could not retrieve catalog from remote server: Certname "puppetagain base 
ca/[email protected]/ou=release engineering/o=mozilla, inc." 
must not contain unprintable or non-ASCII characters

In particular, / is a very common character in subjects, and should be allowed. 
 Puppet is seeing this subject on my base CA - I'm using certificate chaining.

The fix is one character, so I haven't included a patch, but I'm happy to make 
a pull req if necessary.

Another fix would be to only verify certificate subjects for the leaf 
certificate, and not any of the certs in its signing chain, but that seems less 
secure.

It's also worth noting that the regex is overly broad, since it downcases the 
string, then accepts A-Z among other characters.
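To make the three points in the report concrete (a hostname-style character class rejecting "/" in a chained CA subject, a check that instead targets what the CVE fix is meant to stop, and the dead A-Z range after a downcase), here is an illustrative Ruby validator added for this thread. It is not Puppet's code and not the patch in pull request 1101: both regexes, the function names, and the sample chain are constructed stand-ins, and the CA subject uses a made-up contact address.

```ruby
# Illustrative certificate-subject validation written for this issue thread.
# NOT Puppet's code: the regexes below are constructed stand-ins for a narrow
# "hostname-ish" check and for a check aimed at what the CVE-2012-3867 fix
# describes (no unprintable or non-ASCII characters in the subject).

# Constructed narrow check: hostname-like characters only. It downcases first
# and then still lists A-Z, so that range can never match anything (the
# redundancy the reporter notes), and it has no "/" so DN-style CA subjects
# such as "o=..., inc." fail with a misleading "unprintable" error.
NARROW_CERTNAME   = /\A[-A-Za-z0-9._@ ]+\z/
NARROW_LOWER_ONLY = /\A[-a-z0-9._@ ]+\z/   # same class without A-Z

def narrow_valid?(name)
  !!(name.downcase =~ NARROW_CERTNAME)
end

# True when dropping A-Z from the class changes nothing for this name,
# i.e. the uppercase range is dead code once the input is downcased.
def uppercase_range_dead?(name)
  lowered = name.downcase
  (lowered =~ NARROW_CERTNAME).nil? == (lowered =~ NARROW_LOWER_ONLY).nil?
end

# Revised check: every character must be printable ASCII (0x20..0x7E).
# This still rejects control characters (including NUL) and non-ASCII
# look-alikes, which is the display-confusion risk the CVE fix addresses,
# while letting "/", ",", "=" and "@" through as they appear in real
# DN-style subjects. \z (not \Z or $) is used so a trailing newline cannot
# slip past the anchor.
PRINTABLE_ASCII = /\A[\x20-\x7E]+\z/

def printable_ascii_name?(name)
  !!(name =~ PRINTABLE_ASCII)
end

# Apply a check to every subject in the signing chain, not just the leaf,
# which is how the report describes Puppet behaving with chained CAs.
# Returns the offending subjects (empty when the chain is acceptable).
def rejected_subjects(chain, &check)
  chain.reject { |subject| check.call(subject) }
end

# Constructed sample chain modelled on the report: a leaf hostname plus a
# base CA whose subject contains "/", "@", "=", "," and spaces.
SAMPLE_CHAIN = [
  "host1.example.com",
  "puppetagain base ca/ca-admin@example.com/ou=release engineering/o=example, inc.",
]

if __FILE__ == $0
  puts "narrow check rejects:    #{rejected_subjects(SAMPLE_CHAIN) { |s| narrow_valid?(s) }.inspect}"
  puts "printable check rejects: #{rejected_subjects(SAMPLE_CHAIN) { |s| printable_ascii_name?(s) }.inspect}"
  puts "A-Z range dead after downcase? #{uppercase_range_dead?('HOST1.Example.COM')}"
end
```

Running it shows the narrow class rejecting only the CA subject, the printable-ASCII class accepting the whole chain while still refusing a name with a NUL byte, a Cyrillic look-alike letter, or a trailing newline, and the A-Z range making no difference once the input has been downcased.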



-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Bugs" group.