Once more, with feeling,

Welcome to another Release Candidate for Puppet Dashboard (number 9).
This RC addresses security concerns announced/discovered in Rails over
the last couple days.


This release is available for download at:
http://downloads.puppetlabs.com/dashboard/

We have included Debian and RPM packages as well as a tarball.

See the Verifying Puppet Download section at:
http://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet

Please report feedback via the Puppet Labs Redmine site, with the
affected version set to 1.2rc9:
http://projects.puppetlabs.com/projects/dashboard

Documentation is available at:
http://docs.puppetlabs.com/dashboard/index.html




1.2rc9
===
The three commits are related to CVEs from Rails.
We've back-ported the patches to our vendored version of Rails
included in Dashboard 1.2.


Detailed commit messages:

commit 2e85b8d53337c96c34ceffc49f17a4fb13ee9fc3
Author: Jacob Helwig <[email protected]>
Date:   Fri Aug 19 11:34:20 2011 -0700

    Apply security patch for XSS Vulnerability in the escaping function in Ruby on Rails

    From the security announcement:

      There is a vulnerability in the escaping code used by Ruby on Rails,
      using specially crafted malformed unicode strings an attacker can
      bypass the escaping code.  This vulnerability has been assigned the
      CVE identifier CVE-YYYY-XXXX.

      Versions Affected:  2.0.0 and later running on Ruby 1.8.x.
      Not Affected:       Applications running on Ruby 1.9.x
      Fixed Versions:     3.0.10, 2.3.13, 3.1.0.rc5

      Impact
      ------

      Ruby on Rails has provided a high performance replacement for
      ERB::Util.h since version 2.0.0.  Due to a bug in the Ruby 1.8 Regular
      Expression code this replacement version will fail to escape certain
      malformed unicode strings.  This malformed output will then be
      interpreted as HTML by some browsers on some operating systems.

      All users running an affected release should either upgrade or use one
      of the workarounds immediately.

      Releases
      --------

      The 3.0.10, 2.3.13 and v3.1.0.rc5 releases are available at the normal
      locations.

      Workarounds
      -----------

      It is possible to construct a before_filter to reject requests which
      contain invalid parameters, this should only be considered a temporary
      solution though.

      private
        before_filter :reject_invalid_requests

        # Answer 400 Bad Request when any parameter key or value is not
        # well-formed UTF-8, so malformed input never reaches the escaper.
        def reject_invalid_requests
          if include_invalid_utf8?(params)
            head :bad_request
          end
        end

        def include_invalid_utf8?(param)
          param.any? {|k, v| !validate(k, v)}
        end

        def validate(*vars)
          vars.all? do |var|
            case var
            when Hash
              # Uploaded files are binary: skip them, otherwise recurse.
              var[:tempfile].respond_to?(:read) ? true : !include_invalid_utf8?(var)
            when Array
              validate(*var)
            else
              ActiveSupport::Multibyte.verify(var.to_s)
            end
          end
        end

      Patches
      -------

      To aid users who aren't able to upgrade immediately we have provided
      patches for the two supported release series.  They are in git-am
      format and consist of a single changeset.

      * 2-3-utf_8.patch - Patch for 2.3 series
      * 3-0-utf_8.patch - Patch for 3.0 series
      * 3-1-utf_8.patch - Patch for 3.0 series

      Please note that only the 2.3.x and 3.0.x series are supported at
      present.  Users of earlier unsupported releases are advised to upgrade
      as soon as possible.

      Credits
      -------

      Thanks to Akira Matsuda and Falk Köppe for reporting the vulnerability
      to us and working with us to confirm a fix.
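The before_filter quoted in the announcement can only be exercised inside a Rails controller. The following is an added example, not Dashboard or Rails code, that reproduces the same walk over nested params as a stand-alone script: it assumes Ruby 1.9 or later and uses String#valid_encoding? in place of ActiveSupport::Multibyte.verify, with constructed params hashes standing in for real requests.

```ruby
require 'stringio'

# Walk a Rails-style params structure (nested Hashes and Arrays of Strings)
# and report whether every key and value is well-formed UTF-8.
def valid_utf8_params?(params)
  params.all? { |k, v| valid_utf8_value?(k) && valid_utf8_value?(v) }
end

def valid_utf8_value?(var)
  case var
  when Hash
    # A multipart upload arrives as a Hash carrying a :tempfile IO. Its body is
    # binary, not text, so it is exempted exactly as the workaround does.
    return true if var[:tempfile].respond_to?(:read)
    valid_utf8_params?(var)
  when Array
    var.all? { |v| valid_utf8_value?(v) }
  else
    # Stand-in for ActiveSupport::Multibyte.verify: re-tag the bytes as UTF-8
    # and ask Ruby whether the byte sequence is valid.
    var.to_s.dup.force_encoding(Encoding::UTF_8).valid_encoding?
  end
end

# The controller-level decision: 400 for a request carrying invalid UTF-8,
# otherwise let it through (200 stands in for the normal response).
def request_status(params)
  valid_utf8_params?(params) ? 200 : 400
end

# Constructed sample requests (not captured traffic).
GOOD_PARAMS   = { "name" => "caf\u00E9", "tags" => ["a", "b"], "meta" => { "x" => "1" } }
# 0xC3 announces a two-byte sequence, but 0x28 is not a continuation byte.
BAD_PARAMS    = { "name" => "ok", "tags" => ["fine", "\xC3\x28".b] }
UPLOAD_PARAMS = { "file" => { :tempfile => StringIO.new("\xFF\xFE".b), :filename => "x.bin" } }

if __FILE__ == $0
  [GOOD_PARAMS, BAD_PARAMS, UPLOAD_PARAMS].each { |p| puts request_status(p) }
end
```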

commit d3bfcf594d9b147e5f9f8b941d454b656b74c382
Author: Jacob Helwig <[email protected]>
Date:   Fri Aug 19 11:28:29 2011 -0700

    Apply security patch for XSS Vulnerability in strip_tags helper

    From the security announcement:

      There is a vulnerability in the strip_tags helper in Ruby On Rails,
      using specially crafted output an attacker can successfully inject
      HTML into the document. This vulnerability has been assigned the CVE
      identifier CVE-YYYY-XXXX.

      Versions Affected:  All.
      Fixed Versions:     3.0.10, 2.3.13, 3.1.0.rc5

      Impact
      ------
      The strip_tags helper in Ruby on Rails is designed to remove all
      HTML tags from a string.  By using specially crafted values an
      attacker can confuse the parser and cause HTML tags to be injected
      into the response.  This can be exploited to inject arbitrary
      javascript into the rendered page.

      Future releases of Ruby on Rails are likely to replace the current
      HTML tokenizer with one provided by libxml to reduce the likelihood
      of errors such as these in the future.  In the meantime users can
      install the loofah gem[1] which should enhance both the performance
      and reliability of the HTML sanitization helpers.

      All users running an affected release should either upgrade or use
      one of the workarounds immediately.

      Releases
      --------
      The 3.0.10, 2.3.13 and v3.1.0.rc5 releases are available at the
      normal locations.

      Workarounds
      -----------

      Users running a release of rails prior to 3.0 can work around this
      issue by escaping the result of strip_tags.  Replacing:

      <%= strip_tags(params[:user_content]) %>

      with

      <%=h strip_tags(params[:user_content]) %>

      Users running 3.0 or later will have to take an additional step to
      ensure that the output is correctly escaped.

      <%= strip_tags(params[:user_content]) %>

      must be replaced with

      <%=h strip_tags(params[:user_content]).to_str %>

      Users running a 2.3 application with the rails_xss plugin installed
      are advised to upgrade as there is no feasible workaround.

      Patches
      -------
      To aid users who aren't able to upgrade immediately we have provided
      patches for the two supported release series.  They are in git-am
      format and consist of a single changeset.

      * 2-3-strip_tags.patch - Patch for 2.3 series
      * 3-0-strip_tags.patch - Patch for 3.0 series
      * 3-1-strip_tags.patch - Patch for 3.1 series

      Please note that only the 2.3.x and 3.0.x series are supported at
      present.  Users of earlier unsupported releases are advised to
      upgrade as soon as possible.

      Credits
      -------

      Thanks to Sascha Depold for reporting the vulnerability to us and
      working with us to verify the fix.

      [1] http://loofah.rubyforge.org/loofah/

commit 107f1016a219ecffd6745022527f17e6479b8219
Author: Jacob Helwig <[email protected]>
Date:   Fri Aug 19 10:59:39 2011 -0700

    Apply security patch for SQL Injection Vulnerability in quote_table_name

    From the security announcement:

      There is a vulnerability in the quote_table_name method which could
      allow malicious users to inject arbitrary SQL into a query. This
      vulnerability has been assigned the CVE identifier CVE-YYYY-XXXX.

      Versions Affected:  All.
      Fixed Versions:     3.0.10, 2.3.13, 3.1.0.rc5

      Impact
      ------

      The quote_table_name method in the ActiveRecord adapters for Ruby
      on Rails was initially created solely for the purpose of escaping
      reserved words encountered in table names.  However over time 3rd
      party libraries, and rails itself, grew to rely on those functions
      as a way to sanitize potentially malicious user input.  As a result
      these functions need to be hardened to manage malicious input rather
      than assuming they're being passed benign values generated by rails
      itself.

      All users running an affected release should upgrade immediately.

      Releases
      --------

      The 3.0.10, 2.3.13 and v3.1.0.rc5 releases are available at the
      normal locations.

      Workarounds
      -----------

      There are no feasible workarounds for this issue.

      Patches
      -------
      To aid users who aren't able to upgrade immediately we have provided
      patches for the two supported release series.  They are in git-am
      format and consist of a single changeset.

      * 2-3-sql_injection.patch - Patch for 2.3 series
      * 3-0-sql_injection.patch - Patch for 3.0 series
      * 3-1-sql_injection.patch - Patch for 3.1 series

      Please note that only the 2.3.x and 3.0.x series are supported at
      present.  Users of earlier unsupported releases are advised to
      upgrade as soon as possible.
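The announcement offers no workaround and only says the quoting functions had to be "hardened to manage malicious input". As an added example, not the Rails patch and not Dashboard code, here is what that hardening looks like for a MySQL-style identifier quoter (the backtick convention is an assumption): the pre-fix shape beside a version that doubles embedded quote characters, plus a property check a reviewer can run on either.

```ruby
# Pre-fix shape: wrap in backticks and turn each "." into a quoted boundary.
# A backtick already inside the name is copied through untouched, so an
# untrusted identifier can terminate the quoted token early.
def quote_table_name_naive(name)
  "`#{name}`".gsub(".", "`.`")
end

# Hardened shape: quote each dotted component on its own and double every
# embedded backtick, which is how MySQL represents a literal backtick inside
# a quoted identifier. Nothing in the input can now close the token early.
def quote_table_name_hardened(name)
  name.to_s.split(".", -1).map { |part| "`#{part.gsub("`", "``")}`" }.join(".")
end

# Property to check on any quoter: the output must be one or more
# backtick-delimited tokens separated by ".", where the only backticks
# inside a token are doubled ones.
QUOTED_IDENTIFIER = /\A`(?:[^`]|``)*`(?:\.`(?:[^`]|``)*`)*\z/

def safely_quoted?(quoted)
  !!(QUOTED_IDENTIFIER =~ quoted)
end

# Constructed inputs: a plain name, a schema-qualified name, and one that
# carries the identifier quote character itself.
SAMPLE_NAMES = ["users", "reports.users", "us`ers"]

if __FILE__ == $0
  SAMPLE_NAMES.each do |n|
    naive = quote_table_name_naive(n)
    hard  = quote_table_name_hardened(n)
    puts "#{n.inspect}: naive=#{naive} (#{safely_quoted?(naive)}) " \
         "hardened=#{hard} (#{safely_quoted?(hard)})"
  end
end
```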








1.2 series
====

Highlights Include:

* Moved to Apache 2.0 License
* LOTS of UI improvements
* Updated version of Rails
* Now Requires Ruby 1.8.7
* Has Delayed Jobs (puppet-dashboard-workers) for async actions
* Several performance improvements




More Details
===
0a73593 (#7934) Improve wording to filebucket error
fa8d27c (#7934) Give a better error message when filebucket contents don't exist
7b742e9 (#7934) Don't link md5s for new content
735925f (#9032) Update Debian package to ensure VERSION is packaged
620de4e (#8251 and #8042) Don't use our own logger
a2a97ab (#8796) Re-write misleading 500 error message
6b525b1 (#5845) Changed host to node in UI.
49cca0b Add document outlining preferred contribution methods
90f5ce0 (#8488) Move tfoot before tbody in reports table
ee1f182 (#8488) Make columns consistent between report views
e54ecb8 (#8790) Fix reports page column display and alignment
947dcee (#8748) Put sensible umask on pids and logs that delayed_job creates
4ef96b6 (#8785) Close a directory that we open
0bfbbf6 (#8785) - Revert "(#8748) Upgrade vendored daemons gem to fix umask on pids"
3f88c7f (#8748) Fix my forgetting to add a vendored gem
2f636a9 Allow setting of RUBY for the workers on redhat systems
651511c (#8748) Upgrade vendored daemons gem to fix umask on pids
3a65fd0 (#8694) Add backtrace info to DelayedJobFailure
bf22939 Add document outlining preferred contribution methods
803be4f (#8745) Update gitignore to not exclude tmp during tarball creation
45338a (#8691) Fix the order of changed and unchanged resources on the report summary
7653800 Provide clearer error message when report host, kind and time are not unique
e86526f (#8686) Handle concurrent DelayedJob workers importing for same node
88771ec (#8589) Report events are now ordered by name.
8bd0ffb (#8544) Make empty inspected resources "red".
d036276 (#8505) Update the default date stringification.
bb99ed9 Properly Quote RAILS_ROOT in get_app_version method
08717e1 (#8508) Add delayed job worker script for debian/ubuntu package
2eef4f4 (#8529) Remove unneeded a print statement from sass.rb
af8b6e9 (#8500) Replace README with a smaller one
dff2256 (#8499) Update the usage of mktemp in Rakefile to work on mac
3f0afca (#8484) "Nodes for this group" heading now appears correctly
d389d8b (#7568) Relicense to Apache-2.0 License
57d0122 (#8276) Remove MaRuKu dependency
a44d9ff (#8262) Show node groups even when node classification is disabled
3996b29 (#8262) Create callbacks for each section of node_classification partial
5dac13a (#8199) Move 'failed' resources to the top when viewing report events
2a3a73c (#7967) Improved user-facing design for delayed job warnings
c78b85a (#8266) Back-end logic for splitting read and unread DJ failures.
15bba31 (#8121) Properly generate CSS from SASS in production.
a9abf41 (#8101) Updated to new version of Tipsy plugin
9cb5e55 (Maint) More generalized tabbed interface
fbe11aa (#8196) Adjust content width based on body classes.
e756c25 (#8196) Add a body class describing sidebar state.
23cbef1 (#8196) Clean up body class manipulation.
3670e2b (#8146) Change default DASHBOARD_URL in external_node to localhost
81ec3c0 (#8090) Update .gitignore to ignore plugin files
6f117fc (#8022) Don't fail when installing plugin without `public` directory
07a9407 (#8022) Create a hook for plugins to add items to <head> in layout
64be352 (#7967) Add default value for read column of delayed_job_failures
240c548 (#7967) Infrastructure for displaying background failures.
8038cce (#7389) Don't auto-start DelayedJob workers.
933ae04 (#7389) Cheaper unique filenames for spooled reports.
b4384eb (#7398) Support externally managed DelayedJob workers.
184e65b (#7689) Rake task to support parallel report POSTing.
2333c08 (#5947) Rename Destroy button to Delete
2fb0ac1 (#7976) Fixed static debug data in view
393970d (#7976) Node filter links in sidebar work in all cases
4ba3d23 (#7398) Configurable DelayedJob worker count.
e839884 (#7938) Delayed import from file, not YAML string.
d24c323 (#7973) Refactor colors for changed/unchanged
58c2b52 (#7398) Use DelayedJob for background processing.
6aefc60 (#7938) Add daemons gem to support DelayedJob
7395369 (#7398) Vendor DelayedJob for background tasks.
05040d9 (#7958) Allow plugins to add top level navigation
c4d2f26 (#7597) Better integration of node summaries
4ad9cbc (#7913) Upgrade rspec and rspec-rails vendored gems
c09b650 (#7913) Fix tap deprecation warning
d88da0e (#7913) Update README to say we only support Ruby 1.8.7
acdc31f (#7913) upgrade will_paginate gem to avoid deprecation warnings
e935b8d (#7913) vendor newer version of RDoc
ce9be98 (#7913) Fix deprecation warning for config.load_paths
dd8f277 (#7913) Upgrade vendored haml gem and vendor sass
dd88d74 (#7913) vendor json_pure since it was an undocumented dependency
789c1b7 (#7913) Upgrading from Rails 2.3.4 to 2.3.12
060799f (#7597) Reformat node view CSV link
3726771 (#7280) Edit outdated information about the inventory service
a02113a (#7597) Change empty tab display, report tab ordering, link expansion
b62bf4c (#7597) Add count to pagination link, fix duplicate tags
9f06f58 (#7597) Display only relevant columns in node tables
96bb99c (#7597) Add "help" link to node summary.
95f870e (#6992) Add totals row for resource status counts to node view
44a145c (#7544) Group report resources by status
c2e2c63 (#7840) Increase consistency of status definitions and remove old code
dd5e610 (#7674) Add pending to the run status stacked bar graph
a58d06d (#6992) Show a summary of nodes x resources on home page.
9d71cd2 (#7630) Denormalize ResourceStatus status and count calculations
6e03872 (#6528) Cleanup implementation of `::words`.
2b53c29 (#6528) Remove hideous Array monkeypatch.
0312ea2 (#7007) Stream node CSV download
87b3e91 (#7007) Add a link to the home page to download nodes in CSV
1af5e86 (#7007) Add support for CSV to nodes index
2829a8b (#7007) Add custom CSV output for nodes with resources
11aa643 (#7007) Use a custom property list for ResourceStatus.to_csv
fc0fe85 (#7007) Add support for CSV output
d2184e4 (#7537) Use #titleize for report tab names.
12b035d (#7537) Add reasonable defaults for report tab names.
b230077 (#7560) Clean up the Dashboard index for 0 nodes.
6fe8513 (#6991) Add the Node Status summary graph.
8e70035 (#6991) Massage Node named scopes.
57d6b6b (#6991) Cleanup of excessively long lines.
db61b1b (#6537) Add a pending scope to nodes
552c760 (#5126) Support HTTP basic auth in bin/external_node
a85c681 (#6537) Add a pending scope to nodes
cf1410a (#6988) rpm should include logrotate file
0ff2373 (#7209) Require naming convention for plugin migration files
8ff11be (#7161) Add a route to create node group memberships
ec9e879 (#7161) Remove forgery protection
6c700c1 (#4816) Add a Node#find_by_id_or_name helper
d540cc6 (#6989) Improve messages for empty tabs.
b36bfb6 (#6989) Squash bugs in IE{7,8}.
16d6fad (#6989) Fix font rendering in Firefox.
0f2723b (#6989) Add basic styling for tabs.
31984aa (#6989) Remove a call to Registry.each_callback.
4d2f9c7 (#6989) Remove ugly <Proc instance>#name hack.
b8f5a04 (#6989) Refactor user-facing names.
04153bc (#6989) Refactor Javascript into application.js
cc43e61 (#6989) Add "tabs" for report sections.

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.