I would think that a bug fix for #11143 should be in the next release.

On Dec 5, 2011, at 2:47 PM, Matthaus Litteken wrote:
> This release is a maintenance release candidate of the 2.6.x series of Puppet.
> 
> This release is available for download at:
> http://puppetlabs.com/downloads/puppet/puppet-2.6.13rc1.tar.gz
> 
> See the Verifying Puppet Download section at:
> http://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet
> 
> Please report feedback via the Puppet Labs Redmine site, using an
> affected version of 2.6.13rc1
> http://projects.puppetlabs.com/projects/puppet/
> 
> 2.6.13rc1 Release Notes
> ===
> Fix #10739 Provide default subjectAltNames while bootstrapping master
> 
>    Prior to #2848 (CVE-2011-3872), if Puppet[:certdnsnames] was not set,
>    puppet would add default subjectAltNames to any non-CA cert it signed,
>    including agent certs. The subjectAltNames were of the form:
> 
>      DNS:puppet, DNS:<fqdn>, DNS:puppet.<domain>
> 
>    The fix for #2848 prevented subjectAltNames from ever being
>    implicitly added at signing time. But during this change, the default
>    subjectAltNames behavior was accidentally removed.
> 
>    This commit restores the 'defaulting' behavior that existed
>    previously, but only when bootstrapping the initial master.
>    Additionally, default subjectAltNames are only ever added when
>    generating the master's certificate signing request, not at signing
>    time. This is important, because it ensures all subjectAltNames
>    originate from the CSR and are subject to our internal signing policy.
> 
>    The code now requires that all of the following be true in order to
>    add default subjectAltNames to the CSR:
> 
>     1. We are a CA and master
>     2. We're signing the master's cert, not self-signing the CA
>     3. The CSR is for the current host
>     4. No subjectAltNames have been specified, e.g. Puppet[:dns_alt_names]
>     5. The master can resolve its fqdn
> 
>    These should only ever be true when bootstrapping the initial
>    master. In particular, it should never be true for the CA's
>    self-signed cert, for remote agents, or for servers that are either
>    masters or CAs, but not both.
> 
>    The fqdn requirement existed previously, and so the same behavior has
>    been restored.
> 
>    Note if Puppet[:dns_alt_names] are specified when bootstrapping the
>    master, then we do not merge the default options -- it's either one or
>    the other, but not both.
> 
> Fix #10289 Add an ext script to upload facts to inventory server
> 
>    This script, ext/upload_facts, will read facts from the master's yaml
>    dir and save them to the facts terminus. The intended use of this is
>    when the facts terminus is set to inventory_service, to be run
>    periodically via cron to ensure facts are uploaded even if the
>    inventory_service becomes temporarily unavailable. It supports a
>    --minutes option, which will limit the facts uploaded to only those
>    added in the last n minutes.
> 
> #10289 (continued)  Add a safe alternative to REST for inventory service
> 
>    With the default implementation of the inventory service, with a
>    terminus REST and cache YAML, a failed upload to the inventory service
>    would cause compilation to fail. This means the inventory service was a
>    single point of failure for the entire Puppet infrastructure. Now, we
>    introduce an inventory_service terminus which can be used in place of
>    the REST terminus, and will absorb failures, allowing compilation to
>    continue.
> 
> 
> 
> 2.6.13rc1 Changelog Highlights
> ===
> * e4ee794 (#10739) Provide default subjectAltNames while bootstrapping master
> * 9dfd011 (#5617)  Puppet queue logging
> * aa2a762 (#10289) Add an ext script to upload facts to inventory server
> * 5129d38 (#10289) Add a safe alternative to REST for inventory service
> * 397a506 (#10244) Restore Mongrel XMLRPC functionality
> * bb224dd (#8770) Don't fail to set supplementary groups when changing user to root
> * 2a0de12 (#8770) Always fully drop privileges when changing user
> * d7c9c76 (#8740) Do not enumerate files in the root directory.
> * fb2ffd6 (#8596) Detect resource alias conflicts when titles do not match
> * 89c021c (#8418) Fix inspect app to have the correct run_mode
> * b268fb3 (#7144) Update Settings#writesub to convert mode to Fixnum
> * 111a4b5 (#6857) Password disclosure when changing a user's password
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to 
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at 
> http://groups.google.com/group/puppet-users?hl=en.
> 

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other 
randomness
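
The five conditions listed in the quoted release notes for #10739, modeled as an added example that is not part of the original messages and is not Puppet's own code. `Context`, `ctx` and `default_alt_names` are hypothetical names, and the host names are constructed sample values.

```ruby
# Illustrative model of the #10739 rule from the quoted release notes.
# Context, ctx and default_alt_names are hypothetical names, not Puppet's API.
Context = Struct.new(:ca, :master, :self_signing_ca, :csr_name, :local_name,
                     :dns_alt_names, :fqdn, :domain, keyword_init: true)

# Constructed sample: a host that is both CA and master, bootstrapping itself.
BOOTSTRAP = {
  ca: true, master: true, self_signing_ca: false,
  csr_name: "master.example.com", local_name: "master.example.com",
  dns_alt_names: "", fqdn: "master.example.com", domain: "example.com"
}.freeze

# Build a context from the bootstrap sample with selected fields overridden.
def ctx(overrides = {})
  Context.new(**BOOTSTRAP.merge(overrides))
end

# Returns the subjectAltNames to put into the CSR. Nothing is added at signing
# time, so every name stays visible to the signing policy.
def default_alt_names(c)
  explicit = c.dns_alt_names.to_s.split(/\s*,\s*/).reject(&:empty?)
  # Condition 4: explicit names replace the defaults; the two are never merged.
  return explicit.map { |n| "DNS:#{n}" } unless explicit.empty?

  return [] unless c.ca && c.master            # 1. we are a CA and master
  return [] if c.self_signing_ca               # 2. not self-signing the CA
  return [] unless c.csr_name == c.local_name  # 3. CSR is for the current host
  return [] if c.fqdn.to_s.empty?              # 5. master can resolve its fqdn

  names = ["DNS:puppet", "DNS:#{c.fqdn}"]
  names << "DNS:puppet.#{c.domain}" unless c.domain.to_s.empty?
  names
end

if __FILE__ == $PROGRAM_NAME
  {
    "bootstrapping master" => ctx,
    "remote agent"         => ctx(ca: false, master: false,
                                  local_name: "agent1.example.com",
                                  csr_name: "agent1.example.com"),
    "CA self-signed cert"  => ctx(self_signing_ca: true),
    "master, not a CA"     => ctx(ca: false),
    "explicit alt names"   => ctx(dns_alt_names: "puppet, lb.example.com"),
    "fqdn unresolved"      => ctx(fqdn: nil)
  }.each { |label, c| puts "#{label}: #{default_alt_names(c).inspect}" }
end
```
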
