As you probably know, the OpenSSL project recently announced a serious security 
vulnerability in OpenSSL affecting versions 1.0.1 and 1.0.2 (CVE-2014-0160[1]), 
currently referred to as "Heartbleed"[2]. This vulnerability allows 
unauthorized users access to private data such as encrypted traffic and the 
secret keys used to identify servers.

The security of Puppet infrastructure depends on OpenSSL being secure, so there 
are steps you must take to ensure your Puppet infrastructure is secure.

Puppet Labs has not shipped a vulnerable version of OpenSSL in Puppet or Puppet 
Enterprise. In many cases, however, Puppet and Puppet Enterprise rely on 
versions of OpenSSL shipped as part of an operating system.

**Many organizations will need to regenerate their Puppet-related Certificate 
Authority and all Puppet-related SSL certificates in their public key 
infrastructure.** You may also need to update OpenSSL as vendors release 
updates to address this vulnerability. 

We have released step-by-step documentation for remediating the vulnerability 
on our docs site. You can find direct links to the relevant docs in this blog 
post:

Heartbleed Security Bug: Update for Puppet Users
http://puppetlabs.com/blog/heartbleed-security-bug-update-puppet-users

We encourage you to review the remediation actions as soon as possible. Of 
course, we'll continue to stay on top of developments, and update you here on 
the mailing list.

[1] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
[2] http://heartbleed.com

Thanks, and sorry if your day has been as tough as ours.
--eric0


Eric Sorenson - [email protected] - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles
