Running puppet 3.6.2 and disable_warnings = deprecations appears to make no difference to prohibiting the alert about environments.
On Tuesday, June 10, 2014 1:19:05 PM UTC-5, Moses Mendoza wrote: > > Puppet 3.6.2 is a security and bug fix release in the Puppet 3.6 > series. This release addresses CVE-2014-3248 and CVE-2014-3250. > > ** CVE-2014-3248 ** > Arbitrary Code Execution with Required Social Engineering > An attacker could convince an administrator to unknowingly create and > execute malicious code on platforms with Ruby 1.9.1 and earlier. > CVSSv2 Score: 5.2 > Vector: AV:L/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C > > Affected Puppet versions (ruby 1.9.1 and earlier platforms only): > All > > Fixed Puppet versions: > 3.6.2 > 2.7.26* > > ** CVE-2014-3250 ** > Information Leakage Vulnerability > In Apache 2.4, SSLCARevocationCheck directive was added to mod_ssl, > which defaults it to none and must be explicitly configured. This > setting enables checking of a certificate revocation list. The default > Puppet master vhost config shipped with Puppet does not include this > setting. If a Puppet master is set up to run with Apache 2.4, and this > default vhost configuration file is used, the Puppet master will > continue to honor a host's certificate even after it is revoked. > CVSSv2 Score: 3.1 > Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C > > Affected Puppet versions: > All (must be configured as a master behind Apache 2.4 using the > default puppet master vhost). > > Fixed Puppet versions: > 3.6.2 > > For more information on these vulnerabilities, please visit > https://puppetlabs.com/security/cve/cve-2014-3248 > https://puppetlabs.com/security/cve/cve-2014-3250 > > ## Bug Fixes > Chatty warning/deprecation messages can now be suppressed – as we near > the end of the 3.x series, there's going to be a slew of deprecations > coming which need to be visible so everyone knows what's going to > change, but some messages trigger tons of log spam, so now it's > possible to turn them off. > Directory environments under webrick now work; they no longer fail > with "Attempted to pop, but already at root of the context stack" > errors. > A memory leak in loading functions was fixed. > > Community shout-out for this release goes to Joshua Hoblitt for > testing the memory leak patch and providing awesome usage graphs > (PUP-2692). > > Please read through the Release Notes for the full list of changes: > http://docs.puppetlabs.com/puppet/latest/reference/release_notes.html > To install Puppet, follow the Installation > Guide:http://docs.puppetlabs.com/guides/install_puppet/pre_install.html > To report issues with the release, file a ticket in the “PUP” project > on https://tickets.puppetlabs.com/ and set the “Affects version/s” > field to "3.6.2”. > > * The Puppet 2.7.x series is officially end of life, but continues to > be maintained by community members. See the release announcement to > puppet-announce/puppet-users/puppet-dev regarding Puppet 2.7.26. > > -- > Moses Mendoza > Puppet Labs > > Join us at PuppetConf 2014, September 20-24 in San Francisco > Register by July 31st to take advantage of the Early Bird discount —save > $249! > -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/bc01a5e8-cf30-4152-bbba-b0b50621b9f5%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
