Hi Eric,

Will a CVE be issued for this?

Thanks,
Trevor

On Wed, Sep 30, 2015 at 12:47 AM, Eric Sorenson <[email protected]> wrote:

> We've identified and are fixing a condition in puppet where the auto-generated
> CA private key is created with too-lenient permissions. We feel the exposure is
> pretty limited (it would require a local user account on the CA system, to
> discover and copy/modify the CA key before additional puppet commands run) but
> will be releasing patched versions which do not have the problem. I wanted to
> post this publicly so users could evaluate their own site and remediate if
> necessary, in advance of an upstream software release.
>
> You could be affected if:
> - you used puppet server or puppet master to automatically generate a CA
>   keypair and certificate and have NEVER restarted the process
> - you never subsequently ran a puppet agent, cert, or other subcommands
>   which use the certificate subsystem, on the host with the CA keypair.
>
> You will not be affected if:
> - you run Puppet Enterprise to initialize your CA
> - you have ever run 'puppet agent' or other 'puppet cert' commands as root
>   on the host with the keypair.
> - you have ever restarted your puppet master/puppet server process. Ever.
>   Really.
>
> The immediate fix is to either:
> - run `puppet agent` as root on the server which has the CA key
> - as root, `chmod 660 $(puppet master --configprint cadir)/ca_key.pem`
>
> A huge thank you/merci to Francois Lafont for reporting this issue.
>
> For more details, see https://tickets.puppetlabs.com/browse/PUP-5274
>
> Eric Sorenson - [email protected] - freenode #puppet: eric0
> puppet platform // coffee // techno // bicycles

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699

-- This account not approved for unencrypted proprietary information --

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
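A small audit script for the condition Eric describes, added here as an example and not part of the thread or of Puppet itself: it reports whether the CA private key carries any "other" permission bits (the exposure to arbitrary local accounts) and can apply the `chmod 660` remediation from the post. The default key location is derived from `puppet master --configprint cadir` as in the post; the function names and the option to pass an explicit path are my own assumptions.

```sh
#!/bin/sh
# Added example (not from the original thread): audit the Puppet CA private
# key for the over-permissive mode described above and, optionally, apply the
# chmod 660 remediation the post gives. Function names are assumptions.

# other_bits FILE: print the "other" rwx triplet from `ls -l` (e.g. "r--").
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# ca_key_exposed FILE: succeed (0) when any "other" bit is set, i.e. the key
# is readable or writable by every local account; fail (1) when it is not.
ca_key_exposed() {
    case "$(other_bits "$1")" in
        ---) return 1 ;;
        *)   return 0 ;;
    esac
}

# audit_ca_key [FILE]: locate the key (default: puppet's cadir) and report.
# Returns 0 when the mode is acceptable, 1 when exposed, 2 when no key found.
audit_ca_key() {
    key="${1:-$(puppet master --configprint cadir 2>/dev/null)/ca_key.pem}"
    if [ ! -f "$key" ]; then
        echo "no CA key at $key (not a CA host?)"
        return 2
    fi
    if ca_key_exposed "$key"; then
        echo "EXPOSED: $key is accessible to other users: $(ls -ld "$key")"
        return 1
    fi
    echo "OK: $key has no world-accessible bits"
    return 0
}

# remediate_ca_key FILE: apply the mode from the post (run as root), then
# re-audit so the caller sees the resulting state.
remediate_ca_key() {
    chmod 660 "$1" && audit_ca_key "$1"
}
```

Run `audit_ca_key` on each CA host; a non-zero exit of 1 means the key should be fixed with `remediate_ca_key` (or the `puppet agent` run from the post) before any untrusted local account can reach it.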
