Bug#1035674: pre-approval: unblock: puppetserver/7.9.5-2

2023-05-15 Thread Jérôme Charaoui

On 2023-05-14 at 15:19, Paul Gevers wrote:

Hi,

On 11-05-2023 17:36, Jérôme Charaoui wrote:

Uploaded to unstable. Thanks!


and unblocked and aged.


Thanks!



Paul
PS: while not a regression, the autopkgtest fails on armel. Have you 
checked why that is?


Yes, I've looked and it's failing to automatically generate its PKI at 
startup for some reason.


I suspect the bug is somewhere deep down in JRuby but I haven't had the 
cycles to track it down. It's probably related to some of the 32-bit 
stuff that was failing in JRuby's autopkgtests, some of which was fixed 
in 9.4.


So my plan currently is to fix it in sid at some point by upgrading to 
JRuby 9.4 and puppetserver 8.


-- Jérôme



Bug#1035674: pre-approval: unblock: puppetserver/7.9.5-2

2023-05-11 Thread Jérôme Charaoui

On 2023-05-11 at 04:23, Paul Gevers wrote:

Control: tags -1 confirmed moreinfo

Hi Jérôme,

On 07-05-2023 17:47, Jérôme Charaoui wrote:
I would like to request an unblock to upload puppetserver/7.9.5-2 
which fixes two bugs using targeted fixes.


- #1032241 puppetserver - service unit fails to realize the main 
process died

- #1035541 puppetserver: CVE-2023-1894


Please go ahead.


Uploaded to unstable. Thanks!

-- Jérôme



Bug#1035674: pre-approval: unblock: puppetserver/7.9.5-2

2023-05-11 Thread Paul Gevers

Control: tags -1 confirmed moreinfo

Hi Jérôme,

On 07-05-2023 17:47, Jérôme Charaoui wrote:
I would like to request an unblock to upload puppetserver/7.9.5-2 which 
fixes two bugs using targeted fixes.


- #1032241 puppetserver - service unit fails to realize the main 
process died

- #1035541 puppetserver: CVE-2023-1894


Please go ahead.

Paul




Bug#1035674: pre-approval: unblock: puppetserver/7.9.5-2

2023-05-07 Thread Jérôme Charaoui

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: pkg-puppet-de...@alioth-lists.debian.net
Control: affects -1 + src:puppetserver

I would like to request an unblock to upload puppetserver/7.9.5-2 which 
fixes two bugs using targeted fixes.


- #1032241 puppetserver - service unit fails to realize the main 
process died

- #1035541 puppetserver: CVE-2023-1894

[ Reason ]
The main reason is to fix the denial-of-service security issue prior to 
the release. The second fix has been in the source repository's main 
branch for some time, awaiting release.


[ Impact ]
Accepting this release should not have any impact beyond puppetserver 
itself.


[ Tests ]
Build and autopkgtest are passing. The service unit fix has been applied 
locally on my production system for several weeks.


[ Risks ]
There is a (low) risk that the patches introduce new bugs.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing


Thanks!

-- Jérôme

diff -Nru puppetserver-7.9.5/debian/changelog 
puppetserver-7.9.5/debian/changelog
--- puppetserver-7.9.5/debian/changelog 2023-02-09 21:11:26.0 -0500
+++ puppetserver-7.9.5/debian/changelog 2023-05-07 11:09:17.0 -0400
@@ -1,3 +1,10 @@
+puppetserver (7.9.5-2) unstable; urgency=medium
+
+  * abort service start/reload if mainpid dies (Closes: #1032241)
+  * add patch fixing CVE-2023-1894 (Closes: #1035541)
+
+ -- Jérôme Charaoui   Sun, 07 May 2023 11:09:17 -0400
+
 puppetserver (7.9.5-1) unstable; urgency=medium
 
   * New upstream version 7.9.5
diff -Nru 
puppetserver-7.9.5/debian/patches/0010-Backport-fix-for-CVE-2023-1894.patch 
puppetserver-7.9.5/debian/patches/0010-Backport-fix-for-CVE-2023-1894.patch
--- puppetserver-7.9.5/debian/patches/0010-Backport-fix-for-CVE-2023-1894.patch 
1969-12-31 19:00:00.0 -0500
+++ puppetserver-7.9.5/debian/patches/0010-Backport-fix-for-CVE-2023-1894.patch 
2023-05-07 11:09:17.0 -0400
@@ -0,0 +1,127 @@
+From: =?utf-8?b?SsOpcsO0bWUgQ2hhcmFvdWk=?= 
+Date: Sun, 7 May 2023 11:00:09 -0400
+Subject: Backport fix for CVE-2023-1894
+
+Forwarded: not-needed
+Bug: https://tickets.puppetlabs.com/browse/PE-35786
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035541
+Origin:
+  commit, 
https://github.com/puppetlabs/puppetserver/commit/9e0239c19bc852b98c1a63fb33998de7eae388dc
+  backport, 
https://github.com/puppetlabs/puppetserver/commit/545998b71baf70e35dc60c287f2cb2fc11ef9be2
+---
+ .../puppetserver/certificate_authority.clj | 33 +---
+ .../puppetserver/certificate_authority_test.clj| 36 ++
+ 2 files changed, 52 insertions(+), 17 deletions(-)
+
+diff --git a/src/clj/puppetlabs/puppetserver/certificate_authority.clj 
b/src/clj/puppetlabs/puppetserver/certificate_authority.clj
+index 46429f4..16ab834 100644
+--- a/src/clj/puppetlabs/puppetserver/certificate_authority.clj
 b/src/clj/puppetlabs/puppetserver/certificate_authority.clj
+@@ -787,6 +787,11 @@
+   (utils/subject-alt-names {:dns-name (conj default-alt-names host-name)} 
false)
+   (utils/subject-alt-names (update alt-names-list :dns-name conj 
host-name) false
+ 
++
++(def pattern-match-dot #"\.")
++(def pattern-starts-with-alphanumeric-or-underscore #"^[\p{Alnum}_].*")
++(def pattern-matches-alphanumeric-with-symbols-string 
#"^[\p{Alnum}\-_]*[\p{Alnum}_]$")
++
+ (schema/defn validate-subject!
+   "Validate the CSR or certificate's subject name.  The subject name must:
+ * match the hostname specified in the HTTP request (the `subject` 
parameter)
+@@ -795,12 +800,16 @@
+ * not contain the wildcard character (*)"
+   [hostname :- schema/Str
+subject :- schema/Str]
++  (log/debug (i18n/trs "Checking \"{0}\" for validity" subject))
++
+   (when-not (= hostname subject)
++(log/infof "Rejecting subject \"%s\" because it doesn't match hostname 
\"%s\"" subject hostname)
+ (sling/throw+
+   {:kind :hostname-mismatch
+-   :msg  (i18n/tru "Instance name \"{0}\" does not match requested key 
\"{1}\"" subject hostname)}))
++   :msg  (format "Instance name \"%s\" does not match requested key 
\"%s\"" subject hostname)}))
+ 
+   (when (contains-uppercase? hostname)
++(log/info (i18n/tru "Rejecting subject \"{0}\" because all characters 
must be lowercase" subject))
+ (sling/throw+
+   {:kind :invalid-subject-name
+:msg  (i18n/tru "Certificate names must be lower case.")}))
+@@ -809,11 +818,25 @@
+ (sling/throw+
+   {:kind :invalid-subject-name
+:msg  (i18n/tru "Subject contains a wildcard, which is not allowed: 
{0}" subject)}))
+-  
+-  (when-not (re-matches 
#"^([a-z0-9](?:(?:[a-z0-9\-_]*|(? ${RUNTIME_DIRECTORY}/restart"
 ExecStart=/usr/bin/java $JAVA_ARGS \
 -Djruby.lib=/usr/share/jruby/lib \
@@ -25,12 +29,11 @@
 --bootstrap-config
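Review bot: the i18n handling in the certificate_authority.clj hunk of 0010-Backport-fix-for-CVE-2023-1894.patch is inconsistent: the new debug line uses `i18n/trs`, one new `log/info` wraps its message in `i18n/tru`, the other new log line is a plain `log/infof` with no translation at all, and the user-facing hostname-mismatch `:msg` is changed from `(i18n/tru "Instance name \"{0}\" does not match requested key \"{1}\"" subject hostname)` to `(format "Instance name \"%s\" does not match requested key \"%s\"" subject hostname)`, which drops translation of an error string that clients see. As a straight backport of the upstream commits listed in the Origin header this is probably acceptable for the release fix, but it is worth recording in the patch header so the regression is not forgotten later. On the security-relevant part, the removed `(re-matches #"^([a-z0-9](?:(?:[a-z0-9\-_]*|(? ...` call on a single regex with nested alternation is replaced by the three patterns defined just above `validate-subject!` (`pattern-match-dot`, `pattern-starts-with-alphanumeric-or-underscore`, `pattern-matches-alphanumeric-with-symbols-string`), none of which contains nested or overlapping quantifiers, which is what addresses the denial-of-service described in #1035541; the remainder of the 127-line patch, including the per-label check that consumes those patterns and the 36 added test lines, is cut off in this copy and so could not be reviewed here.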