Your message dated Thu, 11 May 2023 15:35:43 +0000
with message-id <[email protected]>
and subject line Bug#1035541: fixed in puppetserver 7.9.5-2
has caused the Debian Bug report #1035541,
regarding puppetserver: CVE-2023-1894
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1035541: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035541
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: puppetserver
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for puppetserver.

CVE-2023-1894[0]:
| A Regular Expression Denial of Service (ReDoS) issue was discovered in
| Puppet Server 7.9.2 certificate validation. An issue related to
| specifically crafted certificate names significantly slowed down
| server operations.

This was fixed in 7.11.0:
https://www.puppet.com/security/cve/cve-2023-1894-puppet-server-redos

But given that in the freeze moving to a new release isn't possible and
looking at the repo I think we could just as well backport these
(the underlying PR is https://github.com/puppetlabs/puppetserver/pull/2700):

https://github.com/puppetlabs/puppetserver/commit/545998b71baf70e35dc60c287f2cb2fc11ef9be2 (7.11.0)
https://github.com/puppetlabs/puppetserver/commit/9e0239c19bc852b98c1a63fb33998de7eae388dc (7.11.0)

The bug report is https://tickets.puppetlabs.com/browse/PE-35786, but it's
not accessible (at least to me)

Cheers,
        Moritz

--- End Message ---
--- Begin Message ---
Source: puppetserver
Source-Version: 7.9.5-2
Done: Jérôme Charaoui <[email protected]>

We believe that the bug you reported is fixed in the latest version of
puppetserver, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jérôme Charaoui <[email protected]> (supplier of updated puppetserver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 07 May 2023 11:09:17 -0400
Source: puppetserver
Architecture: source
Version: 7.9.5-2
Distribution: unstable
Urgency: medium
Maintainer: Puppet Package Maintainers <[email protected]>
Changed-By: Jérôme Charaoui <[email protected]>
Closes: 1032241 1035541
Changes:
 puppetserver (7.9.5-2) unstable; urgency=medium
 .
   * abort service start/reload if mainpid dies (Closes: #1032241)
   * add patch fixing CVE-2023-1894 (Closes: #1035541)


--- End Message ---