Your message dated Thu, 09 Feb 2017 11:03:51 +0000
with message-id <e1cbmvz-0003yl...@fasolo.debian.org>
and subject line Bug#854487: fixed in puppet 4.8.2-2
has caused the Debian Bug report #854487,
regarding puppet: puppet agent service enabled and running by default
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
854487: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854487
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: puppet
Severity: critical
Tags: security
Justification: Potentially opens up a new security hole

Hi!

In the old days, users wanting the puppet binaries but not the puppet
daemon would install the puppet-common but not the puppet package [0].
This changed when puppet 4.5 was uploaded to Debian, now the puppet
package contained the binaries and the puppet-agent package contained
the service [1]. This transition was done properly, as the new service
packages would not be installed by default.

However, now somebody decided that it's a good idea to drop the
puppet-agent package and move the service file back to the puppet
package [2]. This is bad, very, very bad. Here's why:

   1. As of today, there is apparently no package shipping only the
      binaries but not the service files.
   2. I have quite a few systems where I occasionally run puppet manually,
      but which should never run puppet automatically.
   3. Those systems began to look for a puppet master at the default
      server address "puppet" recently as the new package version got
      installed.
   4. As a result, anybody with control over DNS could have responded and
      potentially taken over those systems.

Please understand that your change made my and potentially other
people's systems vulnerable without even telling them about it. I urge
you strongly to revert this change!

Best regards

Alexander Kurtz

[0] https://packages.debian.org/source/jessie/puppet
[1] https://tracker.debian.org/news/771535
[2] https://tracker.debian.org/news/833773

Attachment: signature.asc
Description: This is a digitally signed message part


--- End Message ---
--- Begin Message ---
Source: puppet
Source-Version: 4.8.2-2

We believe that the bug you reported is fixed in the latest version of
puppet, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 854...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Apollon Oikonomopoulos <apoi...@debian.org> (supplier of updated puppet package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 08 Feb 2017 15:24:55 +0200
Source: puppet
Binary: puppet puppet-master puppetmaster puppet-master-passenger puppetmaster-passenger puppet-common
Architecture: source all
Version: 4.8.2-2
Distribution: unstable
Urgency: high
Maintainer: Puppet Package Maintainers <pkg-puppet-de...@lists.alioth.debian.org>
Changed-By: Apollon Oikonomopoulos <apoi...@debian.org>
Description:
 puppet     - configuration management system
 puppet-common - transitional dummy package
 puppet-master - configuration management system, master service
 puppet-master-passenger - configuration management system, scalable master service
 puppetmaster - configuration management system, master service - transitional pa
 puppetmaster-passenger - configuration management system, scalable master service - transi
Closes: 854487
Changes:
 puppet (4.8.2-2) unstable; urgency=high
 .
   * Do not enable the puppet service by default on fresh installs
     (Closes: #854487).
     + Preserve the agent lock on upgrade from 3.x to safeguard upgrades from
       Jessie systems where puppet was installed but never used.
   * Update the DEP-8 tests to check that the service is disabled.
   * Strip the agent locking logic from puppet.preinst now that we disable the
     service by default.
   * Add a debian/NEWS entry documenting the disabled service.
   * Update the information in README.Debian and remove the (now obsolete)
     paragraph about stored configs.
Checksums-Sha1:
 6e9a9fddba21106e0fe27435a533c0a9c45c1dfe 2495 puppet_4.8.2-2.dsc
 2f9ddc5454a5d8e6d2678073396cdcfeb4992f95 32844 puppet_4.8.2-2.debian.tar.xz
 61e6ec69bea28609643bca102e1eef6decbafc38 22860 puppet-common_4.8.2-2_all.deb
 a9b4dc46eb17f6a4e6d58626ea9e66e595d0a582 26720 puppet-master-passenger_4.8.2-2_all.deb
 0751a01131825bfc9c1d90cc63af7013a23b9a1d 25632 puppet-master_4.8.2-2_all.deb
 4d5767d0740bd150c35a3719234b66d3565ddc3e 1122090 puppet_4.8.2-2_all.deb
 6340d5dbc020977262caedbbe84de9f250d7ef65 7166 puppet_4.8.2-2_amd64.buildinfo
 460833340792420c1ec797cf828adf6160c0fde2 22406 puppetmaster-passenger_4.8.2-2_all.deb
 fc8cc24c637006e10fecbe5a0fe3073cc0ea1184 22586 puppetmaster_4.8.2-2_all.deb
Checksums-Sha256:
 8cdde4d2a31b10539e67752bdeb3ccb6714dda17f123b5a2bba8ee793f3932af 2495 puppet_4.8.2-2.dsc
 667a6c42616c3da61b6e4f3f4200c0e65257009b829da03398d62269caca2723 32844 puppet_4.8.2-2.debian.tar.xz
 c246a2e9d441952ff4e9d753419873e94a22297541a85b0c0e9cce1f710d3b34 22860 puppet-common_4.8.2-2_all.deb
 d660996a45ad434e1cf847b9c55396085c09e10602395c68ee313553b12a92d2 26720 puppet-master-passenger_4.8.2-2_all.deb
 558e2ec7eec1b3f910aaf6afd375975dd28a126c934662a033809e955dfb82a2 25632 puppet-master_4.8.2-2_all.deb
 022e75e9427192dffdfaeb090bcba5de37cc8c9aee3ec3516c022498ef243567 1122090 puppet_4.8.2-2_all.deb
 a9fd6e11bd16d3ab9222595189515cfe68b881fbaf3c4562dfef7e626ce85f3a 7166 puppet_4.8.2-2_amd64.buildinfo
 d472e5a20e794313bd1a45b818eff354b7ed09332fc611e72ec20460751bf8c3 22406 puppetmaster-passenger_4.8.2-2_all.deb
 cffce6225097d784c5ec04fa4b086fef5c90cc6553b0706d8bfa17d01830a4cc 22586 puppetmaster_4.8.2-2_all.deb
Files:
 203259cb84de27ac4910a682c36c0818 2495 admin optional puppet_4.8.2-2.dsc
 9c72236ca3a77cc8f8d7865ac584dfde 32844 admin optional puppet_4.8.2-2.debian.tar.xz
 696c25d58457e00ea722f977d93587a2 22860 oldlibs extra puppet-common_4.8.2-2_all.deb
 cc4c074cce45e56cdcac0acca4c44a11 26720 admin optional puppet-master-passenger_4.8.2-2_all.deb
 46c6249a977d80bf3b558c6605c7555c 25632 admin optional puppet-master_4.8.2-2_all.deb
 ff6e8460271bf8f80d4e7622aaf1edc4 1122090 admin optional puppet_4.8.2-2_all.deb
 c51ca53734f5b99e15f4711b7e0e0e72 7166 admin optional puppet_4.8.2-2_amd64.buildinfo
 379441df6f9153ceb6a9726321e7ee43 22406 oldlibs extra puppetmaster-passenger_4.8.2-2_all.deb
 47fe61bb29af471bb3ef5174d6c66275 22586 oldlibs extra puppetmaster_4.8.2-2_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
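The report above describes an agent that is enabled by default and, with no explicit server configured, contacts whatever DNS returns for the unqualified name "puppet"; the changelog fixes this by not enabling the service on fresh installs and testing that it stays disabled. The following script is an added example for this page, not code from the bug report, the reporter, or the Debian puppet package. It parses a puppet.conf to find the server the agent would contact, classifies a host from its unit state, and (with `--audit`) collects the live state of the machine. Assumptions, not stated anywhere on the page: the systemd unit is called `puppet`, the Debian package reads `/etc/puppet/puppet.conf`, and `systemctl`, `getent` and `puppet` are on PATH; the config files fed to the parser in the usage at the bottom are constructed for the example.

```shell
#!/bin/sh
# Added example (not from Debian bug #854487 or the puppet package): audit a
# Debian host for the exposure the bug describes and for the 4.8.2-2 behaviour
# (agent service not enabled on a fresh install).
# Assumptions: unit name "puppet", config at /etc/puppet/puppet.conf, and
# systemctl/getent/puppet available. Sample configs are constructed.

# Print the server the agent would contact, parsed from a puppet.conf INI file.
# Puppet's setting is "server"; [agent] overrides [main]; the built-in default,
# and what a missing or silent config yields, is the unqualified name "puppet".
puppet_agent_server() {
    conf=$1
    section=""
    main_server=""
    agent_server=""
    if [ -r "$conf" ]; then
        while IFS= read -r line || [ -n "$line" ]; do
            # strip '#'/';' comments and surrounding whitespace
            line=$(printf '%s' "$line" | sed 's/[#;].*$//; s/^[[:space:]]*//; s/[[:space:]]*$//')
            [ -z "$line" ] && continue
            case "$line" in
                \[*\])
                    section=${line#\[}
                    section=${section%\]}
                    continue
                    ;;
            esac
            key=$(printf '%s' "${line%%=*}" | sed 's/[[:space:]]*$//')
            val=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//')
            [ "$key" = "server" ] || continue
            case "$section" in
                main)  main_server=$val ;;
                agent) agent_server=$val ;;
            esac
        done < "$conf"
    fi
    if [ -n "$agent_server" ]; then
        printf '%s\n' "$agent_server"
    elif [ -n "$main_server" ]; then
        printf '%s\n' "$main_server"
    else
        printf 'puppet\n'
    fi
}

# Classify a host from the strings "systemctl is-enabled"/"is-active" print
# and the server the agent would contact. Prints one of: safe, exposed, review.
exposure_state() {
    enabled=$1
    active=$2
    server=$3
    if [ "$enabled" != "enabled" ] && [ "$active" != "active" ]; then
        echo safe      # nothing starts the agent: the state 4.8.2-2 installs into
    elif [ "$server" = "puppet" ]; then
        echo exposed   # a running agent will trust whoever answers DNS for "puppet"
    else
        echo review    # agent runs, but against an explicitly configured server
    fi
}

# Live check of this host (assumed unit/config paths above). Not run by the
# tests; invoked only with --audit. The lock file is the one "puppet agent
# --disable" creates, which the changelog says is preserved on 3.x upgrades.
audit_host() {
    enabled=$(systemctl is-enabled puppet 2>/dev/null || true)
    active=$(systemctl is-active puppet 2>/dev/null || true)
    server=$(puppet_agent_server /etc/puppet/puppet.conf)
    lock=$(puppet agent --configprint agent_disabled_lockfile 2>/dev/null || true)
    echo "unit: enabled=$enabled active=$active"
    echo "agent server: $server"
    if [ -n "$lock" ] && [ -e "$lock" ]; then
        echo "agent lock present: $lock"
    fi
    echo "dns: $(getent hosts "$server" 2>/dev/null || echo "$server does not resolve")"
    echo "state: $(exposure_state "$enabled" "$active" "$server")"
}

if [ "${1:-}" = "--audit" ]; then
    audit_host
fi
```

Run it as `sh audit-puppet-agent.sh --audit` on a host; a result of `exposed` is the situation the reporter hit (unit enabled or active, server left at the default), and `safe` is what a fresh 4.8.2-2 install should report. On a host where "puppet" resolves, the `dns:` line shows which address the agent would have bootstrapped against.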