Running puppet 3.6.2 and disable_warnings = deprecations appears to make no difference to prohibiting the alert about environments.
On Tuesday, June 10, 2014 1:19:05 PM UTC-5, Moses Mendoza wrote: > > Puppet 3.6.2 is a security and bug fix release in the Puppet 3.6 > series. This release addresses CVE-2014-3248 and CVE-2014-3250. > > ** CVE-2014-3248 ** > Arbitrary Code Execution with Required Social Engineering > An attacker could convince an administrator to unknowingly create and > execute malicious code on platforms with Ruby 1.9.1 and earlier. > CVSSv2 Score: 5.2 > Vector: AV:L/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C > > Affected Puppet versions (ruby 1.9.1 and earlier platforms only): > All > > Fixed Puppet versions: > 3.6.2 > 2.7.26* > > ** CVE-2014-3250 ** > Information Leakage Vulnerability > In Apache 2.4, SSLCARevocationCheck directive was added to mod_ssl, > which defaults it to none and must be explicitly configured. This > setting enables checking of a certificate revocation list. The default > Puppet master vhost config shipped with Puppet does not include this > setting. If a Puppet master is set up to run with Apache 2.4, and this > default vhost configuration file is used, the Puppet master will > continue to honor a host's certificate even after it is revoked. > CVSSv2 Score: 3.1 > Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C > > Affected Puppet versions: > All (must be configured as a master behind Apache 2.4 using the > default puppet master vhost). > > Fixed Puppet versions: > 3.6.2 > > For more information on these vulnerabilities, please visit > https://puppetlabs.com/security/cve/cve-2014-3248 > https://puppetlabs.com/security/cve/cve-2014-3250 > > ## Bug Fixes > Chatty warning/deprecation messages can now be suppressed – as we near > the end of the 3.x series, there's going to be a slew of deprecations > coming which need to be visible so everyone knows what's going to > change, but some messages trigger tons of log spam, so now it's > possible to turn them off. > Directory environments under webrick now work; they no longer fail > with "Attempted to pop, but already at root of the context stack" > errors. > A memory leak in loading functions was fixed. > > Community shout-out for this release goes to Joshua Hoblitt for > testing the memory leak patch and providing awesome usage graphs > (PUP-2692). > > Please read through the Release Notes for the full list of changes: > http://docs.puppetlabs.com/puppet/latest/reference/release_notes.html > To install Puppet, follow the Installation > Guide:http://docs.puppetlabs.com/guides/install_puppet/pre_install.html > To report issues with the release, file a ticket in the “PUP” project > on https://tickets.puppetlabs.com/ and set the “Affects version/s” > field to "3.6.2”. > > * The Puppet 2.7.x series is officially end of life, but continues to > be maintained by community members. See the release announcement to > puppet-announce/puppet-users/puppet-dev regarding Puppet 2.7.26. > > -- > Moses Mendoza > Puppet Labs > > Join us at PuppetConf 2014, September 20-24 in San Francisco > Register by July 31st to take advantage of the Early Bird discount —save > $249! > -- You received this message because you are subscribed to the Google Groups "Puppet Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-dev+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-dev/bc01a5e8-cf30-4152-bbba-b0b50621b9f5%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
