On Wed, Sep 30, 2015 at 6:34 AM, Trevor Vaughan <tvaug...@onyxpoint.com>
wrote:

> Hi Eric,
>
> Will a CVE be issued for this?
>

Yes

>
> Thanks,
>
> Trevor
>
> On Wed, Sep 30, 2015 at 12:47 AM, Eric Sorenson <
> eric.soren...@puppetlabs.com> wrote:
>
>> We've identified and are fixing a condition in puppet where the
>> auto-generated
>> CA private key is created with too lenient permissions. We feel the
>> exposure is
>> pretty limited (it would require a local user account on the CA system, to
>> discover and copy/modify the CA key before additional puppet commands
>> run) but
>> will be releasing patched versions which do not have the problem. I
>> wanted to
>> post this publicly so users could evaluate their own site and remediate if
>> necessary, in advance of an upstream software release.
>>
>> You could be affected if:
>> - you used puppet server or puppet master to automatically generate a CA
>>   keypair and certificate and have NEVER restarted the process
>> - you never subsequently ran a puppet agent, cert, or other subcommands
>>   which use the certificate subsystem, on the host with the CA keypair.
>>
>> You will not be affected if:
>> - you run Puppet Enterprise to initialize your CA
>> - you have ever run 'puppet agent' or other 'puppet cert' commands as
>> root on the host with the keypair.
>> - you have ever restarted your puppet master/puppet server process. Ever.
>> Really.
>>
>> The immediate fix is to either:
>> - run `puppet agent` as root on the server which has the CA key
>> - as root, `chmod 660 $(puppet master --configprint cadir)/ca_key.pem`
>>
>> A huge thank you/merci to Francois Lafont for reporting this issue.
>>
>> For more details, see https://tickets.puppetlabs.com/browse/PUP-5274
>>
>> Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
>> puppet platform // coffee // techno // bicycles
>>
>
>
>
> --
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699
>
> -- This account not approved for unencrypted proprietary information --
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/CANs%2BFoXoQcfPx_K1dtX55zjTSmNJci97aQCWmkiqZXWVBr%2BL8A%40mail.gmail.com
> <https://groups.google.com/d/msgid/puppet-users/CANs%2BFoXoQcfPx_K1dtX55zjTSmNJci97aQCWmkiqZXWVBr%2BL8A%40mail.gmail.com?utm_medium=email&utm_source=footer>
> .
> For more options, visit https://groups.google.com/d/optout.
>

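The two "immediate fix" options above are manual. As an added example (not part of the thread and not Puppet's own code), the script below audits the CA key the advisory is about and applies the same `chmod 660` remediation. It takes the `cadir` path as its argument; obtaining that path with `puppet master --configprint cadir` and the file name `ca_key.pem` come from the advisory itself. Reading the mode from `ls -ld` instead of `stat(1)` is this example's choice, made so the same script runs on GNU and BSD userlands; the `--fix` flag and the exit codes are conventions of this example only.

```shell
#!/bin/sh
# Added example, not Puppet's code: audit the permissions of the
# auto-generated CA private key described in the advisory (PUP-5274)
# and optionally apply the advisory's remediation (chmod 660).
#
# Usage: sh check_ca_key.sh "$(puppet master --configprint cadir)" [--fix]

# Print the 10-character symbolic mode of a file, e.g. "-rw-r--r--".
# ls -ld is used rather than stat(1) because stat's flags differ
# between GNU and BSD; cut -c1-10 also drops any trailing ACL marker.
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# True (exit 0) when a symbolic mode string grants any bit to "other",
# i.e. any local user account on the CA host could read the key.
mode_world_accessible() {
    case "$(printf '%s' "$1" | cut -c8-10)" in
        ---) return 1 ;;
        *)   return 0 ;;
    esac
}

# check_ca_key CADIR
#   returns 0: key present and not world-accessible
#           1: key present and world-accessible (affected)
#           2: no key at CADIR/ca_key.pem (nothing to check)
check_ca_key() {
    key="$1/ca_key.pem"
    if [ ! -f "$key" ]; then
        echo "no CA key at $key"
        return 2
    fi
    mode=$(file_mode "$key")
    if mode_world_accessible "$mode"; then
        echo "AFFECTED: $key is $mode (readable by other)"
        return 1
    fi
    echo "ok: $key is $mode"
    return 0
}

# Apply the remediation from the advisory. Must run as root on the CA host.
fix_ca_key() {
    chmod 660 "$1/ca_key.pem"
}

# Command-line entry point; skipped when the file is sourced without args.
if [ $# -gt 0 ]; then
    check_ca_key "$1"
    rc=$?
    if [ "$rc" -eq 1 ] && [ "${2:-}" = "--fix" ]; then
        fix_ca_key "$1" && check_ca_key "$1"
        rc=$?
    fi
    exit "$rc"
fi
```

Run the check first without `--fix`; a result of 1 on a CA host that has never been restarted matches the "could be affected" case in the advisory, and a 0 corresponds to the state a `puppet agent` run as root (or the explicit `chmod 660`) leaves behind.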