A couple of updates:

- Yes, a CVE will be issued.

- The remediation steps below are a little wonky, and my subject line is 
inaccurate. The same exposure happens for CA keys generated by running a 
webrick 'puppet master', or passenger-based packages, or by puppet server. 
By far the simplest thing is to make sure your privatekeydir 
($ssldir/private_keys) and CA private keys ($ssldir/ca/ca_key.pem) are 
"chmod o-rwx" rather than running the 'puppet cert' or 'agent' commands as 
I said below.

- In addition to the CA key being exposed, if you used puppetserver to 
generate your _host_ key on the CA, that key and the 'privatekeydir' 
directory will have too-lenient permissions.

--eric0

On Tuesday, September 29, 2015 at 9:47:57 PM UTC-7, Eric Sorenson wrote:
>
> We've identified and are fixing a condition in puppet where the auto-generated 
> CA private key is created with too-lenient permissions. We feel the exposure is 
> pretty limited (it would require a local user account on the CA system, to 
> discover and copy/modify the CA key before additional puppet commands run) but 
> will be releasing patched versions which do not have the problem. I wanted to 
> post this publicly so users could evaluate their own site and remediate if 
> necessary, in advance of an upstream software release. 
>
> You could be affected if: 
> - you used puppet server or puppet master to automatically generate a CA 
>    keypair and certificate and have NEVER restarted the process 
> - you never subsequently ran a puppet agent, cert, or other subcommands 
>    which use the certificate subsystem, on the host with the CA keypair. 
>
> You will not be affected if: 
> - you run Puppet Enterprise to initialize your CA 
> - you have ever run 'puppet agent' or other 'puppet cert' commands as root 
> on the host with the keypair. 
> - you have ever restarted your puppet master/puppet server process. Ever. 
> Really. 
>
> The immediate fix is to either: 
> - run `puppet agent` as root on the server which has the CA key 
> - as root, `chmod 660 $(puppet master --configprint cadir)/ca_key.pem` 
>
> A huge thank you/merci to Francois Lafont for reporting this issue. 
>
> For more details, see https://tickets.puppetlabs.com/browse/PUP-5274 
>
> Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0 
> puppet platform // coffee // techno // bicycles 
>
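The check and fix described in the update above (audit `$ssldir/private_keys` and `$ssldir/ca/ca_key.pem` for "other" permission bits, then `chmod o-rwx` them), written out as an added example. This is my own script, not code from the thread or from Puppet; the directory layout follows the paths named in the post, the demo tree is constructed in a temp directory so it runs without a Puppet install, and the idea of pointing it at the output of `puppet master --configprint ssldir` on a real CA is my assumption (the post only uses `--configprint cadir`).

```shell
#!/bin/sh
# Added example (not from the thread or from Puppet): audit and remediate the
# permissions the post describes. The demo tree below is constructed to
# simulate the pre-patch state; on a real CA you would instead set SSLDIR to
# the directory that `puppet master --configprint ssldir` reports (assumed).

# Print the octal permission bits of a path (GNU stat, BSD stat as fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if the "other" class has no r/w/x bits, 1 if it is world-accessible.
# The low octal digit is the "other" class, so anything but 0 means exposure.
is_private() {
    p=$(perm_of "$1")
    case "$p" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Audit the two locations the post names; print each offender and return
# the number found (0 means nothing is world-accessible).
audit_ssldir() {
    ssldir=$1
    bad=0
    for path in "$ssldir/private_keys" "$ssldir/ca/ca_key.pem"; do
        [ -e "$path" ] || continue
        if ! is_private "$path"; then
            echo "WORLD-ACCESSIBLE: $path ($(perm_of "$path"))"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# The remediation from the update: strip "other" bits. private_keys is done
# recursively because a host key generated on the CA lives inside it.
fix_ssldir() {
    ssldir=$1
    [ -d "$ssldir/private_keys" ] && chmod -R o-rwx "$ssldir/private_keys"
    [ -f "$ssldir/ca/ca_key.pem" ] && chmod o-rwx "$ssldir/ca/ca_key.pem"
    return 0
}

# --- Constructed demo tree: 0755 private_keys dir, 0644 keys, as if freshly
# --- generated by an unpatched server and never touched by a later run.
DEMO_SSLDIR=$(mktemp -d)
mkdir -p "$DEMO_SSLDIR/private_keys" "$DEMO_SSLDIR/ca"
echo "not a real key" > "$DEMO_SSLDIR/ca/ca_key.pem"
echo "not a real key" > "$DEMO_SSLDIR/private_keys/ca.example.pem"
chmod 755 "$DEMO_SSLDIR/private_keys"
chmod 644 "$DEMO_SSLDIR/ca/ca_key.pem" "$DEMO_SSLDIR/private_keys/ca.example.pem"

audit_ssldir "$DEMO_SSLDIR" && BEFORE=0 || BEFORE=$?
fix_ssldir "$DEMO_SSLDIR"
audit_ssldir "$DEMO_SSLDIR" && AFTER=0 || AFTER=$?
echo "offenders before fix: $BEFORE, after fix: $AFTER"
```

Run it as root against the real ssldir by replacing the demo block with `audit_ssldir "$SSLDIR"` and, if it reports anything, `fix_ssldir "$SSLDIR"`. The audit only looks at the "other" class, which is exactly the exposure in the post; it does not check ownership or group, so a CA whose ssldir is group-readable by an unexpected group still needs a manual look.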

To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/502f17b2-85ed-4a99-a56b-379f4f407402%40googlegroups.com.