subject:"\[Puppet Users\] \[ask\] Upgrade for CVE\-2011\-3872 AltNames Vulnerability"

Re: [Puppet Users] [ask] Upgrade for CVE-2011-3872 AltNames Vulnerability

2011-10-26 Thread Peter Meier

Is it ok if i just upgrade puppetmaster to 2.6.12 and still using  
old puppet.conf with certdnsnames?


The certdnsnames have been abandonned in favor of a new option:  
http://docs.puppetlabs.com/references/stable/configuration.html#certdnsnames


And if your current client certificates contain a master  
altSubjectName, you need to rollout a new (from the ground up) CA.  
Otherwise you're still subject to a possible attack with old certs.


The notes released by puppetlabs are quite detailed about that:  
http://puppetlabs.com/security/cve/cve-2011-3872/


Unfortunately, if you are affected, this issue is *not* fixed by  
simply updating a package.


~pete

--
You received this message because you are subscribed to the Google Groups "Puppet 
Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] [ask] Upgrade for CVE-2011-3872 AltNames Vulnerability

2011-10-25 Thread heriyanto


Thank for your reply Nigel,
my host is about hundreds.
Is it ok if i just upgrade puppetmaster to 2.6.12 and still using old 
puppet.conf with certdnsnames?

if is work well, after that i upgrade all my agent.
Thank you for any reply.

On 10/25/2011 11:12 PM, Nigel Kersten wrote:



On Mon, Oct 24, 2011 at 8:28 PM, heriyanto > wrote:


Base on CVE-2011-3872, i want to upgrade all puppet master and agent,
my plan upgrade puppet master first then the agent, whether the
configuration I can still be used?
if use version 2.6.12 as a puppet master and agent still 2.6.6 for
temporary then after that i upgrade to 2.6.12 for the agent?
because my configuration already complex, and also using certdnsnames.
Or anybody have good plan for upgrading? i can't recreate CA
because i have much hosts.


Upgrading the master is the important part, not the agents, but you 
should ultimately do them as well anyway.


How many hosts do you have? If you can cluster SSH commands to them 
you can follow the SSH recipe for migrating them to a new CA.


https://github.com/puppetlabs/puppetlabs-cve20113872/blob/master/README-ssh-only.markdown

or if you can cope with a webrick master, we have a recipe there that 
will work for 2.6.x and 2.7.x webrick puppet masters.


https://github.com/puppetlabs/puppetlabs-cve20113872/tree/master/bin/webrick

If you have some other setup, you may be able to fork that module and 
modify it to work with your deployment.




Best regards,
Heriyanto

-- 
You received this message because you are subscribed to the Google

Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@ googlegroups.com
.
For more options, visit this group at http://groups.google.com/
group/puppet-users?hl=en
.




--
Nigel Kersten
Product Manager, Puppet Labs


--
You received this message because you are subscribed to the Google 
Groups "Puppet Users" group.

To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.


--
You received this message because you are subscribed to the Google Groups "Puppet 
Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] [ask] Upgrade for CVE-2011-3872 AltNames Vulnerability

2011-10-25 Thread Nigel Kersten

On Mon, Oct 24, 2011 at 8:28 PM, heriyanto wrote:

> Base on CVE-2011-3872, i want to upgrade all puppet master and agent,
> my plan upgrade puppet master first then the agent, whether the
> configuration I can still be used?
> if use version 2.6.12 as a puppet master and agent still 2.6.6 for
> temporary then after that i upgrade to 2.6.12 for the agent?
> because my configuration already complex, and also using certdnsnames.
> Or anybody have good plan for upgrading? i can't recreate CA because i have
> much hosts.
>

Upgrading the master is the important part, not the agents, but you should
ultimately do them as well anyway.

How many hosts do you have? If you can cluster SSH commands to them you can
follow the SSH recipe for migrating them to a new CA.

https://github.com/puppetlabs/puppetlabs-cve20113872/blob/master/README-ssh-only.markdown

or if you can cope with a webrick master, we have a recipe there that will
work for 2.6.x and 2.7.x webrick puppet masters.

https://github.com/puppetlabs/puppetlabs-cve20113872/tree/master/bin/webrick

If you have some other setup, you may be able to fork that module and modify
it to work with your deployment.




>
> Best regards,
> Heriyanto
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to puppet-users+unsubscribe@**
> googlegroups.com .
> For more options, visit this group at http://groups.google.com/**
> group/puppet-users?hl=en
> .
>
>


-- 
Nigel Kersten
Product Manager, Puppet Labs

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] [ask] Upgrade for CVE-2011-3872 AltNames Vulnerability

2011-10-24 Thread heriyanto


Base on CVE-2011-3872, i want to upgrade all puppet master and agent,
my plan upgrade puppet master first then the agent, whether the 
configuration I can still be used?
if use version 2.6.12 as a puppet master and agent still 2.6.6 for 
temporary then after that i upgrade to 2.6.12 for the agent?

because my configuration already complex, and also using certdnsnames.
Or anybody have good plan for upgrading? i can't recreate CA because i 
have much hosts.


Best regards,
Heriyanto

--
You received this message because you are subscribed to the Google Groups "Puppet 
Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] [ask] Upgrade for CVE-2011-3872 AltNames Vulnerability

Re: [Puppet Users] [ask] Upgrade for CVE-2011-3872 AltNames Vulnerability

Re: [Puppet Users] [ask] Upgrade for CVE-2011-3872 AltNames Vulnerability

[Puppet Users] [ask] Upgrade for CVE-2011-3872 AltNames Vulnerability

4 matches

Site Navigation

Mail list logo

Footer information