[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2013-04-18 Thread tickets
Issue #15561 has been updated by Matthaus Owens. Released in Puppet 3.2.0-rc1 Bug #15561: Fix for CVE-2012-3867 is too restrictive https://projects.puppetlabs.com/issues/15561#change-89540 * Author: Dustin Mitchell * Status: Closed * Priority: Urgent *

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2013-04-04 Thread tickets
Issue #15561 has been updated by Jeff McCune. Acceptance tests that cover Dustin's use case with Apache + Passenger have been committed to master in 8762b7a. Thanks for trying out the pre-release RPMs. We're hoping to get an RC of Puppet 3.2 released in the next few weeks. -Jeff -

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2013-04-02 Thread tickets
Issue #15561 has been updated by Ben Jones. The patched version works for our use case (in-house chained CA). Bug #15561: Fix for CVE-2012-3867 is too restrictive https://projects.puppetlabs.com/issues/15561#change-87894 * Author: Dustin Mitchell * Statu

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2013-04-01 Thread tickets
Issue #15561 has been updated by Jeff McCune. Dustin Mitchell wrote: > I tested again with my shell script > (https://gist.github.com/djmitche/5233972) and it worked just fine, so +1 > from me :) Excellent! I also took your shell script and made it into an automated acceptance test, so hope

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2013-04-01 Thread tickets
Issue #15561 has been updated by Dustin Mitchell. For the record (and since Jeff McCune and I talked about this), I can also verify that Puppet minds the extendedKeyUsage fields of a certificate. This means that certs for masters can be signed with extendedKeyUsage = serverAuth, and agents wi

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2013-04-01 Thread tickets
Issue #15561 has been updated by Dustin Mitchell. I tested again with my shell script (https://gist.github.com/djmitche/5233972) and it worked just fine, so +1 from me :) Bug #15561: Fix for CVE-2012-3867 is too restrictive https://projects.puppetlabs.c

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2013-03-31 Thread tickets
Issue #15561 has been updated by Dustin Mitchell. OK, the docs should be updated to indicate that limitation, then (and it's not so bad to work around with `ssl_client_ca_auth`). Jason, do you mind opening a new Redmine ticket for that documentation change? If you can also make a pull reque

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2013-03-31 Thread tickets
Issue #15561 has been updated by Jeff McCune. On Sun, Mar 31, 2013 at 10:48 AM, wrote: > Issue #15561 has been updated by Dustin Mitchell. > > > @Jeff, how do you think validation of such HTTPS servers should be handled? > Is there a specific reason you need the server certificate signed by

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2013-03-31 Thread tickets
Issue #15561 has been updated by Dustin Mitchell. OK, then I think that's either a misconfiguration (not including the namecheap CA cert in the puppet configuration, although if that's required it should be documented) or a different bug (puppet uses its internal list of CAs rather than the d

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2013-03-31 Thread tickets
Issue #15561 has been updated by Jason Hancock. It doesn't work in 2.7.x because I believe submitting reports to an SSL-enabled reporturl wasn't supported until Puppet 3.0. I haven't done any special configuration for the certificate on the puppetmaster as the http report processor document

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2013-03-30 Thread tickets
Issue #15561 has been updated by Dustin Mitchell. Jason, that's a very different use-case. Did that work in 2.7.17? It looks like what's happening is that the master is trying to verify the reports URL's SSL certificate, and is not finding a root CA certificate that it knows about. I assum

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2013-03-30 Thread tickets
Issue #15561 has been updated by Jason Hancock. My use case was that when submitting a report with the http report processor to an ssl-enabled url, it would break despite using a valid purchased ssl certificate. First, I made sure that it was still failing on 3.1.1: $ rpm -qa | grep puppet-

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2013-03-29 Thread tickets
Issue #15561 has been updated by Jeff McCune. A copy of the markdown for posterity. Pre-release RPMs = Please try these packages and let us know if they resolve [Puppet Labs Ticket #15561](https://projects.puppetlabs.com/issues/15561) * [puppet-3.1.1-20130329git7541bae.1.el6.noarch.rpm](h

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2013-03-29 Thread tickets
Issue #15561 has been updated by Jeff McCune. ## Preview RPMs I've published Enterprise Linux 6 packages from our master branch at http://git.io/tWBvcA These packages may have dependencies from the Puppet Labs release repository, which can be configured using yum install

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2013-03-27 Thread tickets
Issue #15561 has been updated by Jeff McCune. Dustin Mitchell wrote: > Hopefully my understanding from the last few days is correct that this is > targeted for 3.2.0 now. That's correct, we're hoping to get this fixed up in Puppet 3.2. Bug #15561: Fix

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2013-03-27 Thread tickets
Issue #15561 has been updated by Dustin Mitchell. Target version set to 3.2.0 Hopefully my understanding from the last few days is correct that this is targeted for 3.2.0 now. Bug #15561: Fix for CVE-2012-3867 is too restrictive https://projects.puppetl

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2013-03-19 Thread tickets
Issue #15561 has been updated by Poul H. Sørensen. Certificates that are signed by a Certificate Authority are likely to contain a '/' Bug #15561: Fix for CVE-2012-3867 is too restrictive https://projects.puppetlabs.com/issues/15561#change-87201 * Aut

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2013-03-18 Thread tickets
Issue #15561 has been updated by Dustin Mitchell. I'm going to try to describe, overall, what a solution for No 1 would look like. Hopefully we can get this fixed. I need to figure out whether I was incorrect in comment 20 - I think it *is* possible to set up a certificate without a '/' char

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2013-03-18 Thread tickets
Issue #15561 has been updated by Poul H. Sørensen. We just got bit by this, when we tried to use officially signed certificates ourselves. I think that this issue actually consists of (at least) two problems. I have full understanding for the problems that occur due to using the certname as (p

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2013-02-25 Thread tickets
Issue #15561 has been updated by Dustin Mitchell. The best workaround I've found is to just back out the patch. It's relatively small and easy to apply, although it does mean rolling your own packages. Bug #15561: Fix for CVE-2012-3867 is too restrictiv

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2013-02-25 Thread tickets
Issue #15561 has been updated by Rob Hendelman. This is affecting us here as well. I'm trying to set up the puppet server to submit reports to our puppet report server via apache2+passenger with ssl & I'm getting "Report processor failed: Certname "$certname_with_slashes_in_it" must not conta

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2013-02-21 Thread tickets
Issue #15561 has been updated by Jeff McCune. Yuri Arabadji wrote: > okay, what if you try https://github.com/puppetlabs/puppet/pull/1490 > ? tnx. Unfortunately this change does not sufficiently address the root cause of the problem, and

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2013-02-21 Thread tickets
Issue #15561 has been updated by Yuri Arabadji. okay, what if you try https://github.com/puppetlabs/puppet/pull/1490 ? tnx. Bug #15561: Fix for CVE-2012-3867 is too restrictive https://projects.puppetlabs.

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2013-02-21 Thread tickets
Issue #15561 has been updated by Jason Hancock. You can also run into this bug when using the http report processor submitting to an https reporturl where the certificate has a '/' in it. Bug #15561: Fix for CVE-2012-3867 is too restrictive https://proje

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2013-02-18 Thread tickets
Issue #15561 has been updated by Nicola V. adam stokes wrote: > Here is our bug report for this case if you wish to subscribe to that as well: > > http://launchpad.net/bugs/1068145 Hi Adam, yes, apparently that ticket is describing the issue we have. It looks like the bug report has been open

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2013-02-07 Thread tickets
Issue #15561 has been updated by adam stokes. Nicola V wrote: > adam stokes wrote: > > How is this not considered a major problem? I would say from the amount of > > corporations using this product who are on distributions like Ubuntu LTS > > and even RHEL I still see this as a huge problem th

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2013-02-07 Thread tickets
Issue #15561 has been updated by Nicola V. adam stokes wrote: > How is this not considered a major problem? I would say from the amount of > corporations using this product who are on distributions like Ubuntu LTS and > even RHEL I still see this as a huge problem that should be addressed. >

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2013-02-06 Thread tickets
Issue #15561 has been updated by Dustin Mitchell. Tag or not, this is unlikely to get fixed. It's still present in 3.0.2, anyway. Bug #15561: Fix for CVE-2012-3867 is too restrictive https://projects.puppetlabs.com/issues/15561#change-82706 Author: Dust

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2013-02-06 Thread tickets
Issue #15561 has been updated by adam stokes. Andrew Parker wrote: > As the 2.7.x line is winding down, I am removing the target at 2.7.x from > tickets in the system. The 2.7 line should only receive fixes for major > problems (crashes, for instance) or security problems. How is this not con

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2013-01-04 Thread tickets
Issue #15561 has been updated by Andrew Parker. Target version deleted (2.7.x) As the 2.7.x line is winding down, I am removing the target at 2.7.x from tickets in the system. The 2.7 line should only receive fixes for major problems (crashes, for instance) or security problems. --

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2013-01-03 Thread tickets
Issue #15561 has been updated by Dustin Mitchell. OpenSSL *requires* a slash in the subject: [root@relabs07 ssl-master]# openssl req -new -newkey rsa:2048 -keyout ca/ca_key.pem -days 3650 -x509 -out ca/ca_crt.pem -subj 'foo' Generating a 2048 bit RSA private key ..

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2012-12-21 Thread tickets
Issue #15561 has been updated by Yuri Arabadji. Scott, you should try my patch and see if that helps. Both on master and agent. The problem is in CN extraction, which is very poorly coded. PL didn't test when puppet is fed with certs from an external CA.

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2012-12-11 Thread tickets
Issue #15561 has been updated by Scott Bryant. Just adding in on this, hoping this is in the right place. Having the following issue with creating the certs using puppet. Info: Creating a new SSL key for xx.soe.local Error: Could not request certificate: Certname "/c=--/st=somestate/l=

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2012-12-07 Thread tickets
Issue #15561 has been updated by Jeff McCune. Yuri Arabadji wrote: > What if you apply patch from #17879? Thanks. I updated that ticket with more information. I don't understand how that patch addresses this issue. -Jeff Bug #15561: Fix for CVE-2012-3

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2012-12-07 Thread tickets
Issue #15561 has been updated by Yuri Arabadji. What if you apply patch from #17879? Thanks. Bug #15561: Fix for CVE-2012-3867 is too restrictive https://projects.puppetlabs.com/issues/15561#change-78476 Author: Dustin Mitchell Status: Accepted Priority:

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2012-12-05 Thread tickets
Issue #15561 has been updated by Dustin Mitchell. I'm reconsidering my desire to use certificate chaining, since puppetlabs doesn't support it (really, SSL is barely supported at all). But I don't think I'll be able to get to the point of having cert names that fit this pattern. I'll probab

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2012-12-05 Thread tickets
Issue #15561 has been updated by Matt Wise. Jeff, This should impact anybody trying to upgrade from Puppet 2.7.14 to a newer version who has created their own SSL certificate for the Puppet servers, rather than relying on the internal mechanism to dynamically generate a 'generic' cert. A sp

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2012-12-05 Thread tickets
Issue #15561 has been updated by Jeff McCune. Matt Wise wrote: > Jeff, > This bug is still sitting open and affects all versions of Puppet after > 2.7.18. Here I am trying to upgrade to 3.0.1, and I find the bug still > exists. This has been sitting for 5 months now. Not fixing a bug as seri

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2012-12-05 Thread tickets
Issue #15561 has been updated by Matt Wise. Priority changed from Normal to Urgent Jeff, This bug is still sitting open and affects all versions of Puppet after 2.7.18. Here I am trying to upgrade to 3.0.1, and I find the bug still exists. This has been sitting for 5 months now. Not fixing a

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2012-11-29 Thread tickets
Issue #15561 has been updated by adam stokes. Hi, Curious if we could get an update on this particular issue's progress? I realize there are a lot of factors involved so any information you can give would be very appreciated. Thanks Adam Bug #15561: Fi

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2012-09-04 Thread tickets
Issue #15561 has been updated by Dustin Mitchell. (bringing the convo back here from the pull req) dpittman: > @jeffmccune is the last person I know who looked at this, but because of some > horrible internal deficiencies allowing / will actually break various parts > of the certificate handl

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2012-08-27 Thread tickets
Issue #15561 has been updated by Ben Jones. +1 for hoping this was going to be fixed in 2.7.19. This bit us just as we were migrating to use our own CA. Bug #15561: Fix for CVE-2012-3867 is too restrictive https://projects.puppetlabs.com/issues/15561#cha

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2012-08-27 Thread tickets
Issue #15561 has been updated by Nicola V. Dustin Mitchell wrote: > Nicola, at a guess, Ubuntu backported the "security fix" for CVE-2012-3867 > into 2.7.11. So you can help out by ensuring that they also backport the fix > to the fix, when it's ready :) > > I was hoping this would be fixed

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2012-08-27 Thread tickets
Issue #15561 has been updated by Dustin Mitchell. Nicola, at a guess, Ubuntu backported the "security fix" for CVE-2012-3867 into 2.7.11. So you can help out by ensuring that they also backport the fix to the fix, when it's ready :) I was hoping this would be fixed in 2.7.19 - having to blac

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2012-08-27 Thread tickets
Issue #15561 has been updated by Nicola V. Wojtek B wrote: > Impact data as requested: > After upgrading to 2.7.13 -> 2.7.18 (versions in debian testing) no SSL > connections are possible between agents and masters. > > It seems that only setups with externally signed certificates are affected

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2012-07-23 Thread tickets
Issue #15561 has been updated by Matt Wise. This bug just bit us as well for a few hours... This is definitely a bug, it's entirely normal to have '/' characters in a certificate name. Bug #15561: Fix for CVE-2012-3867 is too restrictive https://projects

[Puppet - Bug #15561] Fix for CVE-2012-3867 is too restrictive

2012-07-20 Thread tickets
Issue #15561 has been updated by Wojtek B. Impact data as requested: After upgrading to 2.7.13 -> 2.7.18 (versions in debian testing) no SSL connections are possible between agents and masters. It seems that only setups with externally signed certificates are affected. Our puppet-only sub-set