Home / mailings [USN-1238-2] Puppet regression
Posted on 25 October 2011
Ubuntu Security==========================
==========================
========================
Ubuntu Security Notice USN-1238-2
October 25, 2011
puppet regression
==========================
==========================
========================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 11.04
Summary:
USN-1238-1 caused a regression on Ubuntu 11.04.
Software Description:
- puppet: Centralized configuration management
Details:
USN-1238-1 fixed vulnerabilities in Puppet. The upstream patch introduced a
regression in Ubuntu 11.04 when executing certain commands. This update
fixes the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that Puppet incorrectly handled the non-default
"certdnsnames" option when generating certificates. If this setting was
added to puppet.conf, the puppet master=E2=80=99s DNS alt names were added=
to the
X.509 Subject Alternative Name field of all certificates, not just the
puppet master=E2=80=99s certificate. An attacker that has an incorrect age=
nt
certificate in his possession can use it to impersonate the puppet master
in a man-in-the-middle attack.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 11.04:
puppet-common 2.6.4-2ubuntu2.6
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1238-2
http://www.ubuntu.com/usn/usn-1238-1
https://launchpad.net/bugs/881361
Package Information:
https://launchpad.net/ubuntu/+source/puppet/2.6.4-2ubuntu2.6
