Hi there,

On all my Debian and Ubuntu systems today I removed the /var/lib/puppet/ssl dir and let Puppet regenerate keys, because of the vulnerability in OpenSSL that caused weak keys to be generated.

I did it to be safe, but can you confirm Puppet is affected by this bug? I wonder why nobody talks about this on the mailing-list. Maybe there are only RedHat, FreeBSD and Solaris users here? :-)

See http://www.ubuntu.com/usn/usn-612-1 for details
--
Jean-Baptiste Quenot
http://caraldi.com/jbq/blog/

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
Pieter Barrezeele
2008-May-15 15:27 UTC
[Puppet Users] Re: OpenSSL vulnerability on Debian
On 15 May 2008, at 17:25, Jean-Baptiste Quenot wrote:
> Hi there,
>
> On all my Debian and Ubuntu systems today I removed the
> /var/lib/puppet/ssl dir and let Puppet regenerate keys, because of the
> vulnerability in OpenSSL that caused weak keys to be generated.
>
> I did it to be safe, but can you confirm Puppet is affected by this
> bug? I wonder why nobody talks about this on the mailing-list. Maybe
> there are only RedHat, FreeBSD and Solaris users here? :-)
>
> See http://www.ubuntu.com/usn/usn-612-1 for details

Go see here: http://wiki.debian.org/SSLkeys

Cheers,
Pieter.
On May 15, 2008, at 10:25 AM, Jean-Baptiste Quenot wrote:
> Hi there,
>
> On all my Debian and Ubuntu systems today I removed the
> /var/lib/puppet/ssl dir and let Puppet regenerate keys, because of the
> vulnerability in OpenSSL that caused weak keys to be generated.
>
> I did it to be safe, but can you confirm Puppet is affected by this
> bug? I wonder why nobody talks about this on the mailing-list. Maybe
> there are only RedHat, FreeBSD and Solaris users here? :-)

There are plenty of Deb users here; IRC was full of this bug yesterday.

Anything that uses SSL is affected by this bug, so yes, Puppet is, also.

--
The trouble with the rat race is that even if you win, you're still a rat. -- Lily Tomlin
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
The issue is fairly severe. If you don't believe me, then believe HD.

http://metasploit.com/users/hdm/tools/debian-openssl/

-miah

On Thu, May 15, 2008 at 10:28 AM, Luke Kanies <luke@madstop.com> wrote:
>
> On May 15, 2008, at 10:25 AM, Jean-Baptiste Quenot wrote:
>
>> Hi there,
>>
>> On all my Debian and Ubuntu systems today I removed the
>> /var/lib/puppet/ssl dir and let Puppet regenerate keys, because of the
>> vulnerability in OpenSSL that caused weak keys to be generated.
>>
>> I did it to be safe, but can you confirm Puppet is affected by this
>> bug? I wonder why nobody talks about this on the mailing-list. Maybe
>> there are only RedHat, FreeBSD and Solaris users here? :-)
>
> There are plenty of Deb users here; IRC was full of this bug yesterday.
>
> Anything that uses SSL is affected by this bug, so yes, Puppet is, also.
>
> --
> The trouble with the rat race is that even if you win, you're still a
> rat. -- Lily Tomlin
> ---------------------------------------------------------------------
> Luke Kanies | http://reductivelabs.com | http://madstop.com
On Thu, May 15, 2008 at 8:39 AM, Jeremiah Johnson <jeremiah.johnson@gmail.com> wrote:
>
> The issue is fairly severe. If you don't believe me, then believe HD.
>
> http://metasploit.com/users/hdm/tools/debian-openssl/

I have created a wiki page at http://reductivelabs.com/trac/puppet/wiki/RegenerateSSL, which contains the basic overview of how to regenerate your SSL certificates, and includes a Capistrano task to do it for you.

Adam

--
HJK Solutions - We Launch Startups - http://www.hjksolutions.com
Adam Jacob, Senior Partner
T: (206) 508-4759 E: adam@hjksolutions.com
OoO As the evening of Thursday, 15 May 2008 was beginning, around 17:25, "Jean-Baptiste Quenot" <jbq@caraldi.com> said:

> On all my Debian and Ubuntu systems today I removed the
> /var/lib/puppet/ssl dir and let Puppet regenerate keys, because of the
> vulnerability in OpenSSL that caused weak keys to be generated.

> I did it to be safe, but can you confirm Puppet is affected by this
> bug? I wonder why nobody talks about this on the mailing-list. Maybe
> there are only RedHat, FreeBSD and Solaris users here? :-)

BTW, I did generate known_hosts by gathering ssh keys with puppet. I have deleted all ssh host keys, regenerated them and let puppet rebuild the system-wide known hosts file. However, the database still contained old keys. I have deleted the whole database.

Maybe it would be convenient to store some kind of timestamp that will make an entry expire. For example, if a host doesn't push one item to puppetmaster for one day, we can consider that this item does not exist any more and its entries may be removed.
--
No fortunes found
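One way to model the timestamped store suggested in the post above, as an added example that is not part of this thread or of Puppet's own code: entries are keyed by host and key type so that a regenerated host key replaces the stale one (the problem the poster hit), and each entry carries a last-seen time so hosts that stop reporting expire after the one-day window the post proposes. The class and function names, and the constructed sample hosts and key strings, are assumptions of this example.

```python
import time
from typing import Dict, Tuple

# Expiry window from the post (one day); the store keeps unix timestamps
# in seconds, which is an assumption of this example.
ONE_DAY = 24 * 60 * 60

Entry = Tuple[str, float]  # (public key material, last-seen timestamp)


class HostKeyStore:
    """Keys collected from clients, one entry per (host, key type)."""

    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, str], Entry] = {}

    def record(self, host: str, keytype: str, key: str, seen_at: float) -> None:
        """Store or refresh what a host reported. Keying on (host, keytype)
        means a regenerated key overwrites the old one instead of sitting
        beside it in the database."""
        self._entries[(host, keytype)] = (key, seen_at)

    def expire(self, now: float, max_age: float = ONE_DAY) -> int:
        """Drop entries whose host has not reported within max_age seconds.
        Returns the number of entries removed."""
        stale = [k for k, (_, seen) in self._entries.items() if now - seen > max_age]
        for k in stale:
            del self._entries[k]
        return len(stale)

    def known_hosts(self) -> str:
        """Render the surviving entries as known_hosts lines, sorted by host."""
        lines = [f"{host} {keytype} {key}"
                 for (host, keytype), (key, _) in sorted(self._entries.items())]
        return "\n".join(lines) + ("\n" if lines else "")


def build_sample_store(now: float) -> HostKeyStore:
    """Constructed sample data: web1 regenerated its key after the advisory
    (the old entry must be replaced), db1 has been silent for two days."""
    store = HostKeyStore()
    store.record("web1", "ssh-rsa", "AAAAB3-old-weak-key", now - 3 * ONE_DAY)
    store.record("web1", "ssh-rsa", "AAAAB3-new-key", now - 60)
    store.record("db1", "ssh-rsa", "AAAAB3-db1-key", now - 2 * ONE_DAY)
    return store


if __name__ == "__main__":
    s = build_sample_store(time.time())
    print(s.expire(time.time()), "expired")
    print(s.known_hosts(), end="")
```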
Digant C Kasundra
2008-May-15 19:53 UTC
[Puppet Users] Re: OpenSSL vulnerability on Debian
--On Thursday, May 15, 2008 05:25:34 PM +0200 Jean-Baptiste Quenot <jbq@caraldi.com> wrote:
> Hi there,
>
> On all my Debian and Ubuntu systems today I removed the
> /var/lib/puppet/ssl dir and let Puppet regenerate keys, because of the
> vulnerability in OpenSSL that caused weak keys to be generated.
>
> I did it to be safe, but can you confirm Puppet is affected by this
> bug? I wonder why nobody talks about this on the mailing-list. Maybe
> there are only RedHat, FreeBSD and Solaris users here? :-)
>
> See http://www.ubuntu.com/usn/usn-612-1 for details

We're a huge Debian shop and we are definitely doing the same thing.

--
Digant C Kasundra <digant@stanford.edu>
Technical Lead, ITS Unix Systems and Applications, Stanford University
On May 15, 9:39 am, "Jeremiah Johnson" <jeremiah.john...@gmail.com> wrote:
> The issue is fairly severe. If you don't believe me, then believe HD.
>
> http://metasploit.com/users/hdm/tools/debian-openssl/

Or believe the SANS Internet Storm Center: http://isc.sans.org/diary.html?storyid=4421

Threat level yellow. Haven't seen that in awhile!

-joshua
How are people updating clients?

cron job aptitude update?
packages ensure latest?
cron-apt?
is there a pre-seed file for some of the updates?

maybe someone's already done all of that and can post their module ? :)
gary wrote:
> How are people updating clients?

I used the Capistrano task on the wiki - worked quite well :]

http://reductivelabs.com/trac/puppet/wiki/RegenerateSSL

> cron job aptitude update?
> packages ensure latest?
> cron-apt?
> is there a pre-seed file for some of the updates?
>
> maybe someone's already done all of that and can post their module ? :)

Regards,
AJ