This release is the final maintenance release of the 2.6.x series of Puppet. Further releases in this series will only be issued to address security concerns.

This release is available for download at:
http://puppetlabs.com/downloads/puppet/puppet-2.6.13.tar.gz

See the Verifying Puppet Download section at:
http://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet

Please report feedback via the Puppet Labs Redmine site, using an affected version of 2.6.13:
http://projects.puppetlabs.com/projects/puppet/

2.6.13 Release Notes
====================

Fix #10739 Provide default subjectAltNames while bootstrapping master

Prior to #2848 (CVE-2011-3872), if Puppet[:certdnsnames] was not set, puppet would add default subjectAltNames to any non-CA cert it signed, including agent certs. The subjectAltNames were of the form:

    DNS:puppet, DNS:<fqdn>, DNS:puppet.<domain>

The fix for #2848 prevented subjectAltNames from ever being implicitly added at signing time. But during this change, the default subjectAltNames behavior was accidentally removed.

This commit restores the 'defaulting' behavior that existed previously, but only when bootstrapping the initial master. Additionally, default subjectAltNames are only ever added when generating the master's certificate signing request, not at signing time. This is important, because it ensures all subjectAltNames originate from the CSR and are subject to our internal signing policy.

The code now requires that all of the following be true in order to add default subjectAltNames to the CSR:

1. We are a CA and master
2. We're signing the master's cert, not self-signing the CA
3. The CSR is for the current host
4. No subjectAltNames have been specified, e.g. Puppet[:dns_alt_names]
5. The master can resolve its fqdn

These should only ever be true when bootstrapping the initial master. In particular, it should never be true for the CA's self-signed cert, for remote agents, or for servers that are either masters or CAs, but not both.
The fqdn requirement existed previously, and so the same behavior has been restored.

Note if Puppet[:dns_alt_names] are specified when bootstrapping the master, then we do not merge the default options -- it's either one or the other, but not both.

Fix #10289 Add an ext script to upload facts to inventory server

This script, ext/upload_facts, will read facts from the master's yaml dir and save them to the facts terminus. The intended use of this is when the facts terminus is set to inventory_service, to be run periodically via cron to ensure facts are uploaded even if the inventory_service becomes temporarily unavailable. It supports a --minutes option, which will limit the facts uploaded to only those added in the last n minutes.

#10289 (continued) Add a safe alternative to REST for inventory service

With the default implementation of the inventory service, with a terminus REST and cache YAML, a failed upload to the inventory service would cause compilation to fail. This means the inventory service was a single point of failure for the entire Puppet infrastructure.

Now, we introduce an inventory_service terminus which can be used in place of the REST terminus, and will absorb failures, allowing compilation to continue.

2.6.13 Changelog Highlights
===========================

* e4ee794 (#10739) Provide default subjectAltNames while bootstrapping master
* 9dfd011 (#5617) Puppet queue logging
* aa2a762 (#10289) Add an ext script to upload facts to inventory server
* 5129d38 (#10289) Add a safe alternative to REST for inventory service
* 397a506 (#10244) Restore Mongrel XMLRPC functionality
* bb224dd (#8770) Don't fail to set supplementary groups when changing user to root
* 2a0de12 (#8770) Always fully drop privileges when changing user
* d7c9c76 (#8740) Do not enumerate files in the root directory.
* fb2ffd6 (#8596) Detect resource alias conflicts when titles do not match
* 89c021c (#8418) Fix inspect app to have the correct run_mode
* b268fb3 (#7144) Update Settings#writesub to convert mode to Fixnum
* 111a4b5 (#6857) Password disclosure when changing a user's password
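
An added Ruby example for the #10739 notes above (not Puppet's own code): it applies the five conditions to decide whether default subjectAltNames go into the CSR, embeds them as an extension request, and reads them back the way a signer can before deciding to sign. The `ctx` hash, its keys, the function names and the example.com hostnames are assumptions made for this illustration.

```ruby
require 'openssl'

# ctx is a hypothetical hash standing in for Puppet's settings and run state.
# Default names are returned only when all five conditions in the notes hold.
def default_alt_names(ctx)
  return [] unless ctx[:ca] && ctx[:master]          # 1. CA and master
  return [] if ctx[:csr_name] == ctx[:ca_name]       # 2. not the CA's self-signed cert
  return [] unless ctx[:csr_name] == ctx[:certname]  # 3. CSR is for the current host
  return [] unless ctx[:dns_alt_names].to_s.empty?   # 4. explicit names: no merging
  fqdn = ctx[:fqdn]                                  # 5. nil when fqdn did not resolve
  return [] if fqdn.nil?
  domain = fqdn.split('.', 2)[1]
  ['puppet', fqdn, ("puppet.#{domain}" if domain)].compact
end

# Put the names into the CSR itself as an extension request (extReq attribute).
def build_csr(name, key, alt_names)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', name]])
  csr.public_key = key.public_key
  unless alt_names.empty?
    san = OpenSSL::X509::ExtensionFactory.new.create_extension(
      'subjectAltName', alt_names.map { |n| "DNS:#{n}" }.join(', '))
    req = OpenSSL::ASN1::Set([OpenSSL::ASN1::Sequence([san])])
    csr.add_attribute(OpenSSL::X509::Attribute.new('extReq', req))
  end
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
end

# What a signer can read back from the CSR before deciding whether to sign.
def requested_alt_names(csr)
  attr = csr.attributes.find { |a| a.oid == 'extReq' }
  return [] unless attr
  exts = attr.value.value.first.value.map { |e| OpenSSL::X509::Extension.new(e.to_der) }
  exts.select { |e| e.oid == 'subjectAltName' }.flat_map { |e| e.value.split(', ') }
end

# Constructed sample: a host that is both CA and master, bootstrapping itself.
BOOTSTRAP = { ca: true, master: true, ca_name: 'Puppet CA',
              certname: 'master.example.com', csr_name: 'master.example.com',
              dns_alt_names: '', fqdn: 'master.example.com' }.freeze

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048)
  csr = build_csr(BOOTSTRAP[:csr_name], key, default_alt_names(BOOTSTRAP))
  puts requested_alt_names(csr).inspect
end
```

Because the names travel inside the signed CSR, a request from an agent that carries no extension request yields an empty list here, and nothing is added for it later at signing time.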