Ryan McKern
2014-Apr-15 17:40 UTC
[Puppet Users] Announce: Puppet Enterprise 2.8.6 is now available
Dear Puppet Enterprise Users, Puppet Enterprise 2.8.6 is now available. This is a security and bugfix release of Puppet Enterprise. All users of Puppet Enterprise 2.x are encouraged to upgrade when possible to Puppet Enterprise 2.8.6 Puppet Enterprise 2.8.6 includes fixes to address CVE-2014-0098, and CVE-2013-6438. For information on the bug fixes in this release, see http://docs.puppetlabs.com/pe/latest/appendix.html#release-notes We want to emphasize that Puppet Enterprise does not need to be patched for Heartbleed. No version of Puppet Enterprise has been shipped with a vulnerable version of OpenSSL, so Puppet Enterprise is not itself vulnerable to the security bug known as Heartbleed, and does not require a patch from Puppet Labs. However, some of your Puppet Enterprise-managed nodes could be running operating systems that include OpenSSL versions 1.0.1 or 1.0.2, and both of these are vulnerable to the Heartbleed bug. Since tools included in Puppet Enterprise, such as PuppetDB and the Console, make use of SSL certificates we believe the safest, most secure method for assuring the security of your Puppet-managed infrastructure is to regenerate your certificate authority and all OpenSSL certificates. We have outlined the remediation procedure to help make it an easy and fail-safe process. You'll find the details here: Remediation for Recovering from the Heartbleed Bug. We're here to help. If you have any issues with remediating the Heartbleed vulnerability, one of your authorized Puppet Enterprise support users can always log into the customer support portal. We'll continue to update the email list with any new information as it comes out. Additional Information Heartbleed and Puppet-Supported Operating Systems https://puppetlabs.com/blog/heartbleed-and-puppet-supported-operating-systems Heartbleed Update: Regeneration Still the Safest Path https://puppetlabs.com/blog/heartbleed-update-regeneration-still-safest-path As a current Puppet Enterprise user, you can upgrade to this new version as part of your annual subscription. If upgrading, it is recommended to upgrade your master and console servers first. As always, we want to hear about your experiences with Puppet Enterprise. If you have any questions about upgrading, be sure to get in touch with Puppet Labs Support. -- Ryan McKern Release Engineer *Join us at *PuppetConf 2014 <http://www.puppetconf.com/>*, *September 22-24* in San Francisco* *Register by May 30th to take advantage of the Early Adopter discount <http://links.puppetlabs.com/puppetconf-early-adopter> **—**save $349!* -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CADj7mEfMh0beiyX8JrGRbVnCQ1HfJT%3DZMfeBrN9pT4AivWQSBw%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.