On Sun, 2007-11-25 at 14:23 +0100, David Schmitt wrote:
> Hi *!
>
> Just a heads up. The recent issues with the Ruby SSL Security Fix are
> now available on Debian too.
>
> I've updated the infos on
> http://reductivelabs.com/trac/puppet/wiki/RubySSL-2007-006
>
> Summary:
>
> DSA 1410-1 and DSA 1411-1 updating ruby1.8 to 1.8.5-4etch1 cause puppet
> to fail, if the puppetmaster has no certificate matching the value of
> the client's "server" parameter, which is "puppet" by default.
Excellent writeup - I added a little blurb about fixing puppet: URLs in
the manifests, too.
The one thing I'd change in addition to that is calling the server side
fix a 'workaround' - I called it that initially, but after some more
digging into the issue, I think that is actually the correct fix. (Using
DerekW's subjectAltName patches is equally correct but requires the very
latest from the trunk, and can't be done with a released version of
puppet.)
Am _very_ strongly opposed to turning off the hostname check altogether
- it effectively reverts a ruby security fix that has a CVE on it, and
changes the behavior of ruby's ssl connections in a way that is almost
impossible to find out for an average user. Since compromising a server
cert gives you effectively root console access on all the clients, I'd
be extremely careful with something like that.
David
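The check the two Davids are discussing is the one Ruby's OpenSSL binding performs after the TLS handshake: the name the client was told to connect to (puppet's "server" parameter) has to appear in the server certificate, either as the subject CN or, if the certificate carries a subjectAltName extension, as one of its DNS entries. The script below is an added example, not code from this thread or from puppet itself; it builds throwaway self-signed certificates in memory and runs them through Ruby's own `OpenSSL::SSL.verify_certificate_identity` (the same routine `SSLSocket#post_connection_check` uses) so the behaviour can be seen without a running puppetmaster. The host names and the function names `build_test_cert` and `name_matches?` are constructed for this example.

```ruby
require "openssl"

# Build a self-signed certificate for test purposes only.
# common_name goes into the subject CN; san_names become DNS entries in a
# subjectAltName extension (none is added when the list is empty).
def build_test_cert(common_name, san_names)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2            # X.509 v3, required for extensions
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600

  unless san_names.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate  = cert
    sans = san_names.map { |n| "DNS:#{n}" }.join(",")
    cert.add_extension(ef.create_extension("subjectAltName", sans, false))
  end

  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# True when the configured server name would pass Ruby's post-handshake
# identity check against this certificate. With a subjectAltName present
# only the DNS entries count; the CN is consulted only when there is no SAN.
def name_matches?(cert, configured_server)
  OpenSSL::SSL.verify_certificate_identity(cert, configured_server)
end

if __FILE__ == $0
  # Case 1: CN is the master's FQDN, SAN lists the default "puppet" alias
  # (the shape DerekW's subjectAltName approach produces).
  with_san = build_test_cert("puppetmaster.example.org", ["puppet", "puppet.example.org"])
  # Case 2: plain certificate whose CN is the name clients are configured with.
  cn_only  = build_test_cert("puppet", [])

  [["with_san", with_san], ["cn_only", cn_only]].each do |label, cert|
    %w[puppet puppet.example.org puppetmaster.example.org].each do |server|
      puts format("%-9s server=%-26s -> %s", label, server, name_matches?(cert, server))
    end
  end
end
```

The output makes the failure mode in the DSA concrete: a client configured with `server = puppet` is accepted by either certificate, but a master certificate issued only for its FQDN, with no "puppet" alias anywhere, is rejected by the same check. Note also that once a SAN extension is present the CN no longer counts, so a certificate that lists aliases in the SAN must list every name clients use, the CN included.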