Michael Stahnke
2011-Oct-24 20:12 UTC
[Puppet Users] Announce: Puppet 2.7.6 Available [ security/feature updates]
Puppet 2.7.6 is a feature and security update release in the 2.7.x branch. The security changes in 2.7.6 address CVE-2011-3872

 * CVE-2011-3872, Altnames Vulnerability

For more details on this vulnerability, follow the link on our blog post:
http://puppetlabs.com/blog/important-security-announcement-altnames-vulnerability/

Other information available at:
http://puppetlabs.com/security
or visit
http://puppetlabs.com/security/cve/cve-2011-3872

Puppet 2.7.6 is available as of now. Changelog entries are available below. More detailed information is available on our Release Notes page.

Detailed feature release notes are available:
https://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes#2.7.6

This release is available for download at:
http://puppetlabs.com/downloads/puppet/puppet-2.7.6.tar.gz

RPM's are available at http://yum.puppetlabs.com/el or /fedora

Debs are available on http://apt.puppetlabs.com (lenny requires backports enabled)

Puppet is also available via Rubygems at http://rubygems.org

See the Verifying Puppet Download section at:
http://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet

Please report feedback via the Puppet Labs Redmine site, using an affected puppet version of 2.7.6
http://projects.puppetlabs.com/projects/puppet/

Commits:

= Changes for 2.7.6

0d4494c Updated CHANGELOG for 2.7.6 (See http://puppetlabs.com/blog/important-security-announcement-altnames-vulnerability/)

= Fixes due to CVE-2011-3872: see

2011841 Improve the error message when a CSR is rejected
afff3df Allow a master to bootstrap itself with dns_alt_names and autosign
388365e (maint) Remove ssl dir before starting a master with DNS alt names
e4c64c7 Fix failing CA Interface specs on Ruby 1.9
9ee1215 Fix some inconsistencies from merging
8144939 Add support for DNS alt names to `puppet ca`
2ba56e3 More 1.8.5 compatibility fixes.
6257188 Better 1.8.5 compatible implementation of `lines`.
4ba4db7 (#2848) Config options require '_', not '-'.
493f8d1 Add --allow-dns-alt-names option to `puppet certificate sign`
0cc8936 Add support for dns-alt-names option to `puppet certificate generate`
c65236d Ruby 1.8.5 compatibility changes in tests and code.
6c37623 Add `lines` alias for `each_line` in Ruby 1.8.5.
e29eb6a s/not_to/should_not/ for older versions of RSpec 2.
f1f5298 (#2848) Eliminate redundant `master_dns_alt_names`.
3a8b376 (#2848) Remove the legacy SSLCertificates code
28dead0 (#2848) Rework the xmlrpc CA handler to use the modern SSL code
a644514 (#2848) Remove unused xmlrpc code
2b1ad43 (#2848) Consistent return values from `subject_alt_names` accessors.
d8516d9 (#2848) Consistently use `subject_alt_names` as accessor name.
0b45f4c (#2848) Don't strip the subjectAltName label when listing.
99488f3 (#2848) Don't enable `emailProtection` for server keys.
f1285a4 (#2848) Only mark `subjectAltName` critical if `subject` is empty.
e65a88e (#2848) Migrate `dns-alt-names` back to settings.
b876c39 Wire up the `setbycli` slot in Puppet settings.
a53f2f2 (#2848) rename subject-alt-name option to dns-alt-names
bc2267a (#2848) Rename `certdnsnames` to match new behaviour.
a720499 (#2848) Use `certdnsnames` when bootstrapping a local master.
6e3f529 (#2848) CSR subjectAltNames handling while signing.
978b65c (#2848) List subject alt names in output of puppet cert --list
7460a5e (#7224) Add a helper to Puppet::SSL::Certificate to retrieve alternate names
94345eb (#2848) Rewrite SSL Certificate Factory, fixing `subjectAltName` leak.
a729d90 (#2848) Reject unknown (== all) extensions on the CSR.
f4fc11d (#2848) extract the subjectAltName value from the CSR.
d64b01b (#2848) Set `certdnsnames` values into the CSR.
78a01a2 (#6928) Don't blow up when the method is undefined...
505d8d6 Updating for 2.7.6rc3
43d1e38 (#9996) Restore functionality for multi-line commands in exec resources
bedf7d2 Updated CHANGELOG for 2.7.6rc2
d457763 (#9832) General StoreConfigs regression.
245dfb7 Updated CHANGELOG for 2.7.6rc1
2958b05 maint: Deal with [].to_s problem in 1.9.2
9c25af4 (#9027) Get rid of spurious info messages in groupadd
1f25c20 (#8411) Fix change group for POSIX file provider
599642d Fix problem with set_mode (chmod) behavior on different test environments.
b43765d Undo change to failing test on 1.8.5
c275a51 Resist directory traversal attacks through indirections.
d759f84 (#9838) Return the tranaction report when doing a ral save
127f83e (#9837) Split parameter pruning from manifest formatting
9d5ce00 (#9837) Move resource formatting method to Puppet::Resource
86230d8 (#9837) Move properties in prep to move proc to method
bf952e1 (#9837) Make a clearer variable name in the specs
6885c36 (#9837) Call puppet apply to avoid deprecation warning
93f8057 (#9837) Extract methods from the main section of the resource application
5d33214 (#9837) Start the cleanup of the puppet resource application
54a2565 (#9832) Test failures with some ActiveRecord versions.
2bf8004 Updates for 2.6.11
8343077 (#9832) 2.7.4 StoreConfigs regression with PostgreSQL.
dce82ea (#9458) Require main puppet module
e158b26 (#9793) "secure" indirector file backed terminus base class.
343c7bd (#9792) Predictable temporary filename in ralsh.
88512e8 Drop privileges before creating and chmodding SSH keys.
6533292 (#9328) Retrieve user and group SIDs on windows.
2775c21 (#9794) k5login can overwrite arbitrary files as root
e7a6995 (#9794) k5login can overwrite arbitrary files as root
408d117 Updated CHANGELOG for 2.6.10
ec5a32a Update spec and lib/puppet.rb for 2.6.10 release
4e8d3a1 (#9775) Only list managed resources in the resources file
51b33d1 (#9326) Support plaintext passwords in Windows 'user' provider.
fe2de81 Resist directory traversal attacks through indirections.
5fea1dc Fix issues with Windows based file URIs
1a13d24 Simplify absolute path detection
a163cd5 Eliminate duplicate absolute path detection
0ce60a5 Added methods for manipulating URI and file paths
71ba92c Restrict the absolute path regex to the start of the string
1edf767 Move group management into providers
15149c1 Remove duplicate SID resolution code
f932511 Move owner management into providers
f05fc83 Add platform-specific metadata collectors
db0b4fb Make string_to_sid_ptr block optional
7fc6baf Add the ability to retrieve user and group SIDs
22bfd9c Move mode management into the providers
4c3aae8 Fix typo bug that prevented FILE_DELETE_CHILD from being set
7de0a80 Sub away trailing backslashes at the end of sources on Windows
44cb1f1 Refactor autorequire of parent to use pathname with ancestors
1300e0a Remove unnecessary Windows-on-non-Windows-master code for path parameter
1f9b57f Cleanup file type integration tests
8d21262 Cleanup and improve coverage of file type unit tests
0a92a70 Resist directory traversal attacks through indirections.
8b6a775 Call Array#join explicitly on command
ae74c68 Fix failing SSL Host test introduced by b6a67edc
37a1975 (#4549) Fix templates to be able to call all functions
a74e56d Expand paths in catalog_spec for windows testing
8d86e5a (9547) Minor mods to acceptance tests
8ec3c7b (#4135) Update pluginsync to only load ruby files.
0c8a0c7 Fix order dependent test failures relating to ADSI
c0edb76 (#9186) Fix tests that fail on 2008 when running as SYSTEM
8e14de6 (#9186) Handle when running under non 'user' contexts
7595475 Fix device.conf error reporting
1d3a3a7 Fix #9164 - allow '-' in device certificate names
b6a67ed Fix #7982 - puppet device doesn't reset all cached attributes
ba1f469 (#9186) Change to shared_examples_for
b27b013 (#8410) Fix child exit status on Windows
42c9982 (#9186) Add the ability to get/set windows permissions
d34d28d (#9435) Gracefully handle when syslog feature is unavailable
f013c65 (#9435) Fix absolute path matching for file log destinations
ea88745 (#9329) Disable agent daemonizing on Windows