Puppet users - Oct 2011 - [ask] Upgrade for CVE-2011-3872 AltNames Vulnerability

Base on CVE-2011-3872, i want to upgrade all puppet master and agent,
my plan upgrade puppet master first then the agent, whether the 
configuration I can still be used?
if use version 2.6.12 as a puppet master and agent still 2.6.6 for 
temporary then after that i upgrade to 2.6.12 for the agent?
because my configuration already complex, and also using certdnsnames.
Or anybody have good plan for upgrading? i can''t recreate CA because i 
have much hosts.

Best regards,
Heriyanto

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Mon, Oct 24, 2011 at 8:28 PM, heriyanto
<shell.heriyanto@gmail.com>wrote:
> Base on CVE-2011-3872, i want to upgrade all puppet master and agent,
> my plan upgrade puppet master first then the agent, whether the
> configuration I can still be used?
> if use version 2.6.12 as a puppet master and agent still 2.6.6 for
> temporary then after that i upgrade to 2.6.12 for the agent?
> because my configuration already complex, and also using certdnsnames.
> Or anybody have good plan for upgrading? i can''t recreate CA
because i have
> much hosts.
>
Upgrading the master is the important part, not the agents, but you should
ultimately do them as well anyway.

How many hosts do you have? If you can cluster SSH commands to them you can
follow the SSH recipe for migrating them to a new CA.

https://github.com/puppetlabs/puppetlabs-cve20113872/blob/master/README-ssh-only.markdown

or if you can cope with a webrick master, we have a recipe there that will
work for 2.6.x and 2.7.x webrick puppet masters.

https://github.com/puppetlabs/puppetlabs-cve20113872/tree/master/bin/webrick

If you have some other setup, you may be able to fork that module and modify
it to work with your deployment.



>
> Best regards,
> Heriyanto
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to puppet-users+unsubscribe@**
> googlegroups.com <puppet-users%2Bunsubscribe@googlegroups.com>.
> For more options, visit this group at http://groups.google.com/**
>
group/puppet-users?hl=en<http://groups.google.com/group/puppet-users?hl=en>
> .
>
>

-- 
Nigel Kersten
Product Manager, Puppet Labs

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Thank for your reply Nigel,
my host is about hundreds.
Is it ok if i just upgrade puppetmaster to 2.6.12 and still using old 
puppet.conf with certdnsnames?
if is work well, after that i upgrade all my agent.
Thank you for any reply.

On 10/25/2011 11:12 PM, Nigel Kersten wrote:
>
>
> On Mon, Oct 24, 2011 at 8:28 PM, heriyanto <shell.heriyanto@gmail.com 
> <mailto:shell.heriyanto@gmail.com>> wrote:
>
>     Base on CVE-2011-3872, i want to upgrade all puppet master and agent,
>     my plan upgrade puppet master first then the agent, whether the
>     configuration I can still be used?
>     if use version 2.6.12 as a puppet master and agent still 2.6.6 for
>     temporary then after that i upgrade to 2.6.12 for the agent?
>     because my configuration already complex, and also using certdnsnames.
>     Or anybody have good plan for upgrading? i can''t recreate CA
>     because i have much hosts.
>
>
> Upgrading the master is the important part, not the agents, but you 
> should ultimately do them as well anyway.
>
> How many hosts do you have? If you can cluster SSH commands to them 
> you can follow the SSH recipe for migrating them to a new CA.
>
>
https://github.com/puppetlabs/puppetlabs-cve20113872/blob/master/README-ssh-only.markdown
>
> or if you can cope with a webrick master, we have a recipe there that 
> will work for 2.6.x and 2.7.x webrick puppet masters.
>
>
https://github.com/puppetlabs/puppetlabs-cve20113872/tree/master/bin/webrick
>
> If you have some other setup, you may be able to fork that module and 
> modify it to work with your deployment.
>
>
>
>     Best regards,
>     Heriyanto
>
>     -- 
>     You received this message because you are subscribed to the Google
>     Groups "Puppet Users" group.
>     To post to this group, send email to puppet-users@googlegroups.com
>     <mailto:puppet-users@googlegroups.com>.
>     To unsubscribe from this group, send email to
>     puppet-users+unsubscribe@ googlegroups.com
>     <mailto:puppet-users%2Bunsubscribe@googlegroups.com>.
>     For more options, visit this group at http://groups.google.com/
>     group/puppet-users?hl=en
>     <http://groups.google.com/group/puppet-users?hl=en>.
>
>
>
>
> -- 
> Nigel Kersten
> Product Manager, Puppet Labs
>
>
> -- 
> You received this message because you are subscribed to the Google 
> Groups "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to 
> puppet-users+unsubscribe@googlegroups.com.
> For more options, visit this group at 
> http://groups.google.com/group/puppet-users?hl=en.
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

> Is it ok if i just upgrade puppetmaster to 2.6.12 and still using  
> old puppet.conf with certdnsnames?
The certdnsnames have been abandonned in favor of a new option:  
http://docs.puppetlabs.com/references/stable/configuration.html#certdnsnames

And if your current client certificates contain a master  
altSubjectName, you need to rollout a new (from the ground up) CA.  
Otherwise you''re still subject to a possible attack with old certs.

The notes released by puppetlabs are quite detailed about that:  
http://puppetlabs.com/security/cve/cve-2011-3872/

Unfortunately, if you are affected, this issue is *not* fixed by  
simply updating a package.

~pete

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.