heriyanto
2011-Oct-25 03:28 UTC
[Puppet Users] [ask] Upgrade for CVE-2011-3872 AltNames Vulnerability
Based on CVE-2011-3872, I want to upgrade all puppet masters and agents. My plan is to upgrade the puppet master first, then the agents. Can the configuration still be used? For example, version 2.6.12 as the puppet master while the agents temporarily stay on 2.6.6, and after that I upgrade the agents to 2.6.12? My configuration is already complex, and it also uses certdnsnames. Or does anybody have a good plan for upgrading? I can't recreate the CA because I have many hosts.

Best regards,
Heriyanto

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Nigel Kersten
2011-Oct-25 16:12 UTC
Re: [Puppet Users] [ask] Upgrade for CVE-2011-3872 AltNames Vulnerability
On Mon, Oct 24, 2011 at 8:28 PM, heriyanto <shell.heriyanto@gmail.com> wrote:
> Based on CVE-2011-3872, I want to upgrade all puppet masters and agents. My plan is to upgrade the puppet master first, then the agents. Can the configuration still be used? For example, version 2.6.12 as the puppet master while the agents temporarily stay on 2.6.6, and after that I upgrade the agents to 2.6.12? My configuration is already complex, and it also uses certdnsnames. Or does anybody have a good plan for upgrading? I can't recreate the CA because I have many hosts.

Upgrading the master is the important part, not the agents, but you should ultimately do them as well anyway.

How many hosts do you have? If you can cluster SSH commands to them, you can follow the SSH recipe for migrating them to a new CA:

https://github.com/puppetlabs/puppetlabs-cve20113872/blob/master/README-ssh-only.markdown

Or, if you can cope with a webrick master, we have a recipe there that will work for 2.6.x and 2.7.x webrick puppet masters:

https://github.com/puppetlabs/puppetlabs-cve20113872/tree/master/bin/webrick

If you have some other setup, you may be able to fork that module and modify it to work with your deployment.

--
Nigel Kersten
Product Manager, Puppet Labs
heriyanto
2011-Oct-26 03:31 UTC
Re: [Puppet Users] [ask] Upgrade for CVE-2011-3872 AltNames Vulnerability
Thanks for your reply, Nigel. My hosts number in the hundreds. Is it OK if I just upgrade the puppetmaster to 2.6.12 and keep using the old puppet.conf with certdnsnames? If that works well, after that I upgrade all my agents.

Thank you for any reply.

On 10/25/2011 11:12 PM, Nigel Kersten wrote:
> Upgrading the master is the important part, not the agents, but you should ultimately do them as well anyway.
>
> How many hosts do you have? If you can cluster SSH commands to them, you can follow the SSH recipe for migrating them to a new CA:
>
> https://github.com/puppetlabs/puppetlabs-cve20113872/blob/master/README-ssh-only.markdown
>
> Or, if you can cope with a webrick master, we have a recipe there that will work for 2.6.x and 2.7.x webrick puppet masters:
>
> https://github.com/puppetlabs/puppetlabs-cve20113872/tree/master/bin/webrick
>
> If you have some other setup, you may be able to fork that module and modify it to work with your deployment.
>
> --
> Nigel Kersten
> Product Manager, Puppet Labs
Peter Meier
2011-Oct-26 07:57 UTC
Re: [Puppet Users] [ask] Upgrade for CVE-2011-3872 AltNames Vulnerability
> Is it OK if I just upgrade the puppetmaster to 2.6.12 and keep using the old puppet.conf with certdnsnames?

The certdnsnames have been abandoned in favor of a new option:

http://docs.puppetlabs.com/references/stable/configuration.html#certdnsnames

And if your current client certificates contain a master altSubjectName, you need to roll out a new (from the ground up) CA. Otherwise you're still subject to a possible attack with old certs. The notes released by puppetlabs are quite detailed about that:

http://puppetlabs.com/security/cve/cve-2011-3872/

Unfortunately, if you are affected, this issue is *not* fixed by simply updating a package.

~pete
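Peter's condition ("client certificates contain a master altSubjectName") is something you can check before deciding whether a new CA is needed: read every signed agent certificate and see whether its subjectAltName lists any of the names the master answers to. The script below is an added example for this thread, not code from the thread, from Puppet Labs or from the puppetlabs-cve20113872 module. It uses only the Python standard library (a minimal DER walker instead of a crypto library), so it runs offline. The directory `$ssldir/ca/signed`, the master names `puppet` / `puppet.example.com`, and the agent file names are assumptions; the sample "certificates" it builds are constructed, unsigned DER skeletons carrying only the fields the scanner reads, not real certificates.

```python
"""Scan certificates for subjectAltName DNS entries that name the master
(the CVE-2011-3872 condition Peter describes). Added example for this thread;
not Puppet Labs code. Pure stdlib: a minimal DER walker, so it runs offline."""
import base64
import glob
import os
import re

SAN_OID = b"\x55\x1d\x11"   # 2.5.29.17 (subjectAltName), DER-encoded arcs


def _tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end).
    Single-byte tags only, which is all X.509 structures use."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _elements(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV in buf[start:end]."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def _find_extension(buf, start, end, oid):
    """Depth-first search for an Extension SEQUENCE whose first child is `oid`.
    Only constructed types are descended, so signature/key BIT STRINGs are skipped."""
    for tag, vs, ve in _elements(buf, start, end):
        if tag == 0x30:
            first = next(_elements(buf, vs, ve), None)
            if first and first[0] == 0x06 and buf[first[1]:first[2]] == oid:
                return vs, ve
        if tag & 0x20:
            hit = _find_extension(buf, vs, ve, oid)
            if hit:
                return hit
    return None


def san_dns_names(der):
    """Return the dNSName entries of the certificate's subjectAltName, or []."""
    ext = _find_extension(der, 0, len(der), SAN_OID)
    if ext is None:
        return []
    octets = [e for e in _elements(der, *ext) if e[0] == 0x04]   # extnValue
    if not octets:
        return []
    _, gn_start, gn_end = _tlv(der, octets[0][1])                # GeneralNames SEQUENCE
    return [der[vs:ve].decode("ascii")
            for tag, vs, ve in _elements(der, gn_start, gn_end) if tag == 0x82]  # [2] dNSName


def pem_to_der(pem_text):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def flag_master_names(pems, master_names):
    """pems: {name: pem_text}. Return {name: san_list} for every certificate whose
    SAN contains one of the master's DNS names (case-insensitive); these need a new CA."""
    master = {n.lower() for n in master_names}
    hits = {}
    for name, pem in pems.items():
        sans = san_dns_names(pem_to_der(pem))
        if master & {s.lower() for s in sans}:
            hits[name] = sans
    return hits


def scan_cert_dir(cert_dir, master_names):
    """Same check over every *.pem in a directory (assumed: $ssldir/ca/signed)."""
    pems = {}
    for path in sorted(glob.glob(os.path.join(cert_dir, "*.pem"))):
        with open(path) as fh:
            pems[os.path.basename(path)] = fh.read()
    return flag_master_names(pems, master_names)


def _der(tag, content):
    """Minimal DER encoder, used only to build the constructed sample input."""
    n = len(content)
    if n < 0x80:
        len_bytes = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        len_bytes = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + len_bytes + content


def sample_cert_pem(dns_names):
    """Constructed, unsigned certificate-shaped PEM holding only a SAN extension;
    NOT a valid certificate, just test input for the scanner above."""
    general_names = _der(0x30, b"".join(_der(0x82, n.encode("ascii")) for n in dns_names))
    san_ext = _der(0x30, _der(0x06, SAN_OID) + _der(0x04, general_names))
    extensions = _der(0xA3, _der(0x30, san_ext))            # [3] EXPLICIT Extensions
    tbs = _der(0x30, _der(0x02, b"\x02") + extensions)      # version stand-in + extensions
    return der_to_pem(_der(0x30, tbs + _der(0x03, b"\x00")))  # + empty signature BIT STRING


if __name__ == "__main__":
    # Constructed sample: one agent cert carrying the master's names, one clean one.
    master = ["puppet", "puppet.example.com"]
    certs = {"agent01.pem": sample_cert_pem(["agent01.example.com", "puppet", "puppet.example.com"]),
             "agent02.pem": sample_cert_pem(["agent02.example.com"])}
    for name, sans in flag_master_names(certs, master).items():
        print(f"{name}: SAN names the master ({', '.join(sans)}) -> new CA required")
```

Run it against the real signed-certificate directory with `scan_cert_dir("/var/lib/puppet/ssl/ca/signed", ["puppet", "puppet.example.com"])` (path and names assumed), passing every DNS name that was ever in `certdnsnames` on the master. Any hit means the package upgrade alone does not close the issue for that host, which is exactly the case Peter's reply and the Puppet Labs advisory address; an empty result only covers the certificates still on disk, so certificates issued earlier and since removed are not accounted for.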