This release is a maintenance release candidate of the 2.6.x series of Puppet.

This release is available for download at:
http://puppetlabs.com/downloads/puppet/puppet-2.6.13rc1.tar.gz

See the Verifying Puppet Download section at:
http://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet

Please report feedback via the Puppet Labs Redmine site, using an
affected version of 2.6.13rc1
http://projects.puppetlabs.com/projects/puppet/

2.6.13rc1 Release Notes
=======================

Fix #10739 Provide default subjectAltNames while bootstrapping master

Prior to #2848 (CVE-2011-3872), if Puppet[:certdnsnames] was not set,
puppet would add default subjectAltNames to any non-CA cert it signed,
including agent certs. The subjectAltNames were of the form:

    DNS:puppet, DNS:<fqdn>, DNS:puppet.<domain>

The fix for #2848 prevented subjectAltNames from ever being implicitly
added at signing time. But during this change, the default
subjectAltNames behavior was accidentally removed.

This commit restores the 'defaulting' behavior that existed previously,
but only when bootstrapping the initial master. Additionally, default
subjectAltNames are only ever added when generating the master's
certificate signing request, not at signing time. This is important,
because it ensures all subjectAltNames originate from the CSR and are
subject to our internal signing policy.

The code now requires that all of the following be true in order to add
default subjectAltNames to the CSR:

1. We are a CA and master
2. We're signing the master's cert, not self-signing the CA
3. The CSR is for the current host
4. No subjectAltNames have been specified, e.g. Puppet[:dns_alt_names]
5. The master can resolve its fqdn

These should only ever be true when bootstrapping the initial master.
In particular, it should never be true for the CA's self-signed cert,
for remote agents, or for servers that are either masters or CAs, but
not both.

The fqdn requirement existed previously, and so the same behavior has
been restored.

Note if Puppet[:dns_alt_names] are specified when bootstrapping the
master, then we do not merge the default options -- it's either one or
the other, but not both.

Fix #10289 Add an ext script to upload facts to inventory server

This script, ext/upload_facts, will read facts from the master's yaml
dir and save them to the facts terminus. The intended use of this is
when the facts terminus is set to inventory_service, to be run
periodically via cron to ensure facts are uploaded even if the
inventory_service becomes temporarily unavailable. It supports a
--minutes option, which will limit the facts uploaded to only those
added in the last n minutes.

#10289 (continued) Add a safe alternative to REST for inventory service

With the default implementation of the inventory service, with a
terminus REST and cache YAML, a failed upload to the inventory service
would cause compilation to fail. This means the inventory service was a
single point of failure for the entire Puppet infrastructure. Now, we
introduce an inventory_service terminus which can be used in place of
the REST terminus, and will absorb failures, allowing compilation to
continue.

2.6.13rc1 Changelog Highlights
==============================

* e4ee794 (#10739) Provide default subjectAltNames while bootstrapping master
* 9dfd011 (#5617) Puppet queue logging
* aa2a762 (#10289) Add an ext script to upload facts to inventory server
* 5129d38 (#10289) Add a safe alternative to REST for inventory service
* 397a506 (#10244) Restore Mongrel XMLRPC functionality
* bb224dd (#8770) Don't fail to set supplementary groups when changing user to root
* 2a0de12 (#8770) Always fully drop privileges when changing user
* d7c9c76 (#8740) Do not enumerate files in the root directory.
* fb2ffd6 (#8596) Detect resource alias conflicts when titles do not match
* 89c021c (#8418) Fix inspect app to have the correct run_mode
* b268fb3 (#7144) Update Settings#writesub to convert mode to Fixnum
* 111a4b5 (#6857) Password disclosure when changing a user's password

--
You received this message because you are subscribed to the Google Groups "Puppet Developers" group.
To post to this group, send email to puppet-dev@googlegroups.com.
To unsubscribe from this group, send email to puppet-dev+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-dev?hl=en.
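As an added illustration (not Puppet's code and not part of the announcement), the Ruby sketch below models the five bootstrap conditions from the #10739 notes and shows why it matters that the default names ride inside the CSR: the CSR builder places them in an extensionRequest, and the audit helper reads them back out, which is where a signing policy can check that an agent CSR carries no puppet/puppet.<domain> names. The `ctx` hash, its keys and all helper names are assumptions.

```ruby
require 'openssl'

# Default SANs in the form given in the release notes:
# DNS:puppet, DNS:<fqdn>, DNS:puppet.<domain>
def default_alt_names(fqdn)
  domain = fqdn.split('.', 2)[1]
  names = ['puppet', fqdn]
  names << "puppet.#{domain}" if domain
  names.uniq.map { |n| "DNS:#{n}" }
end

# Hypothetical mirror of the five bootstrap conditions; ctx is an assumed
# Hash, not a Puppet setting. Condition 5 is modelled as the fqdn having
# resolved (non-nil). Explicit dns_alt_names win outright: nothing is merged.
def add_default_alt_names?(ctx)
  ctx[:ca] && ctx[:master] &&                                # 1. CA and master
    !ctx[:self_signing_ca] &&                                 # 2. not the CA's own cert
    ctx[:csr_host] == ctx[:fqdn] &&                           # 3. CSR is for this host
    (ctx[:dns_alt_names].nil? || ctx[:dns_alt_names].empty?) && # 4. none configured
    !ctx[:fqdn].nil?                                          # 5. fqdn resolvable
end

# Build a CSR that carries alt names as an extensionRequest attribute, so
# the SANs travel inside the CSR rather than being added at signing time.
def build_csr(key, cn, alt_names)
  req = OpenSSL::X509::Request.new
  req.version = 0
  req.subject = OpenSSL::X509::Name.new([['CN', cn]])
  req.public_key = key.public_key
  unless alt_names.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ext = ef.create_extension('subjectAltName', alt_names.join(','))
    set = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new([ext])])
    req.add_attribute(OpenSSL::X509::Attribute.new('extReq', set))
  end
  req.sign(key, OpenSSL::Digest::SHA256.new)
end

# Signing-policy audit: list the DNS alt names a CSR actually requests.
def csr_alt_names(req)
  attr = req.attributes.find { |a| a.oid == 'extReq' }
  return [] unless attr
  exts = attr.value.value.first.value
  san = exts.map { |e| OpenSSL::X509::Extension.new(e.to_der) }
            .find { |e| e.oid == 'subjectAltName' }
  san ? san.value.split(',').map(&:strip) : []
end
```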
I would think that a bug fix for #11143 should be in the next release.

On Dec 5, 2011, at 2:47 PM, Matthaus Litteken wrote:

> This release is a maintenance release candidate of the 2.6.x series of Puppet.
> [...]

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
James Turnbull
2011-Dec-08 04:36 UTC
Re: [Puppet Users] Announce: Puppet 2.6.13rc1 Available
Jo Rhett wrote:
> I would think that a bug fix for #11143 should be in the next release.

The issue hasn't had more than the most basic triage done and we don't
even have root cause. Nigel and Engineering may have a view on it but I
would suggest it won't make .13 which is already in RC.

Regards

James Turnbull

--
James Turnbull
Puppet Labs
1-503-734-8571
To schedule a meeting with me: http://tungle.me/jamtur01