This release is the final maintenance release of the 2.6.x series of Puppet.
Further releases in this series will only be issued to address
security concerns.
This release is available for download at:
http://puppetlabs.com/downloads/puppet/puppet-2.6.13.tar.gz
See the Verifying Puppet Download section at:
http://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet
Please report feedback via the Puppet Labs Redmine site, using an
affected version of 2.6.13
http://projects.puppetlabs.com/projects/puppet/
2.6.13 Release Notes
==
Fix #10739 Provide default subjectAltNames while bootstrapping master
Prior to #2848 (CVE-2011-3872), if Puppet[:certdnsnames] was not set,
puppet would add default subjectAltNames to any non-CA cert it signed,
including agent certs. The subjectAltNames were of the form:
DNS:puppet, DNS:<fqdn>, DNS:puppet.<domain>
The fix for #2848 prevented subjectAltNames from ever being
implicitly added at signing time. But during this change, the default
subjectAltNames behavior was accidentally removed.
This commit restores the 'defaulting' behavior that existed
previously, but only when bootstrapping the initial master.
Additionally, default subjectAltNames are only ever added when
generating the master's certificate signing request, not at signing
time. This is important, because it ensures all subjectAltNames
originate from the CSR and are subject to our internal signing policy.
The code now requires that all of the following be true in order to
add default subjectAltNames to the CSR:
1. We are a CA and master
2. We're signing the master's cert, not self-signing the CA
3. The CSR is for the current host
4. No subjectAltNames have been specified, e.g. Puppet[:dns_alt_names]
5. The master can resolve its fqdn
These should only ever be true when bootstrapping the initial
master. In particular, it should never be true for the CA's
self-signed cert, for remote agents, or for servers that are either
masters or CAs, but not both.
The fqdn requirement existed previously, and so the same behavior has
been restored.
Note if Puppet[:dns_alt_names] are specified when bootstrapping the
master, then we do not merge the default options -- it's either one
or the other, but not both.
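An added example, not code from this release or from Puppet: a Ruby sketch that reads the subjectAltNames requested in a CSR and compares them with the default set described above, so CSRs carrying other names can be held for review before signing. The function names, the triage labels and the host names are assumptions made for illustration.

```ruby
require 'openssl'

# Default names as listed in the release notes for a given master fqdn.
def default_alt_names(fqdn)
  domain = fqdn.split('.', 2)[1]
  names = ['DNS:puppet', "DNS:#{fqdn}"]
  names << "DNS:puppet.#{domain}" if domain
  names.sort
end

# subjectAltName entries requested in a CSR, sorted; [] when there are none.
def csr_alt_names(csr)
  attr = csr.attributes.find { |a| a.oid == 'extReq' }
  return [] unless attr
  # The extReq value is Set[Sequence[Extension, ...]].
  attr.value.value.flat_map(&:value)
      .map { |e| OpenSSL::X509::Extension.new(e.to_der) }
      .select { |e| e.oid == 'subjectAltName' }
      .flat_map { |e| e.value.split(/\s*,\s*/) }.sort.uniq
end

# Hypothetical pre-signing triage, not Puppet's signing policy.
def review_csr(csr, master_fqdn)
  cn = csr.subject.to_a.find { |field, _value, _type| field == 'CN' }[1]
  names = csr_alt_names(csr)
  return :no_alt_names if names.empty?
  return :master_defaults if cn == master_fqdn && names == default_alt_names(master_fqdn)
  :needs_manual_review
end

# Constructed sample input: a self-signed CSR for cn, optionally carrying SANs.
def build_sample_csr(cn, alt_names = nil)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', cn]])
  csr.public_key = key.public_key
  if alt_names
    ext = OpenSSL::X509::ExtensionFactory.new
                                         .create_extension('subjectAltName', alt_names.join(', '), false)
    req = OpenSSL::ASN1::Set([OpenSSL::ASN1::Sequence([ext])])
    csr.add_attribute(OpenSSL::X509::Attribute.new('extReq', req))
  end
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
end

if __FILE__ == $PROGRAM_NAME
  fqdn = 'master.example.com' # constructed host name
  puts review_csr(build_sample_csr(fqdn, default_alt_names(fqdn)), fqdn)
  puts review_csr(build_sample_csr('agent1.example.com', ['DNS:puppet']), fqdn)
end
```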
Fix #10289 Add an ext script to upload facts to inventory server
This script, ext/upload_facts, will read facts from the master's yaml
dir and save them to the facts terminus. The intended use of this is
when the facts terminus is set to inventory_service, to be run
periodically via cron to ensure facts are uploaded even if the
inventory_service becomes temporarily unavailable. It supports a
--minutes option, which will limit the facts uploaded to only those
added in the last n minutes.
#10289 (continued) Add a safe alternative to REST for inventory service
With the default implementation of the inventory service, with a
terminus REST and cache YAML, a failed upload to the inventory service
would cause compilation to fail. This means the inventory service was a
single point of failure for the entire Puppet infrastructure. Now, we
introduce an inventory_service terminus which can be used in place of
the REST terminus, and will absorb failures, allowing compilation to
continue.
2.6.13 Changelog Highlights
==
* e4ee794 (#10739) Provide default subjectAltNames while bootstrapping master
* 9dfd011 (#5617) Puppet queue logging
* aa2a762 (#10289) Add an ext script to upload facts to inventory server
* 5129d38 (#10289) Add a safe alternative to REST for inventory service
* 397a506 (#10244) Restore Mongrel XMLRPC functionality
* bb224dd (#8770) Don't fail to set supplementary groups when changing user to root
* 2a0de12 (#8770) Always fully drop privileges when changing user
* d7c9c76 (#8740) Do not enumerate files in the root directory.
* fb2ffd6 (#8596) Detect resource alias conflicts when titles do not match
* 89c021c (#8418) Fix inspect app to have the correct run_mode
* b268fb3 (#7144) Update Settings#writesub to convert mode to Fixnum
* 111a4b5 (#6857) Password disclosure when changing a user's password