File puppet-3.8.5-CVE-2020-7942.patch of Package puppet.15204
SUSE notes
----------
We used the upstream patch (below) only partially: we did not
change the default value of the strict_hostname_checking setting to 'true',
because of the potential disruption to customers' infrastructure. We also added
a comment to the configuration file puppet.conf to highlight the issue.
Upstream commit (altered)
------------------------
From df826baa0ed1f3ebb182798aa6e04a9e8f35fd80 Mon Sep 17 00:00:00 2001
From: Justin Stoller <justin.stoller@gmail.com>
Date: Tue, 11 Feb 2020 11:59:59 -0800
Subject: [PATCH] (PUP-10238) Change default value of strict_hostname_checking to true
---
Index: puppet-3.8.5/lib/puppet/defaults.rb
===================================================================
--- puppet-3.8.5.orig/lib/puppet/defaults.rb
+++ puppet-3.8.5/lib/puppet/defaults.rb
@@ -1138,13 +1138,23 @@ EOT
to make requests on. Both applications use this setting to get the port.",
},
:node_name => {
- :default => "cert",
+ :default => 'cert',
+ :type => :enum,
+ :values => ['cert', 'facter'],
+ :deprecated => :completely,
+ :hook => proc { |val|
+ if val != 'cert'
+ Puppet.deprecation_warning("The node_name setting is deprecated and will be removed in a future release.")
+ end
+ },
:desc => "How the puppet master determines the client's identity
and sets the 'hostname', 'fqdn' and 'domain' facts for use in the manifest,
in particular for determining which 'node' statement applies to the client.
Possible values are 'cert' (use the subject's CN in the client's
certificate) and 'facter' (use the hostname that the client
- reported in its facts)",
+ reported in its facts).
+
+ This setting is deprecated, please use explicit fact matching for classification.",
},
:bucketdir => {
:default => "$vardir/bucket",
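Review bot: The hook added at lines 28-32 warns only when node_name is set to something other than 'cert', yet its message says the setting itself is deprecated, and the `:deprecated => :completely` marker on line 27 presumably already emits a deprecation warning whenever the setting is written (that handling is outside this hunk), so an explicit `node_name = cert` may get a warning from one path and `node_name = facter` from both. If the intent is to single out the fact-based identity mode, the hook message should say so, e.g. `Puppet.deprecation_warning("node_name = facter is deprecated and will be removed in a future release; classify nodes by certname or explicit fact matching instead.")`. The settings hash continues outside the hunk.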
@@ -1275,9 +1285,18 @@ EOT
},
:strict_hostname_checking => {
:default => false,
+ :type => :boolean,
:desc => "Whether to only search for the complete
- hostname as it is in the certificate when searching for node information
- in the catalogs.",
+ hostname as it is in the certificate when searching for node information
+ in the catalogs or to match dot delimited segments of the cert's certname
+ and the hostname, fqdn, and/or domain facts.
+
+ This setting is deprecated and will be removed in a future release.",
+ :hook => proc { |val|
+ if val != true
+ Puppet.deprecation_warning("Setting strict_hostname_checking to false is deprecated and will be removed in a future release. Please use regular expressions in your node declarations or explicit fact matching for classification (though be warned that fact based classification may be considered insecure).")
+ end
+ }
}
)
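Review bot: `:default => false` at line 48 is kept (see the SUSE notes above), so a master that never sets strict_hostname_checking stays on the segment/fact-matching lookup path, and if setting hooks in this version run only on explicit writes (hook dispatch is not visible here; in this settings system it is selected with `:call_hook`), such an unconfigured master never sees the deprecation warning added at lines 58-62 — exactly the population the CVE-2020-7942 comment in puppet.conf is meant to reach. If `:call_hook => :on_initialize_and_write` is supported by this release, adding it next to `:hook` would make the warning fire for the default as well; otherwise consider logging the warning once at startup when the value resolves to false. Separately, with `:type => :boolean` the only value other than `true` is `false`, so `if val != true` on line 59 can simply be `unless val`, which also reads closer to what the message on line 60 says. The `)` on line 64 closes a `define_settings` call that begins outside the hunk.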
Index: puppet-3.8.5/ext/redhat/puppet.conf
===================================================================
--- puppet-3.8.5.orig/ext/redhat/puppet.conf
+++ puppet-3.8.5/ext/redhat/puppet.conf
@@ -11,6 +11,17 @@
# The default value is '$confdir/ssl'.
ssldir = $vardir/ssl
+ # Whether to only search for the complete hostname as it is in the
+ # certificate when searching for node information in the catalogs.
+ #
+ # Setting strict_hostname_checking to false is deprecated and will be
+ # removed in a future release. Please use regular expressions in your node
+ # declarations or explicit fact matching for classification (though be
+ # warned that fact based classification may be considered insecure).
+ #
+ # See also: https://puppet.com/security/cve/CVE-2020-7942/
+ #strict_hostname_checking = true
+
[agent]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuratiion. Can be loaded in