File puppet-0.25.4-CVE-2011-3872.patch of Package puppet

Overview Repositories Revisions Requests Users Attributes Meta

File puppet-0.25.4-CVE-2011-3872.patch of Package puppet

--- puppet-0.25.4.orig/lib/puppet/defaults.rb
+++ puppet-0.25.4/lib/puppet/defaults.rb
@@ -222,9 +222,21 @@
             to the fully qualified domain name.",
             :call_on_define => true, # Call our hook with the default value, so we're always downcased
             :hook => proc { |value| raise(ArgumentError, "Certificate names must be lower case; see #1168") unless value == value.downcase }},
-        :certdnsnames => ['', "The DNS names on the Server certificate as a colon-separated list.
-            If it's anything other than an empty string, it will be used as an alias in the created
-            certificate.  By default, only the server gets an alias set up, and only for 'puppet'."],
+        :certdnsnames => {:default => '',
+            :desc => "The DNS names on the Server certificate as a
+            colon-separated list.  If it's anything other than an empty string,
+            it will be used as an alias in the created certificate.  By
+            default, only the server gets an alias set up, and only for
+            'puppet'.",
+            :hook => proc { |value|
+                msg = <<WARN
+The `certdnsnames` setting is no longer functional, after CVE-2011-3872. We
+ignore the value completely. See http://puppetlabs.com/security/cve/3872 for
+more information"
+WARN
+                puts msg if value and value != ''
+            }
+        },
         :certdir => {
             :default => "$ssldir/certs",
             :owner => "service",
--- puppet-0.25.4.orig/lib/puppet/sslcertificates.rb
+++ puppet-0.25.4/lib/puppet/sslcertificates.rb
@@ -57,16 +57,7 @@
             key_usage = %w{cRLSign keyCertSign}
         when :server
             basic_constraint = "CA:FALSE"
-            dnsnames = Puppet[:certdnsnames]
             name = hash[:name].to_s.sub(%r{/CN=},'')
-            if dnsnames != ""
-                dnsnames.split(':').each { |d| subject_alt_name << 'DNS:' + d }
-                subject_alt_name << 'DNS:' + name # Add the fqdn as an alias
-            elsif name == Facter.value(:fqdn) # we're a CA server, and thus probably the server
-                subject_alt_name << 'DNS:' + "puppet" # Add 'puppet' as an alias
-                subject_alt_name << 'DNS:' + name # Add the fqdn as an alias
-                subject_alt_name << 'DNS:' + name.sub(/^[^.]+./, "puppet.") # add puppet.domain as an alias
-            end
             key_usage = %w{digitalSignature keyEncipherment}
             ext_key_usage = %w{serverAuth clientAuth emailProtection}
         when :ocsp

Places

File puppet-0.25.4-CVE-2011-3872.patch of Package puppet

Places