| Summary: | puppet new security issues CVE-2016-2785 and CVE-2017-2295 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | davidwhodgins, mageia, pterjan, sysadmin-bugs, tarazed25 |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/690024/ | ||
| Whiteboard: | MGA5-64-OK advisory MGA5-32-OK | ||
| Source RPM: | puppet-4.2.1-1.mga6.src.rpm | CVE: | |
| Status comment: | |||
Description

David Walser
2016-06-06 18:46:23 CEST

not affected in mga5

Status: NEW => RESOLVED

The bug is for Cauldron.

Status: RESOLVED => REOPENED
David Walser
2016-12-07 00:56:06 CET

CC: (none) => pterjan

Upstream has issued an advisory on May 11:
https://puppet.com/security/cve/cve-2017-2295

The issue is resolved in Puppet 4.10.1. Mageia 5 appears to be affected by this one.

Debian has issued an advisory for this on May 25:
https://www.debian.org/security/2017/dsa-3862

Whiteboard: (none) => MGA5TOO

Fedora has issued an advisory for CVE-2017-2295 on May 31:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MHVQ25R6UFHFJ7NXHYLNBG3BQ7M57THN/

RedHat says they're not affected by CVE-2016-2785, but the reason is nonsensical:
https://bugzilla.redhat.com/show_bug.cgi?id=1331024#c6

SUSE also says that they're not affected by CVE-2016-2785, with no explanation.

Gentoo says that Puppet 3.x is not affected by CVE-2016-2785.

I guess we can forget about that CVE?

Patch for CVE-2017-2295 for Puppet 4.2.1 added in Cauldron.

FYI, Fedora has updated Rawhide to 4.10.1, so we can sync that at some point.

Version: Cauldron => 5

Patch from Debian added for Mageia 5 to fix CVE-2017-2295.

Advisory:
========================

Updated puppet packages fix security vulnerability:

It was discovered that unrestricted YAML deserialisation of data sent from agents to the server in the Puppet configuration management system could result in the execution of arbitrary code (CVE-2017-2295).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2295
https://puppet.com/security/cve/cve-2017-2295
https://www.debian.org/security/2017/dsa-3862
========================

Updated packages in core/updates_testing:
========================
puppet-3.6.2-3.1.mga5
puppet-server-3.6.2-3.1.mga5
vim-puppet-3.6.2-3.1.mga5
emacs-puppet-3.6.2-3.1.mga5

from puppet-3.6.2-3.1.mga5.src.rpm

Assignee: thierry.vignaud => qa-bugs

Minimal testing on x86_64 real hardware and apologies for the lengthy spiel.
Puppet is a complex system management tool best described as a "career builder" (wilcal), so all we can do is ensure that it builds and runs. It is written in Ruby, so you may find it installing Ruby packages as well. This system already had those.
Quoting an internet site:
Open source Puppet helps you describe machine configurations in a declarative language, bring machines to a desired state, and keep them there through automation.
$ sudo systemctl enable puppet
$ sudo systemctl start puppet
$ systemctl status puppet
● puppet.service - Puppet agent
Loaded: loaded (/usr/lib/systemd/system/puppet.service; enabled)
Active: active (running) since Tue 2017-06-06 15:56:11 BST; 3h 43min ago
Main PID: 26909 (puppet)
CGroup: /system.slice/puppet.service
└─26909 /usr/bin/ruby /usr/bin/puppet agent --no-daemonize
A simple introduction at https://dzone.com/articles/puppet-beginners-concept-guide suggests a few commands which show it working.
$ puppet --version
3.6.2
$ facter
Error: NetworkManager is not running.
architecture => x86_64
blockdevice_sda_model => Crucial_CT512MX1
blockdevice_sda_size => 512110190592
blockdevice_sda_vendor => ATA
blockdevice_sdb_model => Crucial_CT256MX1
blockdevice_sdb_size => 256060514304
.......................
plus lots more information about your system and hardware.
The tutorial also suggests running a scriptlet similar to this:
$ puppet apply -e "file{'/tmp/pup': ensure => 'directory'} file{ '/tmp/pup/et': ensure => 'present', content => 'look at me', require => File['/tmp/pup']}"
which produces this sort of output:
Error: NetworkManager is not running.
Notice: Compiled catalog for vega in environment production in 0.09 seconds
Notice: Finished catalog run in 0.02 seconds
It is easier to create a file containing the quoted code above, calling it mynode.pp:
$ cat mynode.pp
file { '/tmp/pup':
  ensure => 'directory',
}
file { '/tmp/pup/et':
  ensure  => 'present',
  content => 'look at me',
  require => File['/tmp/pup'],
}
$ puppet apply mynode.pp
Error: NetworkManager is not running.
Notice: Compiled catalog for vega in environment production in 0.09 seconds
Notice: /Stage[main]/Main/File[/tmp/pup]/ensure: created
Notice: /Stage[main]/Main/File[/tmp/pup/et]/ensure: created
Notice: Finished catalog run in 0.02 seconds
This creates /tmp/pup/ and /tmp/pup/et.
$ ls /tmp/pup
et
Finally:
$ sudo systemctl stop puppet
$ rm -rf /tmp/pup
Installed the listed packages - comment 6.
In the tutorial quoted earlier the puppet-server was not mentioned and trying to start it fails. Unsure what this means - could do with some advice.
Restarted the puppet service and used the previous simple commands to show that the basic system was installed and working. All editing done with emacs but syntax highlighting was not apparent even with the shebang line
#!/usr/bin/env puppet
added to the manifest file mynode.pp.
https://github.com/voxpupuli/puppet-mode says:
"Just visit Puppet manifests. The major mode is enabled automatically for Puppet manifests with the extension .pp."
Everything worked as before.
$ cat /tmp/pup/et
look at me
Giving this the OK within the limitations of the testing.

CC: (none) => tarazed25
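The advisory quoted earlier in this bug describes the vulnerability class behind CVE-2017-2295: unrestricted YAML deserialisation of agent-sent data, which lets a document choose which Ruby class gets instantiated. The snippet below is an added illustration, not Puppet's code and not part of this bug report, showing the difference between Psych's unrestricted loader and a restricted loader with an explicit allow-list. The AgentReport class, the sample documents and the function names are all invented for the example; AgentReport is deliberately inert so the snippet only shows which loader honours the type tag, not what a malicious class could do.

```ruby
require 'yaml'

# Constructed, harmless stand-in for an application object that a YAML
# document could name with a !ruby/object tag. It is not a Puppet class and
# does nothing on instantiation; it only shows which loader honours the tag.
class AgentReport
  attr_accessor :host, :note
end

# Constructed sample documents: one carries a Ruby type tag, the other is
# plain data. Neither comes from a real agent.
TAGGED_REPORT = <<~YAML
  --- !ruby/object:AgentReport
  host: agent01.example.test
  note: constructed sample
YAML

PLAIN_REPORT = <<~YAML
  host: agent01.example.test
  note: constructed sample
YAML

# The unrestricted path: Psych resolves the type tag and builds whatever class
# it names. Psych 4 (Ruby 3.1+) made YAML.load restricted by default and kept
# the old behaviour as unsafe_load, so use whichever spelling this Ruby has.
def unrestricted_load(yaml)
  if Psych.respond_to?(:unsafe_load)
    Psych.unsafe_load(yaml)
  else
    Psych.load(yaml)
  end
end

# The mitigated path: safe_load only builds core types (Hash, Array, String,
# numbers, ...) plus whatever is on the permitted_classes allow-list. Any other
# tag raises Psych::DisallowedClass, which is turned into a rejection record so
# the caller can log and drop the message instead of crashing or executing it.
def restricted_load(yaml, permitted: [])
  { ok: true, data: Psych.safe_load(yaml, permitted_classes: permitted) }
rescue Psych::DisallowedClass => e
  { ok: false, error: e.message }
end

if __FILE__ == $PROGRAM_NAME
  puts "unrestricted: #{unrestricted_load(TAGGED_REPORT).class}"
  puts "restricted:   #{restricted_load(TAGGED_REPORT).inspect}"
  puts "plain data:   #{restricted_load(PLAIN_REPORT).inspect}"
end
```

The point for a server that accepts YAML from less-trusted clients is that the allow-list must be the server's decision, not the document's: plain data round-trips through restricted_load unchanged, a tagged document is rejected unless the class was explicitly permitted, and the rejection is a value the caller can act on rather than an unhandled exception.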
Len Lawrence
2017-06-06 21:24:59 CEST

Whiteboard: (none) => MGA5-64-OK

Similar testing on i586. Advisory committed to svn. Validating the update.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0156.html

Resolution: (none) => FIXED