Bug 23722

Summary:	puppet new security issue CVE-2017-10690
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	All Packagers <pkg-bugs>
Status:	RESOLVED OLD	QA Contact:	Sec team <security>
Severity:	major
Priority:	Normal	CC:	bruno, geiger.david68210, guillomovitch, marja11, mhrambo3501, sysadmin-bugs, tmb
Version:	6
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:
Source RPM:	puppet-4.2.1-8.mga7.src.rpm	CVE:
Status comment:

Description David Walser 2018-10-17 23:37:23 CEST

RedHat Satellite 6.4 fixed a security issue in Puppet:
https://access.redhat.com/errata/RHSA-2018:2927
https://bugzilla.redhat.com/show_bug.cgi?id=1566764
https://puppet.com/security/cve/CVE-2017-10690

David Walser 2018-10-17 23:37:30 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-10-18 09:26:29 CEST

Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC'ing our sysadmins, because they use puppet and many of them pushed it before, and some more committers.

CC: (none) => geiger.david68210, guillomovitch, marja11, sysadmin-bugs
Assignee: bugsquad => pkg-bugs

Comment 2 Bruno Cornec 2018-10-30 19:55:47 CET

For cauldron, we have 4.2.1 whereas upstream is at 6.0.3. Can we move to that version or do we have dependencies making it impossible ?

CC: (none) => bruno

Comment 3 Thomas Backlund 2018-10-30 22:04:05 CET

(In reply to Bruno Cornec from comment #2)
> For cauldron, we have 4.2.1 whereas upstream is at 6.0.3. Can we move to
> that version or do we have dependencies making it impossible ?

Go ahead and update it in cauldron...

infra is running on separate branch for now until some sysadmin has time/interest to rework it for newer puppet... maybe when we move to mga7, so then it could be useful to have latest code there...

CC: (none) => tmb

Comment 4 Bruno Cornec 2018-11-04 20:59:36 CET

I've now pushed a version of puppet 6.0.3 into cauldron. Would be great that people check it to see whther I messed up stuff or (hopefully) not !

Status: NEW => ASSIGNED

David Walser 2018-11-04 22:22:00 CET

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 5 Bruno Cornec 2018-11-09 01:38:46 CET

What do we do for mga 6 ? 5.3.4 is the minimum version for the fix, so in any case we're breaking compatibility :-( Should I also push 6.0.3, once the cauldron version has been tested ?

Comment 6 David Walser 2018-11-09 01:51:07 CET

We'll need to patch, new Puppet versions completely break everything according to my coworker who is an expert.

Comment 7 Thomas Backlund 2018-11-09 07:32:51 CET

Yep.

Thats why we also run infra on separate branch as a lot of things changed / broke in newer puppet...

Comment 8 Bruno Cornec 2018-11-10 02:07:16 CET

Ok, so someone who knows ruby will have to take that over, as I won't be able to manage that.

Status: ASSIGNED => NEW

Comment 9 Mike Rambo 2019-11-06 13:43:17 CET

Mageia 6 is EOL.

Status: NEW => RESOLVED
Resolution: (none) => OLD
CC: (none) => mrambo