Bug 23722 - puppet new security issue CVE-2017-10690
Summary: puppet new security issue CVE-2017-10690
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: All Packagers
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-10-17 23:37 CEST by David Walser
Modified: 2019-11-06 13:43 CET

See Also:
Source RPM: puppet-4.2.1-8.mga7.src.rpm
CVE:
Status comment:



David Walser 2018-10-17 23:37:30 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-10-18 09:26:29 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC'ing our sysadmins, because they use puppet and many of them pushed it before, and some more committers.

CC: (none) => geiger.david68210, guillomovitch, marja11, sysadmin-bugs
Assignee: bugsquad => pkg-bugs

Comment 2 Bruno Cornec 2018-10-30 19:55:47 CET
For cauldron, we have 4.2.1 whereas upstream is at 6.0.3. Can we move to that version or do we have dependencies making it impossible?

CC: (none) => bruno

Comment 3 Thomas Backlund 2018-10-30 22:04:05 CET
(In reply to Bruno Cornec from comment #2)
> For cauldron, we have 4.2.1 whereas upstream is at 6.0.3. Can we move to
> that version or do we have dependencies making it impossible?

Go ahead and update it in cauldron...

infra is running on separate branch for now until some sysadmin has time/interest to rework it for newer puppet... maybe when we move to mga7, so then it could be useful to have latest code there...

CC: (none) => tmb

Comment 4 Bruno Cornec 2018-11-04 20:59:36 CET
I've now pushed a version of puppet 6.0.3 into cauldron. Would be great that people check it to see whether I messed up stuff or (hopefully) not!

Status: NEW => ASSIGNED

David Walser 2018-11-04 22:22:00 CET

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 5 Bruno Cornec 2018-11-09 01:38:46 CET
What do we do for mga 6? 5.3.4 is the minimum version for the fix, so in any case we're breaking compatibility :-( Should I also push 6.0.3, once the cauldron version has been tested?

Comment 6 David Walser 2018-11-09 01:51:07 CET
We'll need to patch, new Puppet versions completely break everything according to my coworker who is an expert.

Comment 7 Thomas Backlund 2018-11-09 07:32:51 CET
Yep.

That's why we also run infra on separate branch as a lot of things changed / broke in newer puppet...

Comment 8 Bruno Cornec 2018-11-10 02:07:16 CET
Ok, so someone who knows ruby will have to take that over, as I won't be able to manage that.

Status: ASSIGNED => NEW

Comment 9 Mike Rambo 2019-11-06 13:43:17 CET
Mageia 6 is EOL.

Status: NEW => RESOLVED
Resolution: (none) => OLD
CC: (none) => mrambo

