Re: [Pkg-puppet-devel] Wheezy update of puppet?
On 23:44 Mon 22 May , Apollon Oikonomopoulos wrote:
> On 22:53 Sun 21 May , Ola Lundqvist wrote:
> > Dear maintainer(s),
> > The Debian LTS team would like to fix the security issues which are
> > currently open in the Wheezy version of puppet:
> > https://security-tracker.debian.org/tracker/CVE-2017-2295
> > Would you like to take care of this yourself?
> > If yes, please follow the workflow we have defined here:
> > https://wiki.debian.org/LTS/Development
> > If that workflow is a burden to you, feel free to just prepare an
> > updated source package and send it to email@example.com
> > (via a debdiff, or with an URL pointing to the source package,
> > or even with a pointer to your packaging repository), and the members
> > of the LTS team will take care of the rest. Indicate clearly whether you
> > have tested the updated package or not.
> > If you don't want to take care of this update, it's not a problem, we
> > will do our best with your package. Just let us know whether you would
> > like to review and/or test the updated package before it gets released.
> Thanks for bringing the issue to our attention!
> I'll address the issue soon for Sid/Stretch and Jessie, and will try to
> fix Wheezy as well. Unfortunately, it looks like the fix for wheezy
> might not be trivial; we need to check if the agent will still be able
> to send facts to the server, as PSON is not the default format in Puppet
So, from my understanding the version in Wheezy cannot be fixed: the 2.7
agents only use YAML to send out facts and upstream's fix is to simply
not accept anything other than PSON. Whitelisting YAML defeats the
purpose, as it's YAML's deserialization of untrusted data that leads to
remote code execution.
Any ideas welcome here, but I seriously doubt there's much we can do to
be completely safe, other than encourage people to move to 3.7 from
wheezy-backports. Puppet 2.7 has been EOL for way too long anyway.