Your message dated Sun, 14 May 2023 21:19:01 +0200 with message-id <2332c8fd-f657-4852-15f1-5940e64ae385@debian.org> and subject line Re: Bug#1035674: pre-approval: unblock: puppetserver/7.9.5-2 has caused the Debian Bug report #1035674, regarding pre-approval: unblock: puppetserver/7.9.5-2 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
1035674: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035674
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: pre-approval: unblock: puppetserver/7.9.5-2
- From: Jérôme Charaoui <jerome@riseup.net>
- Date: Sun, 7 May 2023 11:47:23 -0400
- Message-id: <1934ed06-a3b4-e342-b2b8-ff14dd7acd21@riseup.net>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: pkg-puppet-devel@alioth-lists.debian.net
Control: affects -1 + src:puppetserver

I would like to request an unblock to upload puppetserver/7.9.5-2 which fixes two bugs using targeted fixes.

- #1032241 puppetserver - service unit fails to realize the main process died
- #1035541 puppetserver: CVE-2023-1894

[ Reason ]
The main reason is to fix the denial-of-service security issue prior to the release. The second fix has been in the source repository's main branch for some time, awaiting release.

[ Impact ]
Accepting this release should not have any impact beyond puppetserver itself.

[ Tests ]
Build and autopkgtest are passing. The service unit fix has been applied locally on my production system for several weeks.

[ Risks ]
There is a (low) risk that the patches introduce new bugs.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

Thanks!

-- Jérôme

diff -Nru puppetserver-7.9.5/debian/changelog puppetserver-7.9.5/debian/changelog
--- puppetserver-7.9.5/debian/changelog 2023-02-09 21:11:26.000000000 -0500
+++ puppetserver-7.9.5/debian/changelog 2023-05-07 11:09:17.000000000 -0400
@@ -1,3 +1,10 @@ +puppetserver (7.9.5-2) unstable; urgency=medium + + * abort service start/reload if mainpid dies (Closes: #1032241) + * add patch fixing CVE-2023-1894 (Closes: #1035541) + + -- Jérôme Charaoui <jerome@riseup.net> Sun, 07 May 2023 11:09:17 -0400 + puppetserver (7.9.5-1) unstable; urgency=medium * New upstream version 7.9.5 diff -Nru puppetserver-7.9.5/debian/patches/0010-Backport-fix-for-CVE-2023-1894.patch puppetserver-7.9.5/debian/patches/0010-Backport-fix-for-CVE-2023-1894.patch --- puppetserver-7.9.5/debian/patches/0010-Backport-fix-for-CVE-2023-1894.patch 1969-12-31 19:00:00.000000000 -0500 +++ puppetserver-7.9.5/debian/patches/0010-Backport-fix-for-CVE-2023-1894.patch 2023-05-07 11:09:17.000000000 -0400 
@@ -0,0 +1,127 @@ +From: =?utf-8?b?SsOpcsO0bWUgQ2hhcmFvdWk=?= <jerome@riseup.net> +Date: Sun, 7 May 2023 11:00:09 -0400 +Subject: Backport fix for CVE-2023-1894 + +Forwarded: not-needed +Bug: https://tickets.puppetlabs.com/browse/PE-35786 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035541 +Origin: + commit, https://github.com/puppetlabs/puppetserver/commit/9e0239c19bc852b98c1a63fb33998de7eae388dc + backport, https://github.com/puppetlabs/puppetserver/commit/545998b71baf70e35dc60c287f2cb2fc11ef9be2 +--- + .../puppetserver/certificate_authority.clj | 33 +++++++++++++++++--- + .../puppetserver/certificate_authority_test.clj | 36 ++++++++++++++-------- + 2 files changed, 52 insertions(+), 17 deletions(-) + +diff --git a/src/clj/puppetlabs/puppetserver/certificate_authority.clj b/src/clj/puppetlabs/puppetserver/certificate_authority.clj +index 46429f4..16ab834 100644 +--- a/src/clj/puppetlabs/puppetserver/certificate_authority.clj ++++ b/src/clj/puppetlabs/puppetserver/certificate_authority.clj +@@ -787,6 +787,11 @@ + (utils/subject-alt-names {:dns-name (conj default-alt-names host-name)} false) + (utils/subject-alt-names (update alt-names-list :dns-name conj host-name) false)))) + ++ ++(def pattern-match-dot #"\.") ++(def pattern-starts-with-alphanumeric-or-underscore #"^[\p{Alnum}_].*") ++(def pattern-matches-alphanumeric-with-symbols-string #"^[\p{Alnum}\-_]*[\p{Alnum}_]$") ++ + (schema/defn validate-subject! + "Validate the CSR or certificate's subject name. 
The subject name must: + * match the hostname specified in the HTTP request (the `subject` parameter) +@@ -795,12 +800,16 @@ + * not contain the wildcard character (*)" + [hostname :- schema/Str + subject :- schema/Str] ++ (log/debug (i18n/trs "Checking \"{0}\" for validity" subject)) ++ + (when-not (= hostname subject) ++ (log/infof "Rejecting subject \"%s\" because it doesn't match hostname \"%s\"" subject hostname) + (sling/throw+ + {:kind :hostname-mismatch +- :msg (i18n/tru "Instance name \"{0}\" does not match requested key \"{1}\"" subject hostname)})) ++ :msg (format "Instance name \"%s\" does not match requested key \"%s\"" subject hostname)})) + + (when (contains-uppercase? hostname) ++ (log/info (i18n/tru "Rejecting subject \"{0}\" because all characters must be lowercase" subject)) + (sling/throw+ + {:kind :invalid-subject-name + :msg (i18n/tru "Certificate names must be lower case.")})) +@@ -809,11 +818,25 @@ + (sling/throw+ + {:kind :invalid-subject-name + :msg (i18n/tru "Subject contains a wildcard, which is not allowed: {0}" subject)})) +- +- (when-not (re-matches #"^([a-z0-9](?:(?:[a-z0-9\-_]*|(?<!-)\.(?![\-.]))*[a-z0-9]+)?)$" subject) ++ ++ (when (str/ends-with? subject "-") ++ (log/info (i18n/tru "Rejecting subject \"{0}\" as it ends with an invalid character" subject)) + (sling/throw+ +- {:kind :invalid-subject-name +- :msg (i18n/tru "Subject hostname format is invalid")}))) ++ {:kind :invalid-subject-name ++ :msg (i18n/tru "Subject hostname format is invalid")})) ++ ++ (let [segments (str/split subject pattern-match-dot)] ++ (when-not (re-matches pattern-starts-with-alphanumeric-or-underscore (first segments)) ++ (log/info (i18n/tru "Rejecting subject \"{0}\" as it starts with an invalid character" subject)) ++ (sling/throw+ ++ {:kind :invalid-subject-name ++ :msg (i18n/tru "Subject hostname format is invalid")})) ++ ++ (when-not (every? 
#(re-matches pattern-matches-alphanumeric-with-symbols-string %) segments) ++ (log/info (i18n/tru "Rejecting subject \"{0}\" because it contains invalid characters" subject)) ++ (sling/throw+ ++ {:kind :invalid-subject-name ++ :msg (i18n/tru "Subject hostname format is invalid")})))) + + (schema/defn allowed-extension? + "A predicate that answers if an extension is allowed or not. +diff --git a/test/unit/puppetlabs/puppetserver/certificate_authority_test.clj b/test/unit/puppetlabs/puppetserver/certificate_authority_test.clj +index 7df5e75..c8d4c7a 100644 +--- a/test/unit/puppetlabs/puppetserver/certificate_authority_test.clj ++++ b/test/unit/puppetlabs/puppetserver/certificate_authority_test.clj +@@ -1635,19 +1635,31 @@ + (validate-subject! + "" "")))) + +- (testing "an exception is thrown when the hostnames contain multiple dots in a row" +- (is (thrown+? +- [:kind :invalid-subject-name +- :msg "Subject hostname format is invalid"] +- (validate-subject! +- "rootca..example.org" "rootca..example.org")))) ++ (testing "subjects that end end in dot are valid" ++ (is (nil? ++ (validate-subject! ++ "rootca." "rootca.")))) + +- (testing "an exception is thrown when the hostnames end in dot" +- (is (thrown+? +- [:kind :invalid-subject-name +- :msg "Subject hostname format is invalid"] +- (validate-subject! +- "rootca." "rootca.")))) ++ (testing "subjects that end in an underscore are valid" ++ (is (nil? ++ (validate-subject! ++ "rootca_" "rootca_")))) ++ ++ (testing "subjects that start in an underscore are valid" ++ (is (nil? ++ (validate-subject! ++ "_x-puppet._tcp.example.com" "_x-puppet._tcp.example.com")))) ++ ++ (testing "single letter segments are valid" ++ (is (nil? ++ (validate-subject! ++ "a.example.com" "a.example.com"))) ++ (is (nil? ++ (validate-subject! ++ "_.example.com" "_.example.com"))) ++ (is (nil? ++ (validate-subject! ++ "foo.a.example.com" "foo.a.example.com")))) + + (testing "Single word hostnames are allowed" + (is (nil? 
diff -Nru puppetserver-7.9.5/debian/patches/series puppetserver-7.9.5/debian/patches/series --- puppetserver-7.9.5/debian/patches/series 2023-02-09 21:11:26.000000000 -0500 +++ puppetserver-7.9.5/debian/patches/series 2023-05-07 11:09:17.000000000 -0400 @@ -7,3 +7,4 @@ 0007-Adapt-JRuby-environment-test-for-Debian.patch 0008-Adjust-defaults-paths.patch 0009-Remove-call-to-symlink-cadir.patch +0010-Backport-fix-for-CVE-2023-1894.patch diff -Nru puppetserver-7.9.5/debian/puppetserver.service puppetserver-7.9.5/debian/puppetserver.service --- puppetserver-7.9.5/debian/puppetserver.service 2023-02-09 21:11:26.000000000 -0500 +++ puppetserver-7.9.5/debian/puppetserver.service 2023-03-12 11:08:38.000000000 -0400 @@ -15,6 +15,10 @@ UMask=027 +# the startup and reload commands rely on the trapperkeeper +# restartfile to sync with the process' internal readiness +# if the mainpid dies while loading, it will abort + ExecStartPre=sh -c "echo -n 0 > ${RUNTIME_DIRECTORY}/restart" ExecStart=/usr/bin/java $JAVA_ARGS \ -Djruby.lib=/usr/share/jruby/lib \ @@ -25,12 +29,11 @@ --bootstrap-config /etc/puppet/puppetserver/services.d \ --restart-file ${RUNTIME_DIRECTORY}/restart \ $TK_ARGS -ExecStartPost=sh -c "while ! head -c1 ${RUNTIME_DIRECTORY}/restart | grep -q '^1'; do sleep 1; done" +ExecStartPost=sh -c "while ! head -c1 ${RUNTIME_DIRECTORY}/restart | grep -q '^1'; do kill -0 $MAINPID && sleep 1 || exit 1; done" -ExecReload=sh -c " \ - echo -n 0 > ${RUNTIME_DIRECTORY}/restart; \ - kill -HUP $MAINPID; \ - while ! head -c1 ${RUNTIME_DIRECTORY}/restart | grep -q '^1'; do sleep 1; done" +ExecReload=sh -c "echo -n 0 > ${RUNTIME_DIRECTORY}/restart" +ExecReload=kill -HUP $MAINPID +ExecReload=sh -c "while ! head -c1 ${RUNTIME_DIRECTORY}/restart | grep -q '^1'; do kill -0 $MAINPID && sleep 1 || exit 1; done" SuccessExitStatus=143
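Review bot: the three patterns introduced in the @@ -787 hunk of certificate_authority.clj use `\p{Alnum}`, which in Java also matches uppercase letters, whereas the regex they replace spelled out `[a-z0-9]`; lower case is now enforced solely by the earlier `(when (contains-uppercase? hostname) ...)` check, so a short comment above `pattern-matches-alphanumeric-with-symbols-string` saying the patterns assume an already lowercase subject would stop a later reordering of the checks from quietly accepting mixed-case names.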
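Review bot: in the @@ -795 hunk the hostname-mismatch error is changed from `(i18n/tru "Instance name ...")` to `(format "Instance name \"%s\" does not match requested key \"%s\"" subject hostname)` and its log line is a plain `log/infof` string, while every other rejection in the same function keeps `i18n/tru`; unless this is deliberately mirrored from the upstream commits listed under Origin, keep `i18n/tru` there so that the user-facing message stays translatable, and otherwise say so in the patch header.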
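Review bot: in the @@ -809 hunk `(first segments)` can be nil: `str/split` uses Java's split, which drops trailing empty strings, so a subject consisting only of dots (`"."` or `".."`) gives an empty vector and `re-matches` is then called with nil, which raises a NullPointerException instead of the structured `:invalid-subject-name` error; add `(empty? segments)` to that first `when-not` condition (or reject when any segment is empty) before matching. Otherwise the split-plus-anchored-per-segment shape is the right replacement for the nested-quantifier regex `(?:(?:[a-z0-9\-_]*|(?<!-)\.(?![\-.]))*[a-z0-9]+)?` given the denial-of-service reason stated in the report; the same trailing-empty-string behaviour is what now makes `"rootca."` valid, while a leading dot or consecutive dots are still rejected because an empty segment matches neither pattern.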
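Review bot: the test hunk (@@ -1635 in certificate_authority_test.clj) deletes the `rootca..example.org` case even though the new code still rejects consecutive dots (the empty middle segment fails `pattern-matches-alphanumeric-with-symbols-string`), so coverage is lost without any behaviour change; keep that `testing` block, fix the duplicated word in `"subjects that end end in dot are valid"`, and consider adding a dots-only subject such as `"."`, for which `str/split` returns an empty vector, so the first-segment check is exercised on that input.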
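Review bot: the comment added in the @@ -15 hunk of debian/puppetserver.service sits above `ExecStartPre=` but describes the wait loops in `ExecStartPost=` and `ExecReload=` further down, and "if the mainpid dies while loading, it will abort" does not say what aborts; move it next to the loops and state that the loop exits 1, failing the start or the reload, as soon as `kill -0 $MAINPID` reports the main process gone.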
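Review bot: in the @@ -25 hunk the identical loop `while ! head -c1 ${RUNTIME_DIRECTORY}/restart | grep -q '^1'; do kill -0 $MAINPID && sleep 1 || exit 1; done` now appears in both `ExecStartPost=` and the last `ExecReload=`; shipping it once as a small helper script in the package would keep the two copies from drifting. The loop correctly turns a dead main process into a failed start or reload (the fix for #1032241), but it is still unbounded when the process stays alive without ever writing `1` to the restart file, so the unit's timeouts remain the only backstop for that case.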
--- End Message ---
--- Begin Message ---
- To: Jérôme Charaoui <jerome@riseup.net>, 1035674-done@bugs.debian.org
- Subject: Re: Bug#1035674: pre-approval: unblock: puppetserver/7.9.5-2
- From: Paul Gevers <elbrus@debian.org>
- Date: Sun, 14 May 2023 21:19:01 +0200
- Message-id: <2332c8fd-f657-4852-15f1-5940e64ae385@debian.org>
- In-reply-to: <40606a8d-9f01-148b-1445-c1e0a4a70c58@riseup.net>
- References: <1934ed06-a3b4-e342-b2b8-ff14dd7acd21@riseup.net> <b2f1ef9c-2c24-9d68-56b1-fcddd5a622a1@debian.org> <1934ed06-a3b4-e342-b2b8-ff14dd7acd21@riseup.net> <40606a8d-9f01-148b-1445-c1e0a4a70c58@riseup.net>
Hi,

On 11-05-2023 17:36, Jérôme Charaoui wrote:
> Uploaded to unstable. Thanks!

and unblocked and aged.

Paul

PS: while not a regression, the autopkgtest fails on armel. Have you checked why that is?

Attachment: OpenPGP_signature (OpenPGP digital signature)
--- End Message ---