# security
  • j

    Jeremy Mill

    07/15/2022, 4:31 PM
    Hi all, we've published https://puppet.com/security/cve/CVE-2022-2394 today, you should update bolt to version 3.24.0 which was released late last month: https://github.com/puppetlabs/bolt/blob/main/CHANGELOG.md#bolt-3240-2022-06-29
    🙌 1
  • s

    Slackbot

    01/09/2023, 6:48 PM
    This message was deleted.
  • t

    tvaughan

    01/18/2023, 9:03 PM
    https://thehackernews.com/2023/01/git-users-urged-to-update-software-to.html
  • b

    binford2k

    02/23/2023, 5:25 PM
    Hey y'all. Just wanted to let you know that the improved CVE listing page has launched. You'll see a big yellow button linking to it on https://www.puppet.com/security now.
  • j

    John O'Connor

    04/14/2023, 5:17 PM
    @John O'Connor has left the channel
  • b

    boats

    06/13/2023, 10:04 AM
    @boats has left the channel
  • i

    Igar Volan

    08/30/2023, 1:31 PM
    @Igar Volan has left the channel
  • y

    Yorokobi

    10/17/2023, 2:36 PM
    @Yorokobi has left the channel
  • s

    Slackbot

    10/30/2023, 5:24 PM
    This message was deleted.
  • h

    Hawson

    10/30/2023, 5:42 PM
    Thanks.
  • a

    Anudeep Seri

    11/15/2023, 4:48 PM
    Hello Team, We received a curl vulnerability (CVE-2022-43552) for Puppet open source 7.21. Is there any patch release to fix the issue to downgrade curl version below 7.69 or above 8.4.0?
  • c

    CVQuesty

    11/15/2023, 4:51 PM
    the latest 8.x solved the curl issue, I think. I seem to remember discussions going on here last week.
  • c

    CVQuesty

    11/15/2023, 4:52 PM
    https://www.puppet.com/docs/puppet/8/release_notes_puppet#security_fixes_puppet_x-8-3-0-PA-5848
  • a

    Anudeep Seri

    11/15/2023, 5:23 PM
    rpm -ivh puppet-agent-8.3.1-1.el7.x86_64.rpm
    warning: puppet-agent-8.3.1-1.el7.x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID 9e61ef26: NOKEY
    Verifying... ################################# [100%]
    Preparing... ################################# [100%]
    Updating / installing...
    1:puppet-agent-8.3.1-1.el7 ################################# [100%]
    [root@xxxxx tmp]# /opt/puppetlabs/puppet/bin/curl --version
    curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.11 zlib/1.2.11
    Release-Date: 2023-02-20
    Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp smtp smtps telnet tftp
    Features: alt-svc AsynchDNS HSTS HTTPS-proxy IPv6 Largefile libz SSL TLS-SRP UnixSockets

    I still see curl version is 7.88.1 and recommended fix is curl v8.4.0
  • s

    spp

    11/15/2023, 5:27 PM
    curl 7.88.1 is not vulnerable to CVE-2022-43552: https://nvd.nist.gov/vuln/detail/CVE-2022-43552. It is only known to affect below 7.87.0. There were recent curl CVEs CVE-2023-38545 and CVE-2023-38546. 38545 was patched in the most recent releases (7.27.0 and 8.3.1), although the curl package will still report as 7.88.1: https://www.puppet.com/docs/puppet/7/release_notes_puppet#security_puppet_x-7-27-0-PA-5848
  • s

    spp

    11/15/2023, 5:28 PM
    38546 will be patched in a future release, probably early 1Q2024.
  • a

    Anudeep Seri

    11/15/2023, 5:32 PM
    ok. will perform a scan check. Thanks for the response.
  • y

    Yadnyawalk Tale

    11/28/2023, 12:42 PM
    @spp do you know if puppet/puppet-agent was using OpenSSL SOCKS5 proxy?
  • y

    Yadnyawalk Tale

    11/28/2023, 12:43 PM
    (I mean, I could see we have released fixes for CVE-2023-38545 in 7.27.0 but wanted to know if we were impacted)
  • s

    Slackbot

    11/28/2023, 1:50 PM
    This message was deleted.
  • s

    Slackbot

    12/07/2023, 7:54 PM
    This message was deleted.
  • c

    Chris

    12/27/2023, 9:34 AM
    Hey! Does anyone have a strategy for renewing the hiera eyaml keypair? Do I really have to re-encrypt all the keys by hand?
  • c

    CVQuesty

    12/27/2023, 9:26 PM
    I mean, have one public and one private key on my Puppet server. I just generate new keys with the same name and move them into place. Should be a snap unless you created a ton of keys to all sorts of data points, then “yeah”, I think you’ll manually have to do that, but fortunately it’s only at the server.
    👍 1
  • h

    Hugo Haakseth

    02/22/2024, 8:16 AM
    https://github.com/advisories/GHSA-24rp-q3w6-vc56 I don't know Clojure, but it runs on jvm. Does anyone know if pgjdbc driver is in use?
  • r

    rnelson0

    03/29/2024, 5:24 PM
    @rnelson0 has left the channel
  • o

    Oleksandr Lytvyn

    05/23/2024, 7:19 PM
    Hello, I've sent an email to security@perforce.com about a potential issue with Puppet Forge. In case of questions, feel free to reach out to me.
    ✅ 1
  • c

    CVQuesty

    05/23/2024, 8:14 PM
    @binford2k
  • c

    CVQuesty

    11/26/2024, 7:35 PM
    @CVQuesty has left the channel
  • j

    jorhett

    01/15/2025, 10:21 PM
    Was there a change which prevents Puppet from writing out SSH keys to disk? I've got a situation that I've tested back and forth and sideways, and ANY content other than an OpenSSH private key ed25519 will write out to disk, but any OpenSSH key will write an empty file.