Package: puppet
Severity: critical
Tags: security
Justification: Potentially opens up a new security hole
Hi!

In the old days, users wanting the puppet binaries but not the puppet daemon would install the puppet-common but not the puppet package [0]. This changed when puppet 4.5 was uploaded to Debian; now the puppet package contained the binaries and the puppet-agent package contained the service [1]. This transition was done properly, as the new service packages would not be installed by default.

However, now somebody decided that it's a good idea to drop the puppet-agent package and move the service file back to the puppet package [1]. This is bad, very, very bad. Here's why:

1. As of today, there is apparently no package shipping only the binaries but not the service files.
2. I have quite a few systems where I occasionally run puppet manually, but which should never run puppet automatically.
3. Those systems began to look for a puppet master at the default server address "puppet" recently as the new package version got installed.
4. As a result, anybody with control over DNS could have responded and potentially taken over those systems.

Please understand that your change made my and potentially other people's systems vulnerable without even telling them about it. I urge you strongly to revert this change!

Best regards

Alexander Kurtz

[0] https://packages.debian.org/source/jessie/puppet
[1] https://tracker.debian.org/news/771535
[2] https://tracker.debian.org/news/833773