Source: puppetserver
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,

The following vulnerability was published for puppetserver.

CVE-2023-1894[0]:
| A Regular Expression Denial of Service (ReDoS) issue was discovered in
| Puppet Server 7.9.2 certificate validation. An issue related to
| specifically crafted certificate names significantly slowed down
| server operations.

This was fixed in 7.11.0:
https://www.puppet.com/security/cve/cve-2023-1894-puppet-server-redos

But given that, in the freeze, moving to a new release isn't possible, and looking at the repo, I think we could just as well backport these (the underlying PR is https://github.com/puppetlabs/puppetserver/pull/2700):

https://github.com/puppetlabs/puppetserver/commit/545998b71baf70e35dc60c287f2cb2fc11ef9be2 (7.11.0)
https://github.com/puppetlabs/puppetserver/commit/9e0239c19bc852b98c1a63fb33998de7eae388dc (7.11.0)

The bug report is https://tickets.puppetlabs.com/browse/PE-35786, but it's not accessible (at least to me).

Cheers,
Moritz

