On 2017-05-24 12:51:54, Apollon Oikonomopoulos wrote:

> On 23:44 Mon 22 May , Apollon Oikonomopoulos wrote:
>> On 22:53 Sun 21 May , Ola Lundqvist wrote:
>> > Dear maintainer(s),
>> >
>> > The Debian LTS team would like to fix the security issues which are
>> > currently open in the Wheezy version of puppet:
>> > https://security-tracker.debian.org/tracker/CVE-2017-2295
>> >
>> > Would you like to take care of this yourself?
>> >
>> > If yes, please follow the workflow we have defined here:
>> > https://wiki.debian.org/LTS/Development
>> >
>> > If that workflow is a burden to you, feel free to just prepare an
>> > updated source package and send it to debian-lts@lists.debian.org
>> > (via a debdiff, or with a URL pointing to the source package,
>> > or even with a pointer to your packaging repository), and the members
>> > of the LTS team will take care of the rest. Indicate clearly whether you
>> > have tested the updated package or not.
>> >
>> > If you don't want to take care of this update, it's not a problem, we
>> > will do our best with your package. Just let us know whether you would
>> > like to review and/or test the updated package before it gets released.
>>
>> Thanks for bringing the issue to our attention!
>>
>> I'll address the issue soon for Sid/Stretch and Jessie, and will try to
>> fix Wheezy as well. Unfortunately, it looks like the fix for wheezy
>> might not be trivial; we need to check if the agent will still be able
>> to send facts to the server, as PSON is not the default format in Puppet
>> 2.7.
>
> So, from my understanding the version in Wheezy cannot be fixed: the 2.7
> agents only use YAML to send out facts and upstream's fix is to simply
> not accept anything other than PSON. Whitelisting YAML defeats the
> purpose, as it's YAML's deserialization of untrusted data that leads to
> remote code execution.

Are you sure of this? From what I can tell agents haven't been sending
YAML in a long time. If I understand things correctly, facts are sent in
a format defined by the `preferred_serialization_format`, which currently
(in wheezy) defaults to `pson`. It has been that way since upstream
1a89455499 (2009-06-03) which seems to have been shipped in
puppet-0.24.5-rc4.

My assertion, at this point, is that clients send facts in PSON, not
YAML, and it's safe to disable other formats. This means, of course, that
*older* clients (!) will break, but I think that's a fair move to do at
this point. I will work on a package update based on that assumption.

> Any ideas welcome here, but I seriously doubt there's much we can do to
> be completely safe, other than encourage people to move to 3.7 from
> wheezy-backports. Puppet 2.7 has been EOL for way too long anyway.

That's true. Unfortunately, porting from 2.7 to 3.7 is non-trivial,
especially for folks that have large manifest collections. So many of
our users are stuck there. We should try and support them as much as we
can.

A.

--
Non qui parum habet, sed qui plus cupit, pauper est.
It is not the man who has too little, but the man who craves more, that is poor.
- Lucius Annaeus Seneca (65 AD)
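The format whitelist the thread describes as upstream's fix, written out as an added Ruby example (not Puppet's own code, nor part of this thread): facts are parsed only when labelled `pson`, treated here as plain JSON, and anything else, YAML included, is refused before any deserializer touches the body. `deserialize_facts`, `accepted?`, the `UnsafeFactFormat` class and the sample inputs are constructed for this illustration.

```ruby
require 'json'

# Constructed example (not Puppet's code): accept agent facts only in
# PSON, handled here as ordinary JSON, and refuse YAML, which would
# need YAML.load on untrusted input. Mirrors the fix described in the
# thread: whitelist the one safe format, reject everything else.

class UnsafeFactFormat < StandardError; end

# The only serialization format a server should deserialize facts from.
ALLOWED_FACT_FORMATS = ['pson'].freeze

# Parse a facts submission, or raise if its format is not whitelisted
# or its body is not a JSON object.
def deserialize_facts(format, body)
  fmt = format.to_s.downcase.strip
  unless ALLOWED_FACT_FORMATS.include?(fmt)
    raise UnsafeFactFormat, "refusing facts in format #{fmt.inspect}"
  end
  data = JSON.parse(body)
  raise UnsafeFactFormat, 'facts body is not an object' unless data.is_a?(Hash)
  data
end

# Convenience wrapper: true only when the submission was accepted.
def accepted?(format, body)
  deserialize_facts(format, body)
  true
rescue UnsafeFactFormat, JSON::ParserError
  false
end

# Constructed sample facts in PSON/JSON, as an agent using the default
# preferred_serialization_format would send them.
SAMPLE_PSON = '{"name":"agent1.example","values":{"osfamily":"Debian","kernel":"Linux"}}'
# Constructed YAML sample with the same content; refused on format alone.
SAMPLE_YAML = "---\nname: agent1.example\nvalues:\n  osfamily: Debian\n"

if __FILE__ == $PROGRAM_NAME
  puts "pson accepted: #{accepted?('pson', SAMPLE_PSON)}"
  puts "yaml accepted: #{accepted?('yaml', SAMPLE_YAML)}"
end
```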