Your message dated Sun, 14 May 2023 21:19:01 +0200
with message-id <[email protected]>
and subject line Re: Bug#1035674: pre-approval: unblock: puppetserver/7.9.5-2
has caused the Debian Bug report #1035674,
regarding pre-approval: unblock: puppetserver/7.9.5-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1035674: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035674
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:puppetserver
I would like to request an unblock to upload puppetserver/7.9.5-2 which
fixes two bugs using targeted fixes.
- #1032241 puppetserver - service unit fails to realize the main
process died
- #1035541 puppetserver: CVE-2023-1894
[ Reason ]
The main reason is to fix the denial-of-service security issue prior to
the release. The second fix has been in the source repository's main
branch for some time, awaiting release.
[ Impact ]
Accepting this release should not have any impact beyond puppetserver
itself.
[ Tests ]
Build and autopkgtest are passing. The service unit fix has been applied
locally on my production system for several weeks.
[ Risks ]
There is a (low) risk that the patches introduce new bugs.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
Thanks!
-- Jérôme
diff -Nru puppetserver-7.9.5/debian/changelog
puppetserver-7.9.5/debian/changelog
--- puppetserver-7.9.5/debian/changelog 2023-02-09 21:11:26.000000000 -0500
+++ puppetserver-7.9.5/debian/changelog 2023-05-07 11:09:17.000000000 -0400
@@ -1,3 +1,10 @@
+puppetserver (7.9.5-2) unstable; urgency=medium
+
+ * abort service start/reload if mainpid dies (Closes: #1032241)
+ * add patch fixing CVE-2023-1894 (Closes: #1035541)
+
+ -- Jérôme Charaoui <[email protected]> Sun, 07 May 2023 11:09:17 -0400
+
puppetserver (7.9.5-1) unstable; urgency=medium
* New upstream version 7.9.5
diff -Nru
puppetserver-7.9.5/debian/patches/0010-Backport-fix-for-CVE-2023-1894.patch
puppetserver-7.9.5/debian/patches/0010-Backport-fix-for-CVE-2023-1894.patch
--- puppetserver-7.9.5/debian/patches/0010-Backport-fix-for-CVE-2023-1894.patch
1969-12-31 19:00:00.000000000 -0500
+++ puppetserver-7.9.5/debian/patches/0010-Backport-fix-for-CVE-2023-1894.patch
2023-05-07 11:09:17.000000000 -0400
@@ -0,0 +1,127 @@
+From: =?utf-8?b?SsOpcsO0bWUgQ2hhcmFvdWk=?= <[email protected]>
+Date: Sun, 7 May 2023 11:00:09 -0400
+Subject: Backport fix for CVE-2023-1894
+
+Forwarded: not-needed
+Bug: https://tickets.puppetlabs.com/browse/PE-35786
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035541
+Origin:
+ commit,
https://github.com/puppetlabs/puppetserver/commit/9e0239c19bc852b98c1a63fb33998de7eae388dc
+ backport,
https://github.com/puppetlabs/puppetserver/commit/545998b71baf70e35dc60c287f2cb2fc11ef9be2
+---
+ .../puppetserver/certificate_authority.clj | 33 +++++++++++++++++---
+ .../puppetserver/certificate_authority_test.clj | 36 ++++++++++++++--------
+ 2 files changed, 52 insertions(+), 17 deletions(-)
+
+diff --git a/src/clj/puppetlabs/puppetserver/certificate_authority.clj
b/src/clj/puppetlabs/puppetserver/certificate_authority.clj
+index 46429f4..16ab834 100644
+--- a/src/clj/puppetlabs/puppetserver/certificate_authority.clj
++++ b/src/clj/puppetlabs/puppetserver/certificate_authority.clj
+@@ -787,6 +787,11 @@
+ (utils/subject-alt-names {:dns-name (conj default-alt-names host-name)}
false)
+ (utils/subject-alt-names (update alt-names-list :dns-name conj
host-name) false))))
+
++
++(def pattern-match-dot #"\.")
++(def pattern-starts-with-alphanumeric-or-underscore #"^[\p{Alnum}_].*")
++(def pattern-matches-alphanumeric-with-symbols-string
#"^[\p{Alnum}\-_]*[\p{Alnum}_]$")
++
+ (schema/defn validate-subject!
+ "Validate the CSR or certificate's subject name. The subject name must:
+ * match the hostname specified in the HTTP request (the `subject`
parameter)
+@@ -795,12 +800,16 @@
+ * not contain the wildcard character (*)"
+ [hostname :- schema/Str
+ subject :- schema/Str]
++ (log/debug (i18n/trs "Checking \"{0}\" for validity" subject))
++
+ (when-not (= hostname subject)
++ (log/infof "Rejecting subject \"%s\" because it doesn't match hostname
\"%s\"" subject hostname)
+ (sling/throw+
+ {:kind :hostname-mismatch
+- :msg (i18n/tru "Instance name \"{0}\" does not match requested key
\"{1}\"" subject hostname)}))
++ :msg (format "Instance name \"%s\" does not match requested key
\"%s\"" subject hostname)}))
+
+ (when (contains-uppercase? hostname)
++ (log/info (i18n/tru "Rejecting subject \"{0}\" because all characters
must be lowercase" subject))
+ (sling/throw+
+ {:kind :invalid-subject-name
+ :msg (i18n/tru "Certificate names must be lower case.")}))
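Review bot: the hostname-mismatch branch drops translation here: `:msg (i18n/tru "Instance name ...")` becomes `:msg (format "Instance name \"%s\" ...")`, and the new log line uses `log/infof` with `%s`, while every other log line added by this patch uses `(log/info (i18n/tru ...))`. If this is being carried verbatim from the upstream commit it is fine to keep for fidelity; otherwise keeping `i18n/tru` for the user-facing error and the same `log/info`/`i18n/tru` form for the log keeps the message translatable and the logging style uniform.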
+@@ -809,11 +818,25 @@
+ (sling/throw+
+ {:kind :invalid-subject-name
+ :msg (i18n/tru "Subject contains a wildcard, which is not allowed:
{0}" subject)}))
+-
+- (when-not (re-matches
#"^([a-z0-9](?:(?:[a-z0-9\-_]*|(?<!-)\.(?![\-.]))*[a-z0-9]+)?)$" subject)
++
++ (when (str/ends-with? subject "-")
++ (log/info (i18n/tru "Rejecting subject \"{0}\" as it ends with an invalid
character" subject))
+ (sling/throw+
+- {:kind :invalid-subject-name
+- :msg (i18n/tru "Subject hostname format is invalid")})))
++ {:kind :invalid-subject-name
++ :msg (i18n/tru "Subject hostname format is invalid")}))
++
++ (let [segments (str/split subject pattern-match-dot)]
++ (when-not (re-matches pattern-starts-with-alphanumeric-or-underscore
(first segments))
++ (log/info (i18n/tru "Rejecting subject \"{0}\" as it starts with an
invalid character" subject))
++ (sling/throw+
++ {:kind :invalid-subject-name
++ :msg (i18n/tru "Subject hostname format is invalid")}))
++
++ (when-not (every? #(re-matches
pattern-matches-alphanumeric-with-symbols-string %) segments)
++ (log/info (i18n/tru "Rejecting subject \"{0}\" because it contains
invalid characters" subject))
++ (sling/throw+
++ {:kind :invalid-subject-name
++ :msg (i18n/tru "Subject hostname format is invalid")}))))
+
+ (schema/defn allowed-extension?
+ "A predicate that answers if an extension is allowed or not.
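Review bot: a subject made only of dots, e.g. `.`, appears to escape the new checks with an exception rather than a clean rejection: `str/split` delegates to Java `String.split`, which drops trailing empty strings, so `(str/split "." pattern-match-dot)` is an empty vector, `(first segments)` is `nil`, and `re-matches` on `nil` throws a `NullPointerException` instead of the expected `:invalid-subject-name`. Guarding with `(when (or (empty? segments) (not (re-matches pattern-starts-with-alphanumeric-or-underscore (first segments)))) ...)` closes that. The core change is sound: the removed `^([a-z0-9](?:(?:[a-z0-9\-_]*|(?<!-)\.(?![\-.]))*[a-z0-9]+)?)$` nests a `*` inside a repeated group with overlapping alternatives, which backtracks exponentially on a long non-matching subject, while the replacement splits on `.` and checks each segment with anchored patterns that have no nested quantifiers, so validation time is linear in the subject length. Two consequences of the split deserve a short comment in the code: trailing dots are now accepted because of the same `String.split` behaviour (the test changes show this is intended), whereas an empty inner segment as in `a..b` still fails `pattern-matches-alphanumeric-with-symbols-string`.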
+diff --git a/test/unit/puppetlabs/puppetserver/certificate_authority_test.clj
b/test/unit/puppetlabs/puppetserver/certificate_authority_test.clj
+index 7df5e75..c8d4c7a 100644
+--- a/test/unit/puppetlabs/puppetserver/certificate_authority_test.clj
++++ b/test/unit/puppetlabs/puppetserver/certificate_authority_test.clj
+@@ -1635,19 +1635,31 @@
+ (validate-subject!
+ "" ""))))
+
+- (testing "an exception is thrown when the hostnames contain multiple dots
in a row"
+- (is (thrown+?
+- [:kind :invalid-subject-name
+- :msg "Subject hostname format is invalid"]
+- (validate-subject!
+- "rootca..example.org" "rootca..example.org"))))
++ (testing "subjects that end end in dot are valid"
++ (is (nil?
++ (validate-subject!
++ "rootca." "rootca."))))
+
+- (testing "an exception is thrown when the hostnames end in dot"
+- (is (thrown+?
+- [:kind :invalid-subject-name
+- :msg "Subject hostname format is invalid"]
+- (validate-subject!
+- "rootca." "rootca."))))
++ (testing "subjects that end in an underscore are valid"
++ (is (nil?
++ (validate-subject!
++ "rootca_" "rootca_"))))
++
++ (testing "subjects that start in an underscore are valid"
++ (is (nil?
++ (validate-subject!
++ "_x-puppet._tcp.example.com" "_x-puppet._tcp.example.com"))))
++
++ (testing "single letter segments are valid"
++ (is (nil?
++ (validate-subject!
++ "a.example.com" "a.example.com")))
++ (is (nil?
++ (validate-subject!
++ "_.example.com" "_.example.com")))
++ (is (nil?
++ (validate-subject!
++ "foo.a.example.com" "foo.a.example.com"))))
+
+ (testing "Single word hostnames are allowed"
+ (is (nil?
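Review bot: the test for `rootca..example.org` (consecutive dots) is removed, but the new code still rejects that input, because the empty middle segment does not match `pattern-matches-alphanumeric-with-symbols-string` and the thrown `:msg "Subject hostname format is invalid"` is unchanged; keeping that test would lock the behaviour in rather than leaving it untested. Minor: the new test name `(testing "subjects that end end in dot are valid"` has a doubled `end`.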
diff -Nru puppetserver-7.9.5/debian/patches/series
puppetserver-7.9.5/debian/patches/series
--- puppetserver-7.9.5/debian/patches/series 2023-02-09 21:11:26.000000000
-0500
+++ puppetserver-7.9.5/debian/patches/series 2023-05-07 11:09:17.000000000
-0400
@@ -7,3 +7,4 @@
0007-Adapt-JRuby-environment-test-for-Debian.patch
0008-Adjust-defaults-paths.patch
0009-Remove-call-to-symlink-cadir.patch
+0010-Backport-fix-for-CVE-2023-1894.patch
diff -Nru puppetserver-7.9.5/debian/puppetserver.service
puppetserver-7.9.5/debian/puppetserver.service
--- puppetserver-7.9.5/debian/puppetserver.service 2023-02-09
21:11:26.000000000 -0500
+++ puppetserver-7.9.5/debian/puppetserver.service 2023-03-12
11:08:38.000000000 -0400
@@ -15,6 +15,10 @@
UMask=027
+# the startup and reload commands rely on the trapperkeeper
+# restartfile to sync with the process' internal readiness
+# if the mainpid dies while loading, it will abort
+
ExecStartPre=sh -c "echo -n 0 > ${RUNTIME_DIRECTORY}/restart"
ExecStart=/usr/bin/java $JAVA_ARGS \
-Djruby.lib=/usr/share/jruby/lib \
@@ -25,12 +29,11 @@
--bootstrap-config /etc/puppet/puppetserver/services.d \
--restart-file ${RUNTIME_DIRECTORY}/restart \
$TK_ARGS
-ExecStartPost=sh -c "while ! head -c1 ${RUNTIME_DIRECTORY}/restart | grep -q
'^1'; do sleep 1; done"
+ExecStartPost=sh -c "while ! head -c1 ${RUNTIME_DIRECTORY}/restart | grep -q
'^1'; do kill -0 $MAINPID && sleep 1 || exit 1; done"
-ExecReload=sh -c " \
- echo -n 0 > ${RUNTIME_DIRECTORY}/restart; \
- kill -HUP $MAINPID; \
- while ! head -c1 ${RUNTIME_DIRECTORY}/restart | grep -q '^1'; do sleep 1;
done"
+ExecReload=sh -c "echo -n 0 > ${RUNTIME_DIRECTORY}/restart"
+ExecReload=kill -HUP $MAINPID
+ExecReload=sh -c "while ! head -c1 ${RUNTIME_DIRECTORY}/restart | grep -q
'^1'; do kill -0 $MAINPID && sleep 1 || exit 1; done"
SuccessExitStatus=143
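Review bot: `kill -0 $MAINPID` in the new `ExecStartPost=` and `ExecReload=` loops only tests that the PID still exists, so a JVM that hangs during start-up (rather than dying) still loops until the unit's start timeout expires and systemd kills it; the comment added in the previous hunk should say that the loop relies on that timeout, and `TimeoutStartSec=` should be checked against puppetserver's JRuby start-up time. Splitting the old single `ExecReload=sh -c " ... "` into three commands is an improvement: a failing `kill -HUP $MAINPID` now fails the reload immediately instead of polling forever as the old script would. One nit: `kill -0 $MAINPID && sleep 1 || exit 1` also exits 1 if `sleep` itself fails; `if ! kill -0 $MAINPID; then exit 1; fi; sleep 1` states the intent more plainly.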
--- End Message ---
--- Begin Message ---
Hi,
On 11-05-2023 17:36, Jérôme Charaoui wrote:
> Uploaded to unstable. Thanks!
and unblocked and aged.
Paul
PS: while not a regression, the autopkgtest fails on armel. Have you
checked why that is?
--- End Message ---