Puppet 2.7.4 is available.  This release of Puppet includes a
security fix for CVE-2011-3848.

Puppet 2.7.4 is an enhancement + security release of Puppet on the
2.7.x branch.  Due to the security patches included, it is recommended
that anybody using the 2.7.x series update to 2.7.4.

The significant highlights on this release are outlined below.  At a
high level, there are lots of Windows fixes/features, some
storedconfigs indirection, a security patch, and more.

This is 2.7.4rc3 + the one security patch for CVE-2011-3848.



This release is available for download at:
http://downloads.puppetlabs.com/puppet/

Release Notes have been updated:
https://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes#2.7.4

See the Verifying Puppet Download section at:
http://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet

Please report feedback via the Puppet Labs Redmine site, using an
affected version of 2.7.4
http://projects.puppetlabs.com/projects/puppet

RPMs are available at http://yum.puppetlabs.com/el

Puppet is also available via Rubygems at http://rubygems.org

Documentation is available at:
http://docs.puppetlabs.com/index.html






2.7.4 Release Notes
===

## CVE-2011-3848

    Resist directory traversal attacks through indirections.

    In various versions of Puppet it was possible to cause a directory traversal
    attack through the SSLFile indirection base class.  This was variously
    triggered through the user-supplied key, or the Subject of the certificate,
    in the code.

    Now, we detect bad patterns down in the base class for our indirections, and
    fail hard on them.  This reduces the attack surface with as little
    disruption to the overall codebase as possible, making it suitable to deploy
    as part of older, stable versions of Puppet.

    In the long term we will also address this higher up the stack, to prevent
    these problems from reoccurring, but for now this will suffice.

    Huge thanks to Kristian Erik Hermansen <kristian.herman...@gmail.com> for
    the responsible disclosure, and useful analysis, around this defect.
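
The class of defect and the "detect bad patterns in the base class and fail hard" mitigation described above can be illustrated as follows. This is an added example, not Puppet's SSLFile code or the actual patch; `FileStore`, `BadKey`, the `.pem` layout and the sample keys are all hypothetical and constructed for illustration.

```ruby
# Hypothetical file-backed store keyed by a caller-supplied name
# (for example a certificate name). Not Puppet's implementation.
class FileStore
  class BadKey < ArgumentError; end

  def initialize(base_dir, ext = '.pem')
    @base_dir = File.expand_path(base_dir)
    @ext = ext
  end

  # 'Before' form: the key is joined straight into the path.
  def unsafe_path(key)
    File.join(@base_dir, key + @ext)
  end

  # True when the unchecked path resolves outside the base directory.
  def unsafe_escapes?(key)
    !File.expand_path(unsafe_path(key)).start_with?(@base_dir + File::SEPARATOR)
  end

  # Hardened form: reject bad patterns first, then confirm containment.
  def path(key)
    key = key.to_s
    raise BadKey, 'empty key' if key.empty?
    raise BadKey, 'NUL byte in key' if key.include?("\0")
    raise BadKey, 'path separator in key' if key =~ %r{[/\\]}
    raise BadKey, 'dot-only key' if key =~ /\A\.+\z/
    full = File.expand_path(File.join(@base_dir, key + @ext))
    unless full.start_with?(@base_dir + File::SEPARATOR)
      raise BadKey, 'resolved path escapes base directory'
    end
    full
  end

  # Every lookup goes through #path, so subclasses inherit the check.
  def find(key)
    file = path(key)
    File.exist?(file) ? File.read(file) : nil
  end
end

# Constructed sample keys: two ordinary names followed by malformed ones.
SAMPLE_KEYS = ['agent01.example.com', 'ca', '../../outside', '..',
               'sub/dir', "name\0", '', 'a\\b'].freeze

# Splits keys into [accepted, rejected] according to the hardened check.
def classify_keys(store, keys)
  keys.partition do |k|
    begin
      store.path(k)
      true
    rescue FileStore::BadKey
      false
    end
  end
end

if __FILE__ == $0
  store = FileStore.new('/var/lib/example/ssl') # constructed path
  accepted, rejected = classify_keys(store, SAMPLE_KEYS)
  puts "accepted: #{accepted.inspect}"
  puts "rejected: #{rejected.inspect}"
end
```

Placing the check in the one method that builds paths means a new caller cannot skip it, which is the property the release note relies on for back-porting to older branches.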

## Allow cron vars to have leading whitespace

    Fix #9440

    Patch applied from Jeremy Thornhill. This allows whitespace to appear before
    cron variables. Previously, whitespace before cron variables would trigger a
    parse failure, and the crontab, except for the puppet managed portion, would
    get removed. This addresses that issue. It also includes a test for this
    issue, added into the tests directory, which seems to be where the crontab
    tests live.

## Write out a list of resources that are managed by puppet agent

    Feature #8667

    Similar to how the Puppet classes are written out each catalog apply,
    the list of resources is now being written out to a text file that can
    be easily used by tools like MCollective.  This allows tools that do
    ad-hoc management of resources to know if they're changing a resource
    that puppet manages, and adjust behavior accordingly.

## Fix value validation on options

    Fix #7114

    Support single options that legally include a comma like
    "from=host1,host2". We now basically allow either "word" or "key=value"
    as options. That's also what the parsedfile provider currently supports
    when parsing options.

## GigabitEthernet/TenGigabitEthernet are uncorrectly parsed

    Fix #7984

    The interface name abbreviation to canonical name doesn't return
    the correct name for GigabitEthernet and doesn't support TenGigabitEthernet
    interfaces.

## Allow macauthorization provider to work on OS X Lion 10.7

    Fix #9143

    We've flipped around the confine check so we explicitly exclude the
    versions of OS X where this provider won't work, rather than working
    from a whitelist.


## Move complex collect expression error into terminus.

    Fix #9051

    When the StoreConfig system was extracted from core to a set of termini,
    most of the rules about permitted syntax were pushed down into the same
    place, to allow them to also be replaced.

    One set of restrictions was missed, the limitation that complex search
    criteria (like and, or, or parenthetical expressions) were not permitted,
    and remained in our parser.

    Now, they live in the terminus, and we enforce them only there. This ensures
    that StoreConfigs can be replaced with a back-end that supports complex
    collection criteria without other changes to the Puppet core.

## Don't rely on error message to detect UAC capable platform

    Fix #8662

    The call to Win32::Security.elevated_privileges? can raise an
    exception when running on a pre-Vista computer or if the process fails
    to open its process token.

    Previously, we were looking at the exception message to determine
    which case it was. However, Windows 2003 and 2003 R2 return different
    error codes (and therefore messages) for the pre-Vista case. In 2003,
    it returns error code 1 (Incorrect function), but in 2003 R2 it
    returns 87 (The parameter is incorrect). Since SUIDManager was only
    looking for Incorrect function, SUIDManager.root? would always return
    false on 2003 R2.

    Ideally, we could just check if the GetTokenInformation Win32 API was
    available, and only call it on platforms where it makes sense. But
    this API is available on all recent versions of Windows. What's new in
    Vista and up is the TokenElevation value of the
    TOKEN_INFORMATION_CLASS enumeration.

    This commit changes the suidmanager to only call GetTokenInformation
    when the major kernel version, as reported by facter, is 6.0 or
    greater, which corresponds to Vista/2008. See:

    http://msdn.microsoft.com/en-us/library/ms724833(v=vs.85).aspx

## Add MSI package provider for use with Windows

    Feature #8412

    This provider takes some of its inspiration from the appdmg provider
    used with OS X.  It will maintain a list of packages that have been
    installed and removed from the system via the provider in a directory
    under Puppet's vardir called db/package/msi.  These state files will
    be named the same as the resource name with '.yml' appended.  The
    state files will be a hash containing the resource name, the install
    options used, and the source location of the MSI.

    Any properties that a user wishes to provide to the MSI can be
    specified as key/value pairs in the install_options parameter.  For
    example:

      package { 'mysql':
        provider => msi,
        source => 'E:\mysql.msi',
        ensure => installed,
        install_options => { 'INSTALLDIR' => 'C:\mysql' },
      }

    The MSI properties specified by install_options will be appropriately
    quoted when invoking msiexec.exe to install the MSI.

    Because the source parameter is integral to the functionality of being
    able to install and uninstall MSI packages, we also override
    validate_source to make sure that the source parameter is always set,
    and is not an empty string when using this provider.

## Add a Windows exec provider

    Feature #8140

    This provider inherits from the Puppet::Provider::Exec class, and is
    very similar to the posix provider in its behavior. This provider
    doesn't have the ability to run as a particular user or group and will
    fail if that is attempted, but does support setting all other
    parameters, as well as autorequires.

    Rather than the shell provider inheriting from the posix provider, they
    both now inherit from a common Puppet::Provider::Exec class. This new
    base class and inheritance structure will allow the forthcoming windows
    provider to also inherit from that class, rather than from the
    unsuitable posix provider.

    Also, now that Puppet::Util.execute supports commands as strings in
    addition to arrays, the command to execute is passed to
    Puppet::Util::SUIDManager.run_and_capture as a string, rather than a
    string wrapped in an array. This ensures we will never improperly quote
    a command with arguments provided as a single string.

## Default config dir to %PROGRAMDATA% on Windows

    Fix #8660

    The puppet install.rb script now defaults the config directory to
    %PROGRAMDATA%\PuppetLabs\puppet\etc on Windows. This is more in line
    with Windows best-practices, as this directory is used to store
    application data across all users. The PROGRAMDATA environment
    variable also takes into account alternate system drives, by using the
    SYSTEMDRIVE environment variable.

    Note that the Dir::COMMON_APPDATA constant is so named because it
    corresponds to the CSIDL_COMMON_APPDATA constant, which on 2000, XP,
    and 2003 is %ALLUSERSPROFILE%\Application Data, and on Vista, Win7 and
    2008 is %SYSTEMDRIVE%\ProgramData.

    This commit also updates puppet's default run_mode var and conf
    directories when running as "root" to match the install script, and
    fixes the spec test, which was looking in the Dir::WINDOWS directory.


Full changelog:

2.7.4
===
41f23f1 Update CHANGLEOG for 2.7.4
47135fb Resist directory traversal attacks through indirections.
9dd18cf Updated CHANGELOG for 2.7.4rc3
fe92f20 (#9440) Allow cron vars to have leading whitespace
da69637 Fix failing spec for resource file
7a39ca7 (#8667) Write out a list of resources that are managed by puppet agent
bc40516 Fix order dependent spec failure in exec specs
a20551f Updated CHANGELOG for 2.7.4rc2
d59a0b3 Update certificate_spec.rb test to include spec_helper
f325b40 Fix #7984 - GigabitEthernet/TenGigabitEthernet are uncorrectly parsed
6cc15c2 Fix #7983 - Cisco uptime facts doesn't always work
41302e9 Fixes #9143, allows macauthorization provider to work on OS X Lion 10.7
5a3f24d Updated CHANGELOG for 2.7.4rc1
04519a7 Revert "Merge pull request #100 from glarizza/tickets/2.7.x/9192_launchd_fix"
769f2b2 Revert "Merge pull request #99 from nigelkersten/tickets/2.7.x/9143-make-macauthorization-work-on-lion"
ff13d8d Add comment explaining helper method
40f64e9 Add has_macosx_plist_overrides? method
670d30c Fix ActiveRecord handling of symbols in query interpolation.
51b0c00 Fixes #9143, allows macauthorization provider to work on OS X Lion 10.7
a04051a (#9051) Move complex collect expression error into terminus.
f7e526b (#8413) Only try to catch Process::Error if it's defined
2c96286 Debug order-dependent test failures in CI / ActiveRecord.
38070d5 Don't toggle storeconfigs back and forth.
cf60243 One character typo, entire code path broken...
40dc39c More protection against accidentally using sqlite3
f898749 Save and restore indirector configuration around all tests.
e3073ac (#9051) More storeconfigs test cleanup.
51461de (#9051) Protect SQLite tests from running without gem.
bb0380f (#8662) Don't rely on error message to detect UAC capable platform
2ab5634 (#8413) Properly clean up stale pidfile on Windows
cc958e1 (#8412) Add MSI package provider for use with Windows
878ea25 (#8412) Add optional type-level validation of the source parameter
dad075d Correct grammar in parameter comment
4168a4c Clean up formatting & whitespace in Puppet::Type
fd1d4b9 (#9051) de-ActiveRecord-ify Collection expressions.
78e33cc (#9051) Port query tests into the indirection.
65580e7 (#9051) Implement the `resource` terminus for StoreConfigs.
89aaa51 (#9051) Make generic tagging imported resource origins.
d5b295d (#9051) Whitespace cleanup for puppet/parser/collector
611c466 (#9051) Dead code elimination in the compiler terminus.
6e0ff6a (#9051) Get the compiler out of the ActiveRecord business.
4d51680 (#9051) Implement the StoreConfigs indirection itself.
d0357c8 (#9051) Add configuration around StoreConfigs indirection.
8700682 (#9051) de-ActiveRecord-ify Collection expressions.
4274e15 (#9174) Provide a helpful error when missing a gem and installing on Windows
f53db3d Clean up formatting & whitespace in package type & providers
6dff78c (#8489) Use File::PATH_SEPARATOR in path attribute of service type
64dbd3b (#8489) Use File::PATH_SEPARATOR for path attribute of exec type
3e40207 (#8489) Use File::PATH_SEPARATOR rather than ':' for factpath setting
c469294 (#8489) Use File::PATH_SEPARATOR rather than ':' for args to puppet doc
a2ced0f Properly determine file deletion in puppet/unit/util_spec.rb
bc5f1e3 (#9051) Port query tests into the indirection.
fa78e99 (#9051) Implement the `resource` terminus for StoreConfigs.
f6b91be (#8140) Add an exec provider for Windows
18c322a (#8410) Factor out a base class for exec providers
cb53870 (#8410) Cleanup and fix Windows support in Puppet::Util.execute
39a582b (#8410) Use absolute_path? for Puppet::Parameter::Path validation
fb6df31 (#8410) Add a helper to Puppet::Util to determine absoluteness of a path
c2a432a maint: Fix trailing whitespace in lib/puppet/util.rb
fab2fe7 (#9051) Make generic tagging imported resource origins.
5300368 (#9051) Whitespace cleanup for puppet/parser/collector
6420ede (#9051) Dead code elimination in the compiler terminus.
543f331 (#9051) Get the compiler out of the ActiveRecord business.
4b55e72 (#9051) Implement the StoreConfigs indirection itself.
0f207a8 (#8662) Don't manage internal file permissions on Windows
47058ab (#8662) Skip user and group resources when applying settings on Windows
2ac8790 (#8662) Fix Puppet.features.root? on Windows
ccdd043 (#8662) Break circular feature dependency
4b29f5f (#9051) Add configuration around StoreConfigs indirection.
9f39cc4 maint: Stub spec test so directory is not created unnecessarily
66fb531 Don't use non-1.8.5-compatible methods 'Object#tap' and 'Dir.mktmpdir'
2091cbe maint: Fix build break due to recent merge from 2.7.x to master
2681ca5 Fix posix exec provider spec failures on Windows
3812fc3 (#5495) Remove dead Windows-specific code from posix exec provider
b6ca78c Stop trying to make config directories in Windows specs
4237cb1 (#8272) Add missing tests for Windows service provider methods.
a32c8be (#8409) Add a default group provider for Windows
4f7170a (#8408) Add a default user provider for Windows
f19a0ea (#8408/8409) Add a Windows ADSI helper module
6919d2c (#8663) Exclude exec timeout test on Windows
8009209 (#8663) Exclude git rev-parse HEAD spec test on Windows
a0013e4 Check for the appropriate permissions in File type tests on Windows
58c7dac Remove :fails_on_windows from file type tests that no longer fail on Windows
9f2a7b9 Disable file bucket diffing tests on Windows
1e59b26 Always put a slash between the checksum and path in filebucket URLs
37f87b7 Treat Windows absolute paths as absolute paths
4a6d617 Consolidate test logic determining if a registered file is in the temp directory
8c88918 Clarify logic and error messages when initializing Puppet::FileBucket::File
2efaa85 Disable symlink related file tests on Windows
7259e1e (#8644) Host provider on Windows
328eaa2 (#8660) Fix destdir option on Windows
088c7ac (#8660) Default config dir to %PROGRAMDATA% on Windows
925af95 (#8663) Disable spec tests for unsupported functionality on Windows
04965d7 (#8663) Drive letters are not valid absolute paths on Windows
f4598ec (#8663) Update the run_mode spec test on Windows to match the code
68bdc74 (#8663) The ssh_authorized_key type is not supported on Windows
9fbb0be (#8663) Reenable spec tests on Windows that now pass
c930152 (#8392) Disable master related tests on Windows
28b1658 (#8272) Allow disabled Windows services to be started
c69baf6 (#8272) Refactor specs for Windows service provider
881c385 (#8272) Use symbols instead of booleans for enabled property on Windows
9c575bd (#8272) Fixup logging in Windows service provider
ad29bf6 Fix issue with forward and backslashes in Windows paths
eaa7d92 Disable spec tests for unsupported functionality on Windows
945bf74 Update certificate spec tests for Windows
3be4d79 Add basic service provider for Windows
d9a693d Regexp escape substituted commands in Windows wrapper script
49d1e9d Rework Puppet::Util::Cacher to only expire using TTLs
9849d56 Remove use of Puppet::Util::Cacher in Puppet::SSL::Host
028b795 Remove dead uses of Puppet::Util::Cacher from autoloader
7c4dbeb Remove Puppet::Util::Cacher use from Puppet::Indirector::Indirection
d6e0b71 Remove caching from the catalog, types, and parameters
d49dd9e Remove cached_attrs from Puppet::Type::File
546e0f9 Remove Puppet::Util::Cacher usage from Puppet::Util::Settings
b6b5498 Remove Util::Cacher usage from SSL::CertificateAuthority
777b2f2 Remove unused require 'puppet/util/cacher' from Network::HttpPool
41425bd Remove use of Util::Cacher from FileServing::Mount::File
8d53090 Remove use of Util::Cacher in FileServing::Configuration
3093047 Remove Puppet::Network::HttpPool keep_alive handling
57d6217 Fix spec test failure on 1.9.2
5d3a40f Maint: Fix miscellaneous tests
ce0c258 Maint: Don't test for extended signals on Windows
bdc9790 Maint: Tagged spec tests that are known to fail on Windows
c26f3e5 Fix tests with "relative" paths on Windows
bfeb337 (#8268) Require windows drive letters in absolute file paths
fe81dec (#8489) Consistently use File::PATH_SEPARATOR
a437812 (#8356) Specify setting type for color
af2446a (#8268) Fix resource harness spec tests
d9c3b0f (#8356) Color defaults to false on Windows
9ebe500 Disable the master on Windows instead of blowing up with failed resources
7467a08 (#7581) Provide more detailed error message when missing gems on Windows
654de01 Maint: Correct docs for filebucket type and file's backup parameter
b623826 Maint: Fix line wrapping in create_resources function
fd7332b maint: remove inaccurate copyright and license statements.
a8b27de Maint: Improve create_resources function's doc string
5f22985 maint: Fix order dependent test failure
7ac1093 (#8037) Fix incorrect example in Augeas type reference
35c1006 (#9039) Update Augeas commands documentation
2bf6721 Reset indirector state after configurer tests.
e9b558d Fix posix exec provider spec failures on Windows
b28bcb0 (#5495) Remove dead Windows-specific code from posix exec provider
2297899 Do not leak indirector state from apply tests
b52fbf4 (#8612) Clarify the function of the example for exec's "creates" parameter
bb224dd (#8770) Don't fail to set supplementary groups when changing user to root
2a0de12 (#8770) Always fully drop privileges when changing user
00c4b25 (#8662) Migrate suidmanager test case to rspec
d7c9c76 (#8740) Do not enumerate files in the root directory.
39da99d (#4411) Explain that runinterval = 0 does not mean "never run"
4146a33 Maint: Fix missing option text in puppet agent and arrange options alphabetically
0e00473 (#3553) Explain that cron resources require time attributes
769d432 (#8302) Improve documentation of exec providers
76d45d2 (#7853) Clarify and complete docs for the tagmail report processor
d60852b Maint: Mention that audit metaparameter will accept "all"
51d989e Maint: Adjust wording for file type's content parameter
a110d83 Maint: Fix poor documentation for versioncmp function.
746a374 maint: Fix case sensitive require
310bd55 maint: Add inspect app options to help
3a19628 maint: Fix inspect help
344aef9 (#8808) Fail Augeas resource when unable to save changes
c209f62 Add document outlining preferred contribution methods
839e7c9 (#7999) Add some basic tests of the systemd provider
1cae354 (#7999) Add a service provider that manages systemd services natively
3b152e4 (#7114) Fix value validation on options
aa1b36f (#7114) Add tests for option property
