On Apr 16, 2015, at 11:40 PM, Michael Stahnke <stah...@puppetlabs.com> wrote: > In particular, isn’t Puppet vulnerable to this problem? > https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/ > > Only if you're using a 3rd party CA , which 99.9% of users do not do and > using wildcards.
So I haven’t the time to setup a test for this, but my reading of the exploit seemed to indicate that problems with trust within an entirely Puppet-managed CA were possible. Also, my clients tend to be large enterprises, where wildcards are de facto and 3rd party CAs are common. The same large enterprises that can’t deploy something with known CVEs of this nature against it. So this exploit is more likely to affect you, the larger you are. -- Jo Rhett +1 (415) 999-1798 Skype: jorhett Net Consonance : net philanthropy to improve open source and internet projects. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/D9C70799-196C-42B5-BBB5-2D2B5D44C19E%40netconsonance.com. For more options, visit https://groups.google.com/d/optout.
