*Puppet Windows Community:*
*On Friday, some users experienced changes to permissions when upgrading Windows agents to one of the puppet-agent versions listed below using the Chocolatey package manager. Since Friday, we have been working very hard to resolve this issue. On Friday, all of the affected versions were removed from our download site, soon after the issue was first reported.We currently have a fix merged. We will ship updated packages as soon as they are available. This issue appears to be limited to a very specific set of circumstances that are described below. Please follow the Jira ticket PA-2075 <https://tickets.puppetlabs.com/browse/PA-2075> if you are interested in tracking progress on this issue.Affected versions:*Puppet Agent 1.10.13, 5.3.7, and 5.5.2 These Puppet Agent versions were included in Puppet Enterprise 2016.4.12, 2017.3.7, and 2018.1.1 *Overview of the issue:In specific circumstances, the Puppet Agent 5.5.2 (and 1.10.13, 5.3.7) MSI installers were triggering a permissions change unexpectedly. This issue does not occur when using our recommended method for installing or upgrading <https://puppet.com/docs/pe/2018.1/upgrading/upgrading_agents.html>the Puppet Agent. This issue can be triggered if you attempt to run the MSI installer for an affected version a second time from the command line when that version is already installed. This is typically seen when attempting to manage the puppet-agent package using the Chocolatey package provider. The MSI installer shuts down any running Puppet services, which shuts down Chocolatey as well, leaving the MSI to complete the install. Then when checked in subsequent runs, Chocolatey sees the package installation as pending and removes it, causing it to push through a second run of the package installation and MSI installer, triggering the behavior. For more details, see https://tickets.puppetlabs.com/browse/PA-2075?focusedCommentId=566084&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-566084 <https://tickets.puppetlabs.com/browse/PA-2075?focusedCommentId=566084&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-566084>.Note that the Foreman puppet module <https://github.com/theforeman/puppet-puppet> uses the chocolatey package provider to upgrade puppet-agent by default on Windows. Therefore, it is likely that Foreman users that tried to upgrade puppet-agent on Windows to these affected versions were impacted by this issue.What actions is Puppet taking?We have removed these installers from our public download locations. We have a fix merged, which is currently undergoing testing and will be released as soon as that is completed. How can I fix affected Windows nodes?Due to the nature of the problem, it's difficult for Puppet to give direct advice. If the installation process was aborted early, only some directories would have their owner changed. If the installation process completed, all directories would have their permissions changed.* If you have a support agreement with Puppet and need assistance, please contact us through https://support.puppet.com <https://support.puppet.com>* If you have a support agreement with Microsoft, they may be able to assist you with specific errors in your Windows environment.* We sincerely apologise for the inconvenience. Larissa Lane Product Manager, Puppet On Fri, Jun 8, 2018 at 9:25 PM, Rob Braden <brad...@puppet.com> wrote: > > > > > > > *Dear Puppet and PE customers,We discovered a critical corruptive > permissions issue with the Windows packages for puppet-agent 1.10.13, > 5.3.7, and 5.5.2. We have taken down these builds and the associated Puppet > Enterprise releases that contain them: 2016.4.12, 2017.3.7, and 2018.1.1. > If you have already downloaded these versions, please do not install them > or use them to upgrade any Windows agents. In some instances, the Windows > installer is resetting permissions incorrectly across the node’s > filesystem. It’s not clear that it affects 100% of installs. These releases > included security fixes. If you have already installed or upgraded, the > code in this gist > <https://gist.github.com/Iristyle/471e9c083c51a0bd65e7423f924dea4e> can be > run to remediate an unsafe permissions issue on Windows that was addressed > in the pulled releases (CVE-2018-6513).We are working very hard to ship > updated builds as soon as they are available. Please follow this thread or > the Puppet Agent ticket <https://tickets.puppetlabs.com/browse/PA-2075> for > updates.Our sincere apologies for the inconvenience.Thanks,* > Rob Braden > Puppet Release Team > > -- > You received this message because you are subscribed to the Google Groups > "Puppet Enterprise Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to pe-users+unsubscr...@puppet.com. > Visit this group at https://groups.google.com/a/puppet.com/group/pe-users/ > . > -- *Larissa Lane* Product Manager Mobile: +1 503-428-2500 lari...@puppet.com -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAMRqdQ0AsW%3DUYWrD05%3DBJwMTj4ga%3DQD6jxaS7odvgx0Cjf0R7Q%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
