*Puppet Windows Community:*



*On Friday, some users experienced changes to permissions when upgrading
Windows agents to one of the puppet-agent versions listed below using the
Chocolatey package manager. Since Friday, we have been working very hard to
resolve this issue.  On Friday, all of the affected versions were removed
from our download site, soon after the issue was first reported.We
currently have a fix merged. We will ship updated packages as soon as they
are available. This issue appears to be limited to a very specific set of
circumstances that are described below. Please follow the Jira ticket
PA-2075 <https://tickets.puppetlabs.com/browse/PA-2075> if you are
interested in tracking progress on this issue.Affected versions:*Puppet
Agent 1.10.13, 5.3.7, and 5.5.2
These Puppet Agent versions were included in Puppet Enterprise 2016.4.12,
2017.3.7, and 2018.1.1










*Overview of the issue:In specific circumstances, the Puppet Agent 5.5.2
(and 1.10.13, 5.3.7) MSI installers were triggering a permissions change
unexpectedly. This issue does not occur when using our recommended method
for installing or upgrading
<https://puppet.com/docs/pe/2018.1/upgrading/upgrading_agents.html>the
Puppet Agent. This issue can be triggered if you attempt to run the MSI
installer for an affected version a second time from the command line when
that version is already installed. This is typically seen when attempting
to manage the puppet-agent package using the Chocolatey package provider.
The MSI installer shuts down any running Puppet services, which shuts down
Chocolatey as well, leaving the MSI to complete the install. Then when
checked in subsequent runs, Chocolatey sees the package installation as
pending and removes it, causing it to push through a second run of the
package installation and MSI installer, triggering the behavior. For more
details, see
https://tickets.puppetlabs.com/browse/PA-2075?focusedCommentId=566084&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-566084
<https://tickets.puppetlabs.com/browse/PA-2075?focusedCommentId=566084&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-566084>.Note
that the Foreman puppet module
<https://github.com/theforeman/puppet-puppet> uses the chocolatey package
provider to upgrade puppet-agent by default on Windows. Therefore, it is
likely that Foreman users that tried to upgrade puppet-agent on Windows to
these affected versions were impacted by this issue.What actions is Puppet
taking?We have removed these installers from our public download locations.
We have a fix merged, which is currently undergoing testing and will be
released as soon as that is completed.  How can I fix affected Windows
nodes?Due to the nature of the problem, it's difficult for Puppet to give
direct advice. If the installation process was aborted early, only some
directories would have their owner changed. If the installation process
completed, all directories would have their permissions changed.* If you
have a support agreement with Puppet and need assistance, please contact us
through https://support.puppet.com <https://support.puppet.com>* If you
have a support agreement with Microsoft, they may be able to assist you
with specific errors in your Windows environment.*
We sincerely apologise for the inconvenience.

Larissa Lane
Product Manager, Puppet

On Fri, Jun 8, 2018 at 9:25 PM, Rob Braden <brad...@puppet.com> wrote:

>
>
>
>
>
>
> *Dear Puppet and PE customers,We discovered a critical corruptive
> permissions issue with the Windows packages for puppet-agent 1.10.13,
> 5.3.7, and 5.5.2. We have taken down these builds and the associated Puppet
> Enterprise releases that contain them: 2016.4.12, 2017.3.7, and 2018.1.1.
> If you have already downloaded these versions, please do not install them
> or use them to upgrade any Windows agents. In some instances, the Windows
> installer is resetting permissions incorrectly across the node’s
> filesystem. It’s not clear that it affects 100% of installs. These releases
> included security fixes. If you have already installed or upgraded, the
> code in this gist
> <https://gist.github.com/Iristyle/471e9c083c51a0bd65e7423f924dea4e> can be
> run to remediate an unsafe permissions issue on Windows that was addressed
> in the pulled releases (CVE-2018-6513).We are working very hard to ship
> updated builds as soon as they are available. Please follow this thread or
> the Puppet Agent ticket <https://tickets.puppetlabs.com/browse/PA-2075> for
> updates.Our sincere apologies for the inconvenience.Thanks,*
> Rob Braden
> Puppet Release Team
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Enterprise Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to pe-users+unsubscr...@puppet.com.
> Visit this group at https://groups.google.com/a/puppet.com/group/pe-users/
> .
>



-- 
*Larissa Lane*
Product Manager
Mobile: +1 503-428-2500
lari...@puppet.com

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAMRqdQ0AsW%3DUYWrD05%3DBJwMTj4ga%3DQD6jxaS7odvgx0Cjf0R7Q%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to