Update on Puppet Agent and Puppet Enterprise releases: Thank you for your patience as we have been working around the clock to fix the Puppet Agent and Puppet Enterprise releases that we had to take down from our downloads site on Friday last week. The releases were taken down immediately after discovering a critical issue affecting Windows users who attempted to do an in-place upgrade of Puppet Agent using Chocolatey, due to an issue in the MSI package.
We have resolved the issue and have both Puppet Agent and PE releases tagged and ready for release tomorrow morning, US Pacific Daylight Time. A huge thank you to members of the Puppet community who helped us pinpoint the problem so quickly, along with the specific set of conditions that triggered the issue. If you are unclear on the supported options for upgrading Puppet Agent, please refer to our documentation <https://puppet.com/docs/pe/2018.1/upgrading/upgrading_agents.html>. Larissa Lane Product Manager, Puppet On Mon, Jun 11, 2018 at 6:30 PM, Larissa Lane <lari...@puppet.com> wrote: > *Puppet Windows Community:* > > > > > *On Friday, some users experienced changes to permissions when upgrading > Windows agents to one of the puppet-agent versions listed below using the > Chocolatey package manager. Since Friday, we have been working very hard to > resolve this issue. On Friday, all of the affected versions were removed > from our download site, soon after the issue was first reported.We > currently have a fix merged. We will ship updated packages as soon as they > are available. This issue appears to be limited to a very specific set of > circumstances that are described below. Please follow the Jira ticket > PA-2075 <https://tickets.puppetlabs.com/browse/PA-2075> if you are > interested in tracking progress on this issue.Affected versions:*Puppet > Agent 1.10.13, 5.3.7, and 5.5.2 > These Puppet Agent versions were included in Puppet Enterprise 2016.4.12, > 2017.3.7, and 2018.1.1 > > > > > > > > > > > *Overview of the issue:In specific circumstances, the Puppet Agent 5.5.2 > (and 1.10.13, 5.3.7) MSI installers were triggering a permissions change > unexpectedly. This issue does not occur when using our recommended method > for installing or upgrading > <https://puppet.com/docs/pe/2018.1/upgrading/upgrading_agents.html>the > Puppet Agent. This issue can be triggered if you attempt to run the MSI > installer for an affected version a second time from the command line when > that version is already installed. This is typically seen when attempting > to manage the puppet-agent package using the Chocolatey package provider. > The MSI installer shuts down any running Puppet services, which shuts down > Chocolatey as well, leaving the MSI to complete the install. Then when > checked in subsequent runs, Chocolatey sees the package installation as > pending and removes it, causing it to push through a second run of the > package installation and MSI installer, triggering the behavior. For more > details, see > https://tickets.puppetlabs.com/browse/PA-2075?focusedCommentId=566084&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-566084 > <https://tickets.puppetlabs.com/browse/PA-2075?focusedCommentId=566084&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-566084>.Note > that the Foreman puppet module > <https://github.com/theforeman/puppet-puppet> uses the chocolatey package > provider to upgrade puppet-agent by default on Windows. Therefore, it is > likely that Foreman users that tried to upgrade puppet-agent on Windows to > these affected versions were impacted by this issue.What actions is Puppet > taking?We have removed these installers from our public download locations. > We have a fix merged, which is currently undergoing testing and will be > released as soon as that is completed. How can I fix affected Windows > nodes?Due to the nature of the problem, it's difficult for Puppet to give > direct advice. If the installation process was aborted early, only some > directories would have their owner changed. If the installation process > completed, all directories would have their permissions changed.* If you > have a support agreement with Puppet and need assistance, please contact us > through https://support.puppet.com <https://support.puppet.com>* If you > have a support agreement with Microsoft, they may be able to assist you > with specific errors in your Windows environment.* > We sincerely apologise for the inconvenience. > > Larissa Lane > Product Manager, Puppet > > On Fri, Jun 8, 2018 at 9:25 PM, Rob Braden <brad...@puppet.com> wrote: > >> >> >> >> >> >> >> *Dear Puppet and PE customers,We discovered a critical corruptive >> permissions issue with the Windows packages for puppet-agent 1.10.13, >> 5.3.7, and 5.5.2. We have taken down these builds and the associated Puppet >> Enterprise releases that contain them: 2016.4.12, 2017.3.7, and 2018.1.1. >> If you have already downloaded these versions, please do not install them >> or use them to upgrade any Windows agents. In some instances, the Windows >> installer is resetting permissions incorrectly across the node’s >> filesystem. It’s not clear that it affects 100% of installs. These releases >> included security fixes. If you have already installed or upgraded, the >> code in this gist >> <https://gist.github.com/Iristyle/471e9c083c51a0bd65e7423f924dea4e> can be >> run to remediate an unsafe permissions issue on Windows that was addressed >> in the pulled releases (CVE-2018-6513).We are working very hard to ship >> updated builds as soon as they are available. Please follow this thread or >> the Puppet Agent ticket <https://tickets.puppetlabs.com/browse/PA-2075> for >> updates.Our sincere apologies for the inconvenience.Thanks,* >> Rob Braden >> Puppet Release Team >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Puppet Enterprise Users" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to pe-users+unsubscr...@puppet.com. >> Visit this group at https://groups.google.com/a/pu >> ppet.com/group/pe-users/. > > -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAMRqdQ2cpj%3D02n1EbdSaDvJnw%2BBWTn4BCZYqjtHDTT8LQ4vPfw%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
