puppet-module-puppetlabs-apache: CVE-2017-2299: Possible TLS trust misconfiguration

Related Vulnerabilities: CVE-2017-2299  

Debian Bug report logs - #875983

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 16 Sep 2017 21:03:01 UTC

Severity: important

Tags: patch, security, upstream

Found in version puppet-module-puppetlabs-apache/1.1.1-1

Fixed in version puppet-module-puppetlabs-apache/3.0.0-1

Done: Sebastien Badia <sbadia@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Puppet Package Maintainers <pkg-puppet-devel@lists.alioth.debian.org>:
Bug#875983; Package src:puppet-module-puppetlabs-apache. (Sat, 16 Sep 2017 21:03:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Puppet Package Maintainers <pkg-puppet-devel@lists.alioth.debian.org>. (Sat, 16 Sep 2017 21:03:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: puppet-module-puppetlabs-apache: CVE-2017-2299: Possible TLS trust misconfiguration
Date: Sat, 16 Sep 2017 23:01:24 +0200
Source: puppet-module-puppetlabs-apache
Version: 1.1.1-1
Severity: important
Tags: security upstream patch

Hi,

the following vulnerability was published for puppet-module-puppetlabs-apache.

CVE-2017-2299[0]:
| Versions of the puppetlabs-apache module prior to 1.11.1 and 2.1.0
| make it very easy to accidentally misconfigure TLS trust. If you
| specify the `ssl_ca` parameter but do not specify the `ssl_certs_dir`
| parameter, a default will be provided for the `ssl_certs_dir` that
| will trust certificates from any of the system-trusted certificate
| authorities. This did not affect FreeBSD.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-2299
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2299
[1] https://puppet.com/security/cve/CVE-2017-2299
[2] https://github.com/puppetlabs/puppetlabs-apache/commit/7bb35c2293c12ce52329a4391fe1f20389efef06

Regards,
Salvatore

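The misconfiguration the advisory describes, written out as a Puppet manifest. This is an added example, not code from the bug report or from the puppetlabs-apache module; it assumes the module's `apache::vhost` defined type and its `ssl`, `ssl_cert`, `ssl_key` and `ssl_verify_client` parameters (only `ssl_ca` and `ssl_certs_dir` are named in the advisory), and all paths and hostnames are constructed placeholders.

```puppet
# Added example (not from the bug report or the puppetlabs-apache module).
# Assumes apache::vhost from puppetlabs-apache; hostnames and paths are
# constructed placeholders.

# 1) The pattern flagged by CVE-2017-2299: ssl_ca is given, ssl_certs_dir is not.
#    On affected module versions (before 1.11.1 / 2.1.0, per the advisory) a
#    default ssl_certs_dir is filled in that points at the system-trusted CA
#    store, so a client certificate issued by ANY system-trusted CA satisfies
#    the verification below, not only one issued by the private CA in ssl_ca.
apache::vhost { 'api.example.internal (affected pattern)':
  servername        => 'api.example.internal',
  port              => 443,
  docroot           => '/var/www/api',
  ssl               => true,
  ssl_cert          => '/etc/ssl/private/api.example.internal.crt',
  ssl_key           => '/etc/ssl/private/api.example.internal.key',
  ssl_ca            => '/etc/ssl/private/internal-client-ca.pem',
  ssl_verify_client => 'require',
  # ssl_certs_dir intentionally absent: this is the misconfiguration.
}

# 2) Corrected: state ssl_certs_dir explicitly and point it at a directory that
#    contains only the intended CA (hashed for mod_ssl, e.g. with c_rehash), so
#    the trust anchor set is exactly what the operator expects. Upgrading the
#    module to 1.11.1 / 2.1.0 or later (per the advisory) removes the unsafe
#    default; setting the parameter explicitly is safe on every version.
apache::vhost { 'api.example.internal':
  servername        => 'api.example.internal',
  port              => 443,
  docroot           => '/var/www/api',
  ssl               => true,
  ssl_cert          => '/etc/ssl/private/api.example.internal.crt',
  ssl_key           => '/etc/ssl/private/api.example.internal.key',
  ssl_ca            => '/etc/ssl/private/internal-client-ca.pem',
  ssl_certs_dir     => '/etc/ssl/internal-client-ca.d',
  ssl_verify_client => 'require',
}
```

A quick check after applying either manifest is to read the rendered vhost file and look at the `SSLCACertificatePath` directive mod_ssl ends up with: if it names the distribution's system CA directory while `SSLCACertificateFile` names a private CA, the host is in the state the advisory warns about, because mod_ssl accepts chains terminating in either location.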


Reply sent to Sebastien Badia <sbadia@debian.org>:
You have taken responsibility. (Wed, 21 Mar 2018 12:39:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 21 Mar 2018 12:39:07 GMT)


Message #10 received at 875983-close@bugs.debian.org:

From: Sebastien Badia <sbadia@debian.org>
To: 875983-close@bugs.debian.org
Subject: Bug#875983: fixed in puppet-module-puppetlabs-apache 3.0.0-1
Date: Wed, 21 Mar 2018 12:36:09 +0000
Source: puppet-module-puppetlabs-apache
Source-Version: 3.0.0-1

We believe that the bug you reported is fixed in the latest version of
puppet-module-puppetlabs-apache, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 875983@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastien Badia <sbadia@debian.org> (supplier of updated puppet-module-puppetlabs-apache package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 21 Mar 2018 13:17:06 +0100
Source: puppet-module-puppetlabs-apache
Binary: puppet-module-puppetlabs-apache
Architecture: source
Version: 3.0.0-1
Distribution: unstable
Urgency: medium
Maintainer: Puppet Package Maintainers <pkg-puppet-devel@lists.alioth.debian.org>
Changed-By: Sebastien Badia <sbadia@debian.org>
Description:
 puppet-module-puppetlabs-apache - Puppet module for Apache
Closes: 875983 892683 892862
Changes:
 puppet-module-puppetlabs-apache (3.0.0-1) unstable; urgency=medium
 .
   [ Thomas Bechtold ]
   * Remove myself from Uploaders (Closes: #892683)
 .
   [ Sebastien Badia ]
   * New upstream version 3.0.0 (Closes: #875983, #892862)
   * d/compat: Bump compat version to 11
   * d/control:
     + Bump to Standards-Version 4.1.3 (no changes needed)
     + Use salsa.debian.org in Vcs-* fields
     + Fix description capitalization-error-in-description-synopsis
     + Remove unnecessary-testsuite-autopkgtest-field
     + Added myself as Uploaders
   * d/watch: Bump to version 4 and use HTTPS for URI
   * d/copyright: Update copyright years and use HTTPS for URI
   * d/copyright: Fix copyright globing (lintian)
   * d/docs: Add missing NOTICE file (for Apache2 license)
   * d/upstream: Added Upstream metadata
   * d/examples: Ship examples files
   * d/rules: Fix permissions (override_dh_fixperms)
Checksums-Sha1:
 4151ea03664c780efb5d6312d86689f6424244f3 2261 puppet-module-puppetlabs-apache_3.0.0-1.dsc
 e801d8005d9e7e5c05e2e2914a57660f137c8ebb 288281 puppet-module-puppetlabs-apache_3.0.0.orig.tar.gz
 8c62053f8b5c8b10760e9b51e8b460c3632e66c2 3804 puppet-module-puppetlabs-apache_3.0.0-1.debian.tar.xz
 9e92b58cba586962bb9af510d23f2e7f3ceaaa93 5518 puppet-module-puppetlabs-apache_3.0.0-1_source.buildinfo
Checksums-Sha256:
 c6b6f4863a16b827a83710a9c08c20b0a1150cbd54d05fd21b09ff7a39845cd4 2261 puppet-module-puppetlabs-apache_3.0.0-1.dsc
 190d6dc2949688e9545b8ca05cedd124ad23fe792bd8a950b0fe5333f16af4ba 288281 puppet-module-puppetlabs-apache_3.0.0.orig.tar.gz
 ed3f47abec8de8bc4271122e7c4aa73c0fe188578e42e9fac1938471295281c7 3804 puppet-module-puppetlabs-apache_3.0.0-1.debian.tar.xz
 a37d6739cc9665c06e95719500cd808b8b3172ab4471cd1767d9a21a9c6b95e1 5518 puppet-module-puppetlabs-apache_3.0.0-1_source.buildinfo
Files:
 50e21ae45a985fa54c777ebc7f002f1e 2261 admin optional puppet-module-puppetlabs-apache_3.0.0-1.dsc
 25f739931e869160bd0cc532a7d1617a 288281 admin optional puppet-module-puppetlabs-apache_3.0.0.orig.tar.gz
 18da04590a5b6efd81e645549ca2ac1e 3804 admin optional puppet-module-puppetlabs-apache_3.0.0-1.debian.tar.xz
 f158b46636d7cd3b4b6a933e864c3a21 5518 admin optional puppet-module-puppetlabs-apache_3.0.0-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 10 May 2018 07:32:03 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:21:49 2019; Machine Name: buxtehude
