Security update for puppet SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2020:1057-1 Final 1 1 2020-04-21T15:14:10Z current 2020-04-21T15:14:10Z 2020-04-21T15:14:10Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for puppet This update for puppet fixes the following issues: - CVE-2020-7942: Added a warning for a vulnerable configuration option, which could allow for information disclosure in certain setups. Disabling it my break some setups. (bsc#1167645) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2020-1057,SUSE-SLE-Module-Adv-Systems-Management-12-2020-1057 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2020/suse-su-20201057-1/ Link for SUSE-SU-2020:1057-1 https://lists.suse.com/pipermail/sle-security-updates/2020-April/006721.html E-Mail link for SUSE-SU-2020:1057-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1167645 SUSE Bug 1167645 https://www.suse.com/security/cve/CVE-2020-7942/ SUSE CVE CVE-2020-7942 page SUSE Linux Enterprise Module for Advanced Systems Management 12 puppet-3.8.5-15.12.1 puppet-server-3.8.5-15.12.1 puppet-3.8.5-15.12.1 as a component of SUSE Linux Enterprise Module for Advanced Systems Management 12 puppet-server-3.8.5-15.12.1 as a component of SUSE Linux Enterprise Module for Advanced Systems Management 12 Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the `default` node, the catalog can be retrieved for a different node by modifying facts for the Puppet run. This issue can be mitigated by setting `strict_hostname_checking = true` in `puppet.conf` on your Puppet master. Puppet 6.13.0 and 5.5.19 changes the default behavior for strict_hostname_checking from false to true. It is recommended that Puppet Open Source and Puppet Enterprise users that are not upgrading still set strict_hostname_checking to true to ensure secure behavior. Affected software versions: Puppet 6.x prior to 6.13.0 Puppet Agent 6.x prior to 6.13.0 Puppet 5.5.x prior to 5.5.19 Puppet Agent 5.5.x prior to 5.5.19 Resolved in: Puppet 6.13.0 Puppet Agent 6.13.0 Puppet 5.5.19 Puppet Agent 5.5.19 CVE-2020-7942 SUSE Linux Enterprise Module for Advanced Systems Management 12:puppet-3.8.5-15.12.1 SUSE Linux Enterprise Module for Advanced Systems Management 12:puppet-server-3.8.5-15.12.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20201057-1/ https://www.suse.com/security/cve/CVE-2020-7942.html CVE-2020-7942 https://bugzilla.suse.com/1167645 SUSE Bug 1167645