[Bug 1068145] [NEW] Fix for CVE-2012-3867 (puppet) is too restrictive - TLS certificates now break
Adam Stokes
adam.stokes at canonical.com
Thu Oct 18 14:08:11 UTC 2012
Public bug reported:
1. Description of the problem:
On 12.04, for package 'puppet', the fix (contained in version
2.7.11-1ubuntu2.1) for CVE-2012-3867 [1] involves validating TLS
certificate CSR field (Common Name) for “weird” characters. However, the
check is too restrictive and is causing negotiation failure with
legitimately-configured certificates:
===
warning: peer certificate won't be verified in this SSL session
err: Could not request certificate: Certname "/c=mlkambi root certificate authority" must not contain unprintable or non-ASCII characters
Exiting; failed to retrieve certificate and waitforcert is disabled
===
Here, puppet is choking on the '/' and maybe the '=' character.
The issue has been confirmed in an upstream bug [2].
[1]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3867
[2]: http://projects.puppetlabs.com/issues/15561
2. Ubuntu release, software version, Release Number and Architecture of
the selected components.
Ubuntu 12.04
puppet-2.7.11-1ubuntu2.1
amd64
3. How reproducible is the problem?
100%
5. Known Workaround:
downgrade to puppet-2.7.11-1ubuntu2
** Affects: puppet (Ubuntu)
Importance: High
Status: New
** Changed in: puppet (Ubuntu)
Milestone: ubuntu-12.04.2 => None
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3867
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to puppet in Ubuntu.
https://bugs.launchpad.net/bugs/1068145
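Added example (not Puppet's code and not part of the report above): two hypothetical certname checks in Ruby, the rule the error message describes versus a stricter variant that also refuses '/', applied to the certname quoted in the report to show which characters each check rejects.

```ruby
# Added example, not code from Puppet or from the bug report. It contrasts
# two hypothetical certname checks: one enforcing only what the error
# message states ("must not contain unprintable or non-ASCII characters"),
# and one that additionally refuses '/', then shows which characters of
# the certname quoted in the report each check objects to.

REPORTED_CERTNAME = "/c=mlkambi root certificate authority" # quoted from the report

# Intended rule: every byte must be printable 7-bit ASCII (0x20..0x7E).
# Control characters (including ESC, which starts terminal escape
# sequences) and any non-ASCII byte are rejected; '/' and '=' pass.
def certname_printable_ascii?(name)
  return false if name.nil? || name.empty?
  name.each_byte.all? { |b| b.between?(0x20, 0x7E) }
end

# Hypothetical stricter variant (an assumption, not Puppet's actual check):
# same rule, but '/' is also refused, e.g. because a certname later becomes
# a file name on the CA. A certname beginning with '/', like the reported
# one, fails here while still being plain printable ASCII.
def certname_no_separator?(name)
  certname_printable_ascii?(name) && !name.include?("/")
end

# Tests each distinct character on its own and returns those the given
# check refuses, so a whole-name rejection can be traced to the exact
# characters responsible.
def rejected_chars(name, &check)
  name.chars.uniq.reject { |c| check.call(c) }
end

if __FILE__ == $0
  puts "intended rule rejects:    #{rejected_chars(REPORTED_CERTNAME) { |c| certname_printable_ascii?(c) }.inspect}"
  puts "stricter variant rejects: #{rejected_chars(REPORTED_CERTNAME) { |c| certname_no_separator?(c) }.inspect}"
  puts "ESC sequence rejected by intended rule: #{!certname_printable_ascii?("agent\e[31m")}"
end
```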