Security update for puppetSUSE Patchsecurity@suse.deSUSE Security TeamSUSE-SU-2020:1057-1Final112020-04-21T15:14:10Zcurrent2020-04-21T15:14:10Z2020-04-21T15:14:10Zcve-database/bin/generate-cvrf.pl2017-02-24T01:00:00ZSecurity update for puppetThis update for puppet fixes the following issues: - CVE-2020-7942: Added a warning for a vulnerable configuration option, which could allow for information disclosure in certain setups. Disabling it my break some setups. (bsc#1167645) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).SUSE-2020-1057,SUSE-SLE-Module-Adv-Systems-Management-12-2020-1057Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)https://www.suse.com/support/update/announcement/2020/suse-su-20201057-1/Link for SUSE-SU-2020:1057-1https://lists.suse.com/pipermail/sle-security-updates/2020-April/006721.htmlE-Mail link for SUSE-SU-2020:1057-1https://www.suse.com/support/security/rating/SUSE Security Ratingshttps://bugzilla.suse.com/1167645SUSE Bug 1167645https://www.suse.com/security/cve/CVE-2020-7942/SUSE CVE CVE-2020-7942 pageSUSE Linux Enterprise Module for Advanced Systems Management 12puppet-3.8.5-15.12.1puppet-server-3.8.5-15.12.1puppet-3.8.5-15.12.1 as a component of SUSE Linux Enterprise Module for Advanced Systems Management 12puppet-server-3.8.5-15.12.1 as a component of SUSE Linux Enterprise Module for Advanced Systems Management 12Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the `default` node, the catalog can be retrieved for a different node by modifying facts for the Puppet run. This issue can be mitigated by setting `strict_hostname_checking = true` in `puppet.conf` on your Puppet master. Puppet 6.13.0 and 5.5.19 changes the default behavior for strict_hostname_checking from false to true. It is recommended that Puppet Open Source and Puppet Enterprise users that are not upgrading still set strict_hostname_checking to true to ensure secure behavior. Affected software versions: Puppet 6.x prior to 6.13.0 Puppet Agent 6.x prior to 6.13.0 Puppet 5.5.x prior to 5.5.19 Puppet Agent 5.5.x prior to 5.5.19 Resolved in: Puppet 6.13.0 Puppet Agent 6.13.0 Puppet 5.5.19 Puppet Agent 5.5.19CVE-2020-7942SUSE Linux Enterprise Module for Advanced Systems Management 12:puppet-3.8.5-15.12.1SUSE Linux Enterprise Module for Advanced Systems Management 12:puppet-server-3.8.5-15.12.1moderate4AV:N/AC:L/Au:S/C:P/I:N/A:NTo install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20201057-1/https://www.suse.com/security/cve/CVE-2020-7942.htmlCVE-2020-7942https://bugzilla.suse.com/1167645SUSE Bug 1167645