Puppet Agent / PA-4101

Update date gem in puppet AIO packages

Details

    • Bug
    • Status: Closed
    • Normal
    • Resolution: Fixed
    • puppet-agent 7.12.0
    • Needs Assessment

    Description

      Hi,
      I'm not aware of a documented patching/update plan for ruby+gems in the AIO packages. CVE-2021-41817 (https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/) came out today and describes a denial of service vulnerability in the date gem. Puppet 7.12 ships that vulnerable version at the moment:

      root@puppet ~ # /opt/puppetlabs/puppet/bin/gem list date
       
      *** LOCAL GEMS ***
       
      date (default: 3.0.0)
      root@puppet ~ # dnf info puppet-agent
      Last metadata expiration check: 1:38:23 ago on Mon 15 Nov 2021 11:15:54 AM CET.
      Installed Packages
      Name         : puppet-agent
      Version      : 7.12.1
      Release      : 1.el8
      Architecture : x86_64
      Size         : 108 M
      Source       : puppet-agent-7.12.1-1.el8.src.rpm
      Repository   : @System
      From repo    : puppet7
      Summary      : The Puppet Agent package contains all of the elements needed to run puppet, including ruby, facter, and hiera.
      URL          : https://www.puppetlabs.com
      License      : See components
      Description  : The Puppet Agent package contains all of the elements needed to run puppet, including ruby, facter, and hiera.
                   :
                   : Contains the following components:
                   : cleanup
                   : facter 4.2.5
                   : hiera 3.7.0
                   : module-puppetlabs-augeas_core 1.1.2
                   : module-puppetlabs-cron_core 1.0.5
                   : module-puppetlabs-host_core 1.0.3
                   : module-puppetlabs-mount_core 1.0.4
                   : module-puppetlabs-scheduled_task 1.0.0
                   : module-puppetlabs-selinux_core 1.1.0
                   : module-puppetlabs-sshkeys_core 2.2.0
                   : module-puppetlabs-yumrepo_core 1.0.7
                   : module-puppetlabs-zfs_core 1.2.0
                   : module-puppetlabs-zone_core 1.0.3
                   : pl-ruby-patch
                   : puppet 7.12.1
                   : puppet-resource_api v1.8.14
                   : puppet-runtime 202109220
                   : pxp-agent 202109220
                   : shellpath 2015-09-18
                   : wrapper-script
       
      root@puppet ~ #
      

      Are there plans to update the package soon / will an updated date gem be available in the next regular Puppet AIO release?

      This probably affects Puppet 6 as well.
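
The check the report performs by hand, as an added Ruby example that is not part of the original ticket or of Puppet's tooling: it parses `gem list` output and flags `date` versions older than the fixed release on their release line. The fixed versions (2.0.1, 3.0.2, 3.1.2, 3.2.1) are an assumption taken from the ruby-lang.org advisory linked above, and the function names are hypothetical.

```ruby
require 'rubygems'

# Assumption: fixed releases per release line, from the ruby-lang.org advisory
# for CVE-2021-41817 linked in the report. Verify against the advisory.
FIXED_DATE_VERSIONS = %w[2.0.1 3.0.2 3.1.2 3.2.1].map { |v| Gem::Version.new(v) }.freeze

# Parse `gem list` output into { name => [Gem::Version, ...] }.
# Handles "date (default: 3.0.0)" and "date (3.0.2, default: 3.0.0)";
# banner, prompt and blank lines are skipped.
def parse_gem_list(output)
  output.each_line.with_object({}) do |line, gems|
    m = line.strip.match(/\A(\S+) \((.+)\)\z/) or next
    gems[m[1]] = m[2].split(',').map do |v|
      # Drop the "default:" marker and any trailing platform suffix.
      Gem::Version.new(v.sub('default:', '').strip.split.first)
    end
  end
end

# Vulnerable if older than the fixed release on the same major.minor line.
# Versions on an unlisted line are flagged unless newer than every fixed release.
def date_vulnerable?(version)
  fix = FIXED_DATE_VERSIONS.find { |f| f.segments[0, 2] == version.segments[0, 2] }
  fix ? version < fix : version < FIXED_DATE_VERSIONS.max
end

# Return every installed date gem version that is still vulnerable.
def vulnerable_date_gems(gem_list_output)
  parse_gem_list(gem_list_output).fetch('date', []).select { |v| date_vulnerable?(v) }
end

# Constructed sample: the `gem list date` output quoted in the report.
SAMPLE = <<~OUT
  *** LOCAL GEMS ***

  date (default: 3.0.0)
OUT

if __FILE__ == $PROGRAM_NAME
  # On an agent host, save the output of
  # /opt/puppetlabs/puppet/bin/gem list date to a file and pass its path.
  output = ARGV.empty? ? SAMPLE : File.read(ARGV[0])
  bad = vulnerable_date_gems(output)
  puts bad.empty? ? 'date gem: no vulnerable version found' : "date gem vulnerable: #{bad.join(', ')}"
end
```

When a fixed version is installed alongside the old default gem, the default entry is still reported, because code that loads the default gem keeps using the old parser.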

            People

              Unassigned Unassigned
              bastelfreak Tim Meusel