Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-10238

Change strict_hostname_checking to true



    • Bug
    • Status: Resolved
    • Normal
    • Resolution: Fixed
    • None
    • PUP 7.0.0, PUP 5.5.19, PUP 6.13.0
    • None
    • None
    • Froyo
    • CVE-2020-7942
    • Needs Assessment
    • Needs Assessment


      the decision was to change the default for strict_hostname_checking from false to true in the next release and to remove the option entirely (and only allow strict hostname checking) in Puppet 7. This would include an advisory that users not upgrading should change strict_hostname_checking to true.

      For those who want the previous insecure behavior for the remainder of the 6 series they may disable strict_hostname_checking. However they are encouraged to switch to the preferred way to have that functionality in 7 now. For those users that want to classify their nodes using the CN but with partial segment matching they should switch their node declarations to use regexes. For those users that want to include hostname, fqdn, or domain facts in their classification schemes they should do so explicitly in a default node block. (I can create example manifests if desired)

      The rationale for this, is that partial segment matching could also be considered insecure (don't have a rating for it though), there are more explicit ways to match partial CNs or facts in a site.pp (see above workarounds), and other options don't allow for users to opt out of the security fixes (should they be relying on this behavior) in the short term.


      Because this is a documented option (though inherently insecure) I will do this work with a PR to the open source repo (not a private fork), but w/o reference to the CVE. I will open this PR towards the end of the normal release cycle as well.


        Issue Links



              justin Justin Stoller
              josh Josh Cooper
              0 Vote for this issue
              2 Start watching this issue



                Zendesk Support