Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-10238

Change strict_hostname_checking to true

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: PUP 7.0.0, PUP 5.5.19, PUP 6.13.0
    • Component/s: None
    • Labels:
      None
    • Template:
      PUP Bug Template
    • Team:
      Froyo
    • CVE-ID:
      CVE-2020-7942
    • Method Found:
      Needs Assessment
    • QA Risk Assessment:
      Needs Assessment

      Description

      the decision was to change the default for strict_hostname_checking from false to true in the next release and to remove the option entirely (and only allow strict hostname checking) in Puppet 7. This would include an advisory that users not upgrading should change strict_hostname_checking to true.

      For those who want the previous insecure behavior for the remainder of the 6 series they may disable strict_hostname_checking. However they are encouraged to switch to the preferred way to have that functionality in 7 now. For those users that want to classify their nodes using the CN but with partial segment matching they should switch their node declarations to use regexes. For those users that want to include hostname, fqdn, or domain facts in their classification schemes they should do so explicitly in a default node block. (I can create example manifests if desired)

      The rationale for this, is that partial segment matching could also be considered insecure (don't have a rating for it though), there are more explicit ways to match partial CNs or facts in a site.pp (see above workarounds), and other options don't allow for users to opt out of the security fixes (should they be relying on this behavior) in the short term.

       

      Because this is a documented option (though inherently insecure) I will do this work with a PR to the open source repo (not a private fork), but w/o reference to the CVE. I will open this PR towards the end of the normal release cycle as well.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              justin Justin Stoller
              Reporter:
              josh Josh Cooper
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Zendesk Support