Resolution: Won't Fix
Affects Version/s: PUP 3.7.1
Fix Version/s: None
As a long-time Puppet user, I have a fairly bad /etc/apache2/sites-available/puppetmaster file. It accepts SSLv3, which we all know is a very bad idea (SSLv3 POODLE – I need not say more, I guess).
The /usr/share/puppetmaster-passenger/apache2.site.conf.tmpl file installed on my Puppet master seems to be a lot more secure.
The way that these files are handled on Debian makes it needlessly hard to get the improvements into production, though.
I think it would be better if /etc/apache2/sites-available/puppetmaster were re-created from apache2.site.conf.tmpl each time Puppet was upgraded. That way my installation would be kept secure when you fix new issues in the future.
I understand that you may not want to make such changes because the user may have edited the file in sites-available. But at least as long as it hasn't been touched by the user, it should be upgraded.
Failing that, it would be nicer if the installation created a file (say /usr/share/puppetmaster-passenger/apache2.site.conf) with all the edits that the postinst script does, so that it is easier for an admin to just copy that file to sites-available if he wants to get the new cipher settings.
The release notes for Puppet 3.7.0 should also have explained what an administrator needs to do to get the new secure settings that
I don't like that my system (which runs Puppet 3.7.1) is vulnerable to POODLE, even though a fresh install of Puppet 3.7.1 would have been safe.
My environment: Debian 7.6 (wheezy), using the main apt repo from http://apt.puppetlabs.com, with puppetmaster-passenger.
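An admin in this situation needs a quick way to tell whether the vhost file actually deployed under /etc/apache2/sites-available still permits SSLv3, independent of what the shipped template says. The following POSIX shell check is an added example, not part of the ticket or of the puppetmaster-passenger package: it reads the last SSLProtocol directive in a file and applies mod_ssl's token rules (a bare token replaces the set, "+tok" adds, "-tok" removes, and "all" includes SSLv3 on the Apache 2.2 generation shipped with wheezy). The two sample vhost fragments are constructed for the demonstration and only mimic the shape of a weak and a hardened site file; they are not copies of the real files.

```shell
#!/bin/sh
# Added example (not from the ticket or the package): report whether an Apache
# vhost file still permits SSLv3, the protocol POODLE targets.
#
# Only the LAST SSLProtocol directive in the file is evaluated, since later
# directives in the same context override earlier ones. Token semantics follow
# mod_ssl: a bare token replaces the protocol set, "+tok" adds to it, "-tok"
# removes from it, and "all" names every version mod_ssl knows (SSLv3 included
# on Apache 2.2 / Debian wheezy). Prints one of: allowed, blocked, unset.
sslv3_status() {
    conf="$1"
    # case-insensitive match on the directive name, lowercased for the token loop
    line=$(grep -i '^[[:space:]]*SSLProtocol[[:space:]]' "$conf" | tail -n 1 \
           | tr '[:upper:]' '[:lower:]')
    if [ -z "$line" ]; then
        echo unset          # no directive: mod_ssl's compiled-in default applies
        return 0
    fi
    tokens=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*sslprotocol[[:space:]]*//')
    state=0                 # 1 = SSLv3 currently enabled by the directive
    for tok in $tokens; do
        case "$tok" in
            all|sslv3)    state=1 ;;   # bare token: set replaced, SSLv3 in it
            +all|+sslv3)  state=1 ;;   # SSLv3 explicitly added
            -all|-sslv3)  state=0 ;;   # SSLv3 explicitly removed
            [+-]*)        ;;           # +/- of another version: SSLv3 unchanged
            *)            state=0 ;;   # bare other version: set replaced without SSLv3
        esac
    done
    if [ "$state" -eq 1 ]; then echo allowed; else echo blocked; fi
}

# Print "file: status" for every file given, e.g. /etc/apache2/sites-enabled/*
report() {
    for f in "$@"; do
        printf '%s: %s\n' "$f" "$(sslv3_status "$f")"
    done
}

# Constructed sample fragments (not the real puppetmaster-passenger files).
# WEAK_CONF has the "-ALL +SSLv3 +TLSv1" shape of an older site file.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
<VirtualHost *:8140>
    SSLEngine on
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
</VirtualHost>
EOF

# HARDENED_CONF enables everything and then subtracts the broken versions.
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
<VirtualHost *:8140>
    SSLEngine on
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
</VirtualHost>
EOF

# EXPLICIT_CONF lists the permitted versions directly, without "all".
EXPLICIT_CONF=$(mktemp)
cat > "$EXPLICIT_CONF" <<'EOF'
<VirtualHost *:8140>
    SSLEngine on
    SSLProtocol TLSv1 TLSv1.1 TLSv1.2
</VirtualHost>
EOF

report "$WEAK_CONF" "$HARDENED_CONF" "$EXPLICIT_CONF"
```

Pointing `report` at /etc/apache2/sites-enabled/* on the affected master gives a one-line verdict per vhost; a result of "allowed" on the puppetmaster site means the dpkg-preserved file, not the new template, is what Apache is serving with.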