CVE-2020-7942

Priority
Description
Previously, Puppet operated on a model that a node with a valid certificate
was entitled to all information in the system and that a compromised
certificate allowed access to everything in the infrastructure. When a
node's catalog falls back to the `default` node, the catalog can be
retrieved for a different node by modifying facts for the Puppet run. This
issue can be mitigated by setting `strict_hostname_checking = true` in
`puppet.conf` on your Puppet master. Puppet 6.13.0 and 5.5.19 change the
default behavior for `strict_hostname_checking` from false to true. It is
recommended that Puppet Open Source and Puppet Enterprise users who are
not upgrading still set `strict_hostname_checking` to true to ensure secure
behavior.

Affected software versions:
Puppet 6.x prior to 6.13.0
Puppet Agent 6.x prior to 6.13.0
Puppet 5.5.x prior to 5.5.19
Puppet Agent 5.5.x prior to 5.5.19

Resolved in:
Puppet 6.13.0
Puppet Agent 6.13.0
Puppet 5.5.19
Puppet Agent 5.5.19
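
The check below is an added example, not code from Puppet or from this tracker: it reads a `puppet.conf` and a Puppet version and reports whether `strict_hostname_checking` is effectively true, using the version thresholds given in the description. The function names, the sample configurations and the rule that `[master]` overrides `[main]` are assumptions of this example.

```python
import configparser

SETTING = "strict_hostname_checking"

def default_is_strict(version):
    """Default value by version, using only the thresholds in the description."""
    v = tuple(int(p) for p in version.strip().split(".")[:3])
    v = (v + (0, 0, 0))[:3]          # pad "6.13" to (6, 13, 0)
    if v[:2] == (5, 5):
        return v >= (5, 5, 19)
    if v[0] == 6:
        return v >= (6, 13, 0)
    return None                      # series not covered by the description

def effective_setting(conf_text, version):
    """Return (value, source); an explicit setting wins over the default."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    # Assumption: on the master, [master] takes precedence over [main].
    for section in ("master", "main"):
        if cp.has_option(section, SETTING):
            value = cp.get(section, SETTING).strip().lower() == "true"
            return value, f"[{section}]"
    return default_is_strict(version), "default"

def audit(conf_text, version):
    """Classify a master as mitigated, not-mitigated or unknown."""
    value, source = effective_setting(conf_text, version)
    if value is None:
        return "unknown", source
    return ("mitigated" if value else "not-mitigated"), source

# Constructed sample configurations (not taken from a real system).
SAMPLE_UNSET = "[main]\ncertname = puppet.example.test\n"
SAMPLE_SET = SAMPLE_UNSET + "[master]\nstrict_hostname_checking = true\n"
SAMPLE_OFF = ("[main]\nstrict_hostname_checking = true\n"
              "[master]\nstrict_hostname_checking = false\n")

if __name__ == "__main__":
    cases = [("unset", SAMPLE_UNSET, "6.12.0"), ("unset", SAMPLE_UNSET, "6.13.0"),
             ("set", SAMPLE_SET, "5.5.18"), ("off", SAMPLE_OFF, "6.13.0")]
    for name, conf, ver in cases:
        print(name, ver, audit(conf, ver))
```
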
Notes
ebarretto: Only affects Puppet 6.x prior to 6.13.0
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): not-affected (code not present)
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (code not present)
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (code not present)
Ubuntu 20.04 LTS (Focal Fossa): not-affected (code not present)
More Information

Updated: 2020-09-10 06:38:02 UTC (commit 81a23a978c4436cd99e1d040e9e73e9146876281)