← Back to branch summary

~ubuntu-branches/ubuntu/quantal/puppet/quantal-security

~ubuntu-branches/ubuntu/quantal/puppet/quantal-security

« back to all changes in this revision

Viewing changes to .pc/CVE-2011-3872.patch/spec/unit/indirector/certificate_request/ca_spec.rb

Committer: Bazaar Package Importer
Author(s): Marc Deslauriers
Date: 2011-10-24 15:05:12 UTC
Revision ID: james.westby@ubuntu.com-20111024150512-yxqwfdp6hcs6of5l

Tags: 2.7.1-1ubuntu3.2

* SECURITY UPDATE: puppet master impersonation via incorrect certificates
  - debian/patches/CVE-2011-3872.patch: refactor certificate handling.
  - Thanks to upstream for providing the patch.
  - CVE-2011-3872

files added:
.pc/CVE-2011-3872.patch

.pc/CVE-2011-3872.patch/acceptance

.pc/CVE-2011-3872.patch/acceptance/tests

.pc/CVE-2011-3872.patch/acceptance/tests/ticket_5477_master_not_dectect_sitepp.rb

.pc/CVE-2011-3872.patch/acceptance/tests/ticket_7117_broke_env_criteria_authconf.rb

.pc/CVE-2011-3872.patch/lib

.pc/CVE-2011-3872.patch/lib/puppet

.pc/CVE-2011-3872.patch/lib/puppet/application

.pc/CVE-2011-3872.patch/lib/puppet/application/cert.rb

.pc/CVE-2011-3872.patch/lib/puppet/application/kick.rb

.pc/CVE-2011-3872.patch/lib/puppet/defaults.rb

.pc/CVE-2011-3872.patch/lib/puppet/face

.pc/CVE-2011-3872.patch/lib/puppet/face/certificate.rb

.pc/CVE-2011-3872.patch/lib/puppet/network

.pc/CVE-2011-3872.patch/lib/puppet/network/client

.pc/CVE-2011-3872.patch/lib/puppet/network/client.rb

.pc/CVE-2011-3872.patch/lib/puppet/network/client/ca.rb

.pc/CVE-2011-3872.patch/lib/puppet/network/client/file.rb

.pc/CVE-2011-3872.patch/lib/puppet/network/client/proxy.rb

.pc/CVE-2011-3872.patch/lib/puppet/network/client/report.rb

.pc/CVE-2011-3872.patch/lib/puppet/network/client/runner.rb

.pc/CVE-2011-3872.patch/lib/puppet/network/client/status.rb

.pc/CVE-2011-3872.patch/lib/puppet/network/handler

.pc/CVE-2011-3872.patch/lib/puppet/network/handler/ca.rb

.pc/CVE-2011-3872.patch/lib/puppet/network/handler/master.rb

.pc/CVE-2011-3872.patch/lib/puppet/network/handler/runner.rb

.pc/CVE-2011-3872.patch/lib/puppet/network/http_server

.pc/CVE-2011-3872.patch/lib/puppet/network/http_server/webrick.rb

.pc/CVE-2011-3872.patch/lib/puppet/network/xmlrpc

.pc/CVE-2011-3872.patch/lib/puppet/network/xmlrpc/client.rb

.pc/CVE-2011-3872.patch/lib/puppet/ssl

.pc/CVE-2011-3872.patch/lib/puppet/ssl/certificate.rb

.pc/CVE-2011-3872.patch/lib/puppet/ssl/certificate_authority

.pc/CVE-2011-3872.patch/lib/puppet/ssl/certificate_authority.rb

.pc/CVE-2011-3872.patch/lib/puppet/ssl/certificate_authority/interface.rb

.pc/CVE-2011-3872.patch/lib/puppet/ssl/certificate_factory.rb

.pc/CVE-2011-3872.patch/lib/puppet/ssl/certificate_request.rb

.pc/CVE-2011-3872.patch/lib/puppet/ssl/host.rb

.pc/CVE-2011-3872.patch/lib/puppet/sslcertificates

.pc/CVE-2011-3872.patch/lib/puppet/sslcertificates.rb

.pc/CVE-2011-3872.patch/lib/puppet/sslcertificates/ca.rb

.pc/CVE-2011-3872.patch/lib/puppet/sslcertificates/certificate.rb

.pc/CVE-2011-3872.patch/lib/puppet/sslcertificates/inventory.rb

.pc/CVE-2011-3872.patch/lib/puppet/sslcertificates/support.rb

.pc/CVE-2011-3872.patch/lib/puppet/type

.pc/CVE-2011-3872.patch/lib/puppet/type/file.rb

.pc/CVE-2011-3872.patch/lib/puppet/util

.pc/CVE-2011-3872.patch/lib/puppet/util/monkey_patches.rb

.pc/CVE-2011-3872.patch/lib/puppet/util/settings.rb

.pc/CVE-2011-3872.patch/spec

.pc/CVE-2011-3872.patch/spec/integration

.pc/CVE-2011-3872.patch/spec/integration/defaults_spec.rb

.pc/CVE-2011-3872.patch/spec/integration/network

.pc/CVE-2011-3872.patch/spec/integration/network/client_spec.rb

.pc/CVE-2011-3872.patch/spec/integration/network/handler_spec.rb

.pc/CVE-2011-3872.patch/spec/spec_helper.rb

.pc/CVE-2011-3872.patch/spec/unit

.pc/CVE-2011-3872.patch/spec/unit/face

.pc/CVE-2011-3872.patch/spec/unit/face/certificate_spec.rb

.pc/CVE-2011-3872.patch/spec/unit/indirector

.pc/CVE-2011-3872.patch/spec/unit/indirector/certificate_request

.pc/CVE-2011-3872.patch/spec/unit/indirector/certificate_request/ca_spec.rb

.pc/CVE-2011-3872.patch/spec/unit/network

.pc/CVE-2011-3872.patch/spec/unit/network/client_spec.rb

.pc/CVE-2011-3872.patch/spec/unit/network/handler

.pc/CVE-2011-3872.patch/spec/unit/network/handler/ca_spec.rb

.pc/CVE-2011-3872.patch/spec/unit/network/xmlrpc

.pc/CVE-2011-3872.patch/spec/unit/network/xmlrpc/client_spec.rb

.pc/CVE-2011-3872.patch/spec/unit/ssl

.pc/CVE-2011-3872.patch/spec/unit/ssl/certificate_authority

.pc/CVE-2011-3872.patch/spec/unit/ssl/certificate_authority/interface_spec.rb

.pc/CVE-2011-3872.patch/spec/unit/ssl/certificate_authority_spec.rb

.pc/CVE-2011-3872.patch/spec/unit/ssl/certificate_factory_spec.rb

.pc/CVE-2011-3872.patch/spec/unit/ssl/certificate_request_spec.rb

.pc/CVE-2011-3872.patch/spec/unit/ssl/certificate_spec.rb

.pc/CVE-2011-3872.patch/spec/unit/ssl/host_spec.rb

.pc/CVE-2011-3872.patch/spec/unit/sslcertificates

.pc/CVE-2011-3872.patch/spec/unit/sslcertificates/ca_spec.rb

.pc/CVE-2011-3872.patch/spec/unit/util

.pc/CVE-2011-3872.patch/spec/unit/util/settings_spec.rb

.pc/CVE-2011-3872.patch/test

.pc/CVE-2011-3872.patch/test/certmgr

.pc/CVE-2011-3872.patch/test/certmgr/certmgr.rb

.pc/CVE-2011-3872.patch/test/certmgr/inventory.rb

.pc/CVE-2011-3872.patch/test/certmgr/support.rb

.pc/CVE-2011-3872.patch/test/language

.pc/CVE-2011-3872.patch/test/language/functions.rb

.pc/CVE-2011-3872.patch/test/language/snippets.rb

.pc/CVE-2011-3872.patch/test/lib

.pc/CVE-2011-3872.patch/test/lib/puppettest

.pc/CVE-2011-3872.patch/test/lib/puppettest/exetest.rb

.pc/CVE-2011-3872.patch/test/lib/puppettest/servertest.rb

.pc/CVE-2011-3872.patch/test/network

.pc/CVE-2011-3872.patch/test/network/client

.pc/CVE-2011-3872.patch/test/network/client/ca.rb

.pc/CVE-2011-3872.patch/test/network/client/dipper.rb

.pc/CVE-2011-3872.patch/test/network/handler

.pc/CVE-2011-3872.patch/test/network/handler/ca.rb

.pc/CVE-2011-3872.patch/test/network/server

.pc/CVE-2011-3872.patch/test/network/server/mongrel_test.rb

.pc/CVE-2011-3872.patch/test/network/server/webrick.rb

.pc/CVE-2011-3872.patch/test/network/xmlrpc

.pc/CVE-2011-3872.patch/test/network/xmlrpc/client.rb

.pc/CVE-2011-3872.patch/test/rails

.pc/CVE-2011-3872.patch/test/rails/rails.rb

.pc/CVE-2011-3872.patch/test/ral

.pc/CVE-2011-3872.patch/test/ral/type

.pc/CVE-2011-3872.patch/test/ral/type/filesources.rb

debian/patches/CVE-2011-3872.patch

spec/unit/network/handler/ca_spec.rb

files removed:
lib/puppet/network/client

lib/puppet/network/client.rb

lib/puppet/network/client/ca.rb

lib/puppet/network/client/file.rb

lib/puppet/network/client/proxy.rb

lib/puppet/network/client/report.rb

lib/puppet/network/client/runner.rb

lib/puppet/network/client/status.rb

lib/puppet/network/http_server/webrick.rb

lib/puppet/network/xmlrpc/client.rb

lib/puppet/sslcertificates

lib/puppet/sslcertificates.rb

lib/puppet/sslcertificates/ca.rb

lib/puppet/sslcertificates/certificate.rb

lib/puppet/sslcertificates/inventory.rb

lib/puppet/sslcertificates/support.rb

spec/integration/network/client_spec.rb

spec/unit/network/client_spec.rb

spec/unit/network/xmlrpc

spec/unit/network/xmlrpc/client_spec.rb

spec/unit/sslcertificates

spec/unit/sslcertificates/ca_spec.rb

test/certmgr

test/certmgr/certmgr.rb

test/certmgr/inventory.rb

test/certmgr/support.rb

test/network/client

test/network/client/ca.rb

test/network/client/dipper.rb

test/network/handler/ca.rb

test/network/server

test/network/server/mongrel_test.rb

test/network/server/webrick.rb

test/network/xmlrpc/client.rb

files modified:
.pc/applied-patches

acceptance/tests/ticket_5477_master_not_dectect_sitepp.rb

acceptance/tests/ticket_7117_broke_env_criteria_authconf.rb

debian/changelog

debian/patches/series

lib/puppet/application/cert.rb

lib/puppet/application/kick.rb

lib/puppet/defaults.rb

lib/puppet/face/certificate.rb

lib/puppet/network/handler/ca.rb

lib/puppet/network/handler/master.rb

lib/puppet/network/handler/runner.rb

lib/puppet/ssl/certificate.rb

lib/puppet/ssl/certificate_authority.rb

lib/puppet/ssl/certificate_authority/interface.rb

lib/puppet/ssl/certificate_factory.rb

lib/puppet/ssl/certificate_request.rb

lib/puppet/ssl/host.rb

lib/puppet/type/file.rb

lib/puppet/util/monkey_patches.rb

lib/puppet/util/settings.rb

spec/integration/defaults_spec.rb

spec/integration/network/handler_spec.rb

spec/spec_helper.rb

spec/unit/face/certificate_spec.rb

spec/unit/indirector/certificate_request/ca_spec.rb

spec/unit/ssl/certificate_authority/interface_spec.rb

spec/unit/ssl/certificate_authority_spec.rb

spec/unit/ssl/certificate_factory_spec.rb

spec/unit/ssl/certificate_request_spec.rb

spec/unit/ssl/certificate_spec.rb

spec/unit/ssl/host_spec.rb

spec/unit/util/settings_spec.rb

test/language/functions.rb

test/language/snippets.rb

test/lib/puppettest/exetest.rb

test/lib/puppettest/servertest.rb

test/rails/rails.rb

test/ral/type/filesources.rb

Show diffs side-by-side

added added

removed removed

.pc/CVE-2011-3872.patch/spec/unit/indirector/certificate_request/ca_spec.rb

1

#!/usr/bin/env rspec

2

#

3

# Created by Luke Kanies on 2008-3-7.

4

# Copyright (c) 2007. All rights reserved.

5

6

require 'spec_helper'

7

8

require 'puppet/ssl/host'

9

require 'puppet/sslcertificates'

10

require 'puppet/sslcertificates/ca'

11

require 'puppet/indirector/certificate_request/ca'

12

13

describe Puppet::SSL::CertificateRequest::Ca do

14

include PuppetSpec::Files

15

16

before :each do

17

Puppet[:ssldir] = tmpdir('ssl')

18

19

Puppet::SSL::Host.ca_location = :local

20

Puppet[:localcacert] = Puppet[:cacert]

21

Puppet::SSLCertificates::CA.new.mkrootcert

22

23

@ca = Puppet::SSL::CertificateAuthority.new

24

end

25

26

after :all do

27

Puppet::SSL::Host.ca_location = :none

28

end

29

30

it "should have documentation" do

31

Puppet::SSL::CertificateRequest::Ca.doc.should be_instance_of(String)

32

end

33

34

it "should use the :csrdir as the collection directory" do

35

Puppet.settings.expects(:value).with(:csrdir).returns "/request/dir"

36

Puppet::SSL::CertificateRequest::Ca.collection_directory.should == "/request/dir"

37

end

38

39

it "should overwrite the previous certificate request if allow_duplicate_certs is true" do

40

Puppet[:allow_duplicate_certs] = true

41

host = Puppet::SSL::Host.new("foo")

42

host.generate_certificate_request

43

@ca.sign(host.name)

44

45

Puppet::SSL::Host.indirection.find("foo").generate_certificate_request

46

47

Puppet::SSL::Certificate.indirection.find("foo").name.should == "foo"

48

Puppet::SSL::CertificateRequest.indirection.find("foo").name.should == "foo"

49

Puppet::SSL::Host.indirection.find("foo").state.should == "requested"

50

end

51

52

it "should reject a new certificate request if allow_duplicate_certs is false" do

53

Puppet[:allow_duplicate_certs] = false

54

host = Puppet::SSL::Host.new("bar")

55

host.generate_certificate_request

56

@ca.sign(host.name)

57

58

expect { Puppet::SSL::Host.indirection.find("bar").generate_certificate_request }.should raise_error(/ignoring certificate request/)

59

60

Puppet::SSL::Certificate.indirection.find("bar").name.should == "bar"

61

Puppet::SSL::CertificateRequest.indirection.find("bar").should be_nil

62

Puppet::SSL::Host.indirection.find("bar").state.should == "signed"

63

end

64

end

Older »