Merge remote-tracking branch 'cve/cve/0.24.x/cve-2011-3872' into 0.24.x

2011-11-03 15:02:03 -07:00 · 2011-11-03 15:02:03 -07:00 · d94edd883e
--- a/lib/puppet/defaults.rb
+++ b/lib/puppet/defaults.rb
@ -168,9 +168,21 @@ module Puppet
            to the fully qualified domain name.",
            :call_on_define => true, # Call our hook with the default value, so we're always downcased
            :hook => proc { |value| raise(ArgumentError, "Certificate names must be lower case; see #1168") unless value == value.downcase }},
-        :certdnsnames => ['', "The DNS names on the Server certificate as a colon-separated list.
-            If it's anything other than an empty string, it will be used as an alias in the created
-            certificate.  By default, only the server gets an alias set up, and only for 'puppet'."],
+        :certdnsnames => {:default => '',
+            :desc => "The DNS names on the Server certificate as a
+            colon-separated list.  If it's anything other than an empty string,
+            it will be used as an alias in the created certificate.  By
+            default, only the server gets an alias set up, and only for
+            'puppet'.",
+            :hook => proc { |value|
+                msg = <<WARN
+The `certdnsnames` setting is no longer functional, after CVE-2011-3872. We
+ignore the value completely. See http://puppetlabs.com/security/cve/3872 for
+more information"
+WARN
+                puts msg if value and value != ''
+            }
+        },
        :certdir => ["$ssldir/certs", "The certificate directory."],
        :publickeydir => ["$ssldir/public_keys", "The public key directory."],
        :privatekeydir => { :default => "$ssldir/private_keys",
--- a/lib/puppet/sslcertificates.rb
+++ b/lib/puppet/sslcertificates.rb
@ -61,16 +61,7 @@ module Puppet::SSLCertificates
            key_usage = %w{cRLSign keyCertSign}
        when :server:
            basic_constraint = "CA:FALSE"
-            dnsnames = Puppet[:certdnsnames]
            name = hash[:name].to_s.sub(%r{/CN=},'')
-            if dnsnames != ""
-                dnsnames.split(':').each { |d| subject_alt_name << 'DNS:' + d }
-                subject_alt_name << 'DNS:' + name # Add the fqdn as an alias
-            elsif name == Facter.value(:fqdn) # we're a CA server, and thus probably the server
-                subject_alt_name << 'DNS:' + "puppet" # Add 'puppet' as an alias
-                subject_alt_name << 'DNS:' + name # Add the fqdn as an alias
-                subject_alt_name << 'DNS:' + name.sub(/^[^.]+./, "puppet.") # add puppet.domain as an alias
-            end
            key_usage = %w{digitalSignature keyEncipherment}
            ext_key_usage = %w{serverAuth clientAuth emailProtection}
        when :ocsp: