diff --git a/.github/workflows/component_diff_check.yaml b/.github/workflows/component_diff_check.yaml
index 8c4a2d70d..32169893a 100644
--- a/.github/workflows/component_diff_check.yaml
+++ b/.github/workflows/component_diff_check.yaml
@@ -35,7 +35,7 @@ jobs:
cat ./output/text
- name: Upload artifacts
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
with:
name: artifacts
path: output/
diff --git a/configs/components/_base-rubygem.rb b/configs/components/_base-rubygem.rb
index 0d16ecbe6..bf1c31335 100644
--- a/configs/components/_base-rubygem.rb
+++ b/configs/components/_base-rubygem.rb
@@ -41,9 +41,11 @@
# in its component file rubygem-, before the instance_eval of this file.
gem_install_options = settings["#{pkg.get_name}_gem_install_options".to_sym]
remove_older_versions = settings["#{pkg.get_name}_remove_older_versions".to_sym]
+# Set a default gem_uninstall
+gem_uninstall = settings[:gem_uninstall] || "#{settings[:host_gem]} uninstall --all --ignore-dependencies"
pkg.install do
steps = []
- steps << "#{settings[:gem_uninstall]} #{name}" if remove_older_versions
+ steps << "#{gem_uninstall} #{name}" if remove_older_versions
steps << if gem_install_options.nil?
"#{settings[:gem_install]} #{name}-#{version}.gem"
else
diff --git a/configs/components/curl.rb b/configs/components/curl.rb
index 95b3ecf1a..9b83c1008 100644
--- a/configs/components/curl.rb
+++ b/configs/components/curl.rb
@@ -6,8 +6,8 @@
case version
when '7.88.1'
pkg.sha256sum 'cdb38b72e36bc5d33d5b8810f8018ece1baa29a8f215b4495e495ded82bbf3c7'
- when '8.9.1'
- pkg.sha256sum '291124a007ee5111997825940b3876b3048f7d31e73e9caa681b80fe48b2dcd5'
+ when '8.10.1'
+ pkg.sha256sum 'd15ebab765d793e2e96db090f0e172d127859d78ca6f6391d7eafecfd894bbc0'
else
raise "curl version #{version} has not been configured; Cannot continue."
end
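Review bot: The new default on the `gem_uninstall =` line degrades silently when `settings[:host_gem]` is unset: the fallback becomes ` uninstall --all --ignore-dependencies` with an empty program name, which only surfaces later as an obscure shell failure inside `pkg.install`. Because the `||` short-circuits, the missing key can be made loud without touching the explicit-setting path: `gem_uninstall = settings[:gem_uninstall] || "#{settings.fetch(:host_gem)} uninstall --all --ignore-dependencies"` (assuming `settings` is a plain Hash, as the symbol indexing suggests). The comment should also say what the default does, since `--ignore-dependencies` skips RubyGems' dependency check and can leave dependants without their dependency until the reinstall step runs: `# Default uninstall command when a project does not set :gem_uninstall: removes every installed version of the gem, ignoring dependants (only used when <name>_remove_older_versions is set)`.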
@@ -49,10 +49,11 @@
pkg.apply_patch 'resources/patches/curl/CVE-2024-2004.patch'
pkg.apply_patch 'resources/patches/curl/CVE-2024-2398.patch'
pkg.apply_patch 'resources/patches/curl/CVE-2024-7264.patch'
+ pkg.apply_patch 'resources/patches/curl/CVE-2024-8096.patch'
end
configure_options = []
- configure_options << "--with-ssl=#{settings[:prefix]}"
+ configure_options << "--with-ssl=#{settings[:prefix]} --without-libpsl"
# OpenSSL version 3.0 & up no longer ships by default the insecure algorithms
# that curl's ntlm module depends on (md4 & des).
diff --git a/configs/components/libxml2.rb b/configs/components/libxml2.rb
index 57f8f60db..497c27b28 100644
--- a/configs/components/libxml2.rb
+++ b/configs/components/libxml2.rb
@@ -1,6 +1,6 @@
component "libxml2" do |pkg, settings, platform|
- pkg.version '2.12.6'
- pkg.sha256sum '889c593a881a3db5fdd96cc9318c87df34eb648edfc458272ad46fd607353fbb'
+ pkg.version '2.13.4'
+ pkg.sha256sum '65d042e1c8010243e617efb02afda20b85c2160acdbfbcb5b26b80cec6515650'
libxml2_version_y = pkg.get_version.gsub(/(\d+)\.(\d+)\.(\d+)/, '\1.\2')
pkg.url "https://download.gnome.org/sources/libxml2/#{libxml2_version_y}/libxml2-#{pkg.get_version}.tar.xz"
diff --git a/configs/components/libxslt.rb b/configs/components/libxslt.rb
index 47fc061be..991d42b61 100644
--- a/configs/components/libxslt.rb
+++ b/configs/components/libxslt.rb
@@ -1,6 +1,6 @@
component "libxslt" do |pkg, settings, platform|
- pkg.version '1.1.39'
- pkg.sha256sum '2a20ad621148339b0759c4d4e96719362dee64c9a096dbba625ba053846349f0'
+ pkg.version '1.1.42'
+ pkg.sha256sum '85ca62cac0d41fc77d3f6033da9df6fd73d20ea2fc18b0a3609ffb4110e1baeb'
libxslt_version_y = pkg.get_version.gsub(/(\d+)\.(\d+)\.(\d+)/, '\1.\2')
pkg.url "https://download.gnome.org/sources/libxslt/#{libxslt_version_y}/libxslt-#{pkg.get_version}.tar.xz"
diff --git a/configs/components/openssl-3.0.rb b/configs/components/openssl-3.0.rb
index 27d0a2ede..24b9ac78f 100644
--- a/configs/components/openssl-3.0.rb
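Review bot: `--without-libpsl` is packed into the same array element as `--with-ssl=…` and arrives without any explanation, although it is a security-relevant build choice: curl uses libpsl to apply public-suffix rules to cookie domains, so a curl built without it will accept cookies scoped to broad suffixes, and recent curl configure scripts require the flag to be explicit precisely so that this is a conscious decision. Keep one option per element and record the reason, e.g. `configure_options << "--with-ssl=#{settings[:prefix]}"` followed by `configure_options << '--without-libpsl' # no libpsl in the runtime; curl then skips public-suffix checks on cookie domains`. The `end` after the added CVE-2024-8096 apply_patch closes a block that starts outside the hunk, so it cannot be confirmed here that the patch is applied only to the 7.88.1 branch; since 8.10.1 already carries the upstream fix, applying it there would either fail or be a no-op, so that scoping is worth verifying.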
+++ b/configs/components/openssl-3.0.rb
@@ -1,7 +1,7 @@
component 'openssl' do |pkg, settings, platform|
- pkg.version '3.0.14'
- pkg.sha256sum 'eeca035d4dd4e84fc25846d952da6297484afa0650a6f84c682e39df3a4123ca'
- pkg.url "https://openssl.org/source/openssl-#{pkg.get_version}.tar.gz"
+ pkg.version '3.0.15'
+ pkg.sha256sum '23c666d0edf20f14249b3d8f0368acaee9ab585b09e1de82107c66e1f3ec9533'
+ pkg.url "https://github.com/openssl/openssl/releases/download/openssl-#{pkg.get_version}/openssl-#{pkg.get_version}.tar.gz"
pkg.mirror "#{settings[:buildsources_url]}/openssl-#{pkg.get_version}.tar.gz"
#############################
@@ -121,9 +121,6 @@
'no-whirlpool'
]
- # Remove this in 3.0.15 or later
- pkg.apply_patch 'resources/patches/openssl/CVE-2024-5535.patch'
-
if settings[:use_legacy_openssl_algos]
pkg.apply_patch 'resources/patches/openssl/openssl-3-activate-legacy-algos.patch'
else
diff --git a/configs/components/rubygem-faraday-follow_redirects.rb b/configs/components/rubygem-faraday-follow_redirects.rb
new file mode 100644
index 000000000..8abdb6f22
--- /dev/null
+++ b/configs/components/rubygem-faraday-follow_redirects.rb
@@ -0,0 +1,6 @@
+component 'rubygem-faraday-follow_redirects' do |pkg, settings, platform|
+ pkg.version '0.3.0'
+ pkg.md5sum '75fa678fa40b54a94e51efc1600a6461'
+
+ instance_eval File.read('configs/components/_base-rubygem.rb')
+end
diff --git a/configs/components/rubygem-faraday-net_http.rb b/configs/components/rubygem-faraday-net_http.rb
index 793b7a645..b1738bd2d 100644
--- a/configs/components/rubygem-faraday-net_http.rb
+++ b/configs/components/rubygem-faraday-net_http.rb
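Review bot: The `pkg.url` line moves the primary download from openssl.org to a GitHub release asset with no comment saying why, which the next version bump will have to rediscover. Integrity does not depend on the host because `pkg.sha256sum` still pins the exact tarball, but that only holds if the hash is taken from the OpenSSL project's own published checksum rather than computed from whatever the new host serves. A one-line comment above `pkg.url` would settle both points: `# Release tarballs are fetched from the project's GitHub release assets; verify sha256sum against the value announced by the OpenSSL project, not against the download`.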
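Review bot: The new component pins its download with `pkg.md5sum` only, while every other artifact updated in this diff (curl, libxml2, libxslt, openssl) is pinned with `pkg.sha256sum`, so the build tooling evidently supports the stronger digest. MD5 is not collision-resistant, which makes it a weak integrity pin for a fetched artifact; rubygems.org publishes a SHA-256 for every gem version, so `pkg.sha256sum '<sha256 of faraday-follow_redirects-0.3.0.gem>'` (placeholder, take the value from rubygems.org) costs nothing. The same applies to the new `when '3.3.0'`, `when '2.12.0'` and `when '5.0.4'` branches in rubygem-faraday-net_http.rb, rubygem-faraday.rb and rubygem-puppet_forge.rb; keep `md5sum` only if `_base-rubygem.rb`, which is outside this hunk, actually requires it.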
@@ -1,6 +1,16 @@
component 'rubygem-faraday-net_http' do |pkg, settings, platform|
- pkg.version '1.0.2'
- pkg.md5sum 'b8e560b8cd7c008a7fd1686143428337'
+ version = settings[:rubygem_faraday_net_http_version] || '1.0.2'
+
+ case version
+ when '1.0.2'
+ pkg.version '1.0.2'
+ pkg.md5sum 'b8e560b8cd7c008a7fd1686143428337'
+ when '3.3.0'
+ pkg.version '3.3.0'
+ pkg.md5sum '7e6378aaa271587dd4109795c0a05769'
+ else
+ raise "rubygem-faraday-net_http version #{version} is not supported"
+ end
instance_eval File.read('configs/components/_base-rubygem.rb')
end
diff --git a/configs/components/rubygem-faraday.rb b/configs/components/rubygem-faraday.rb
index 829bf6b2e..5231945a7 100644
--- a/configs/components/rubygem-faraday.rb
+++ b/configs/components/rubygem-faraday.rb
@@ -1,6 +1,16 @@
component 'rubygem-faraday' do |pkg, settings, platform|
- pkg.version '1.10.3'
- pkg.md5sum 'c7b56130721c0b055c071bec593e2446'
+ version = settings[:rubygem_faraday_version] || '1.10.3'
+
+ case version
+ when '1.10.3'
+ pkg.version '1.10.3'
+ pkg.md5sum 'c7b56130721c0b055c071bec593e2446'
+ when '2.12.0'
+ pkg.version '2.12.0'
+ pkg.md5sum 'c0248b00a32c46b64cd2a172c96409ec'
+ else
+ raise "rubygem-faraday version #{version} is not supported"
+ end
instance_eval File.read('configs/components/_base-rubygem.rb')
end
diff --git a/configs/components/rubygem-puppet_forge.rb b/configs/components/rubygem-puppet_forge.rb
index f8b62dafd..682d35c6e 100644
--- a/configs/components/rubygem-puppet_forge.rb
+++ b/configs/components/rubygem-puppet_forge.rb
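Review bot: Each `when` branch repeats the literal that `version` already holds (`pkg.version '1.0.2'`, `pkg.version '3.3.0'`), so the only thing the branches actually decide is the checksum, and a mismatch between a `when` label and its `pkg.version` argument would go unnoticed. A single `pkg.version version` placed before `case version` leaves each branch with just its checksum line and removes that drift; the rubygem-faraday.rb hunk has the same shape and would benefit from the same change. Since the version is now overridable per project, a comment above `version =` would help the next reader: `# Overridable via settings[:rubygem_faraday_net_http_version]; presumably has to move in step with rubygem_faraday_version — confirm against the gems' dependency specs`.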
@@ -1,6 +1,17 @@
component 'rubygem-puppet_forge' do |pkg, settings, platform|
- pkg.version '3.2.0'
- pkg.md5sum '501d5f9f742007504d0d60ce6cf0c27f'
+ version = settings[:rubygem_puppet_forge_version] || '3.2.0'
+ pkg.version version
+
+ case version
+ when '3.2.0'
+ pkg.version '3.2.0'
+ pkg.md5sum '501d5f9f742007504d0d60ce6cf0c27f'
+ when '5.0.4'
+ pkg.version '5.0.4'
+ pkg.md5sum '04a2ca2f027ed41d9142ced587b71bd7'
+ else
+ raise "rubygem-puppet_forge version #{version} is not supported"
+ end
instance_eval File.read('configs/components/_base-rubygem.rb')
end
diff --git a/configs/projects/_pdk-components.rb b/configs/projects/_pdk-components.rb
index 6da890c0e..0e792fb92 100644
--- a/configs/projects/_pdk-components.rb
+++ b/configs/projects/_pdk-components.rb
@@ -60,6 +60,10 @@
proj.component 'rubygem-fast_gettext'
proj.component 'rubygem-gettext-setup'
proj.component 'rubygem-minitar'
+proj.component 'rubygem-faraday'
+proj.component 'rubygem-faraday-follow_redirects'
+proj.component 'rubygem-semantic_puppet'
+proj.component 'rubygem-faraday-net_http'
# Bundler
proj.component 'rubygem-bundler'
@@ -99,5 +103,6 @@
proj.component 'rubygem-json_pure'
proj.component 'rubygem-diff-lcs'
proj.component 'rubygem-pathspec'
+proj.component 'rubygem-puppet_forge'
proj.component 'ansicon' if platform.is_windows?
diff --git a/configs/projects/agent-runtime-main.rb b/configs/projects/agent-runtime-main.rb
index 4f3e8398e..975baf4be 100644
--- a/configs/projects/agent-runtime-main.rb
+++ b/configs/projects/agent-runtime-main.rb
@@ -14,7 +14,7 @@
proj.setting :augeas_version, '1.14.1'
end
- proj.setting :curl_version, '8.9.1'
+ proj.setting :curl_version, '8.10.1'
########
# Load shared agent settings
diff --git a/configs/projects/client-tools-runtime-2023.8.x.rb b/configs/projects/client-tools-runtime-2023.8.x.rb
new file mode 100644
index 000000000..84b31517f
--- /dev/null
+++ b/configs/projects/client-tools-runtime-2023.8.x.rb
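Review bot: `pkg.version version` is called before the `case`, and then each branch calls `pkg.version` again with the same literal, so the version is set twice on every path; this also diverges from rubygem-faraday.rb and rubygem-faraday-net_http.rb in the same diff, which set it only inside the branches. Pick one form: either drop the `pkg.version version` line, or keep it and delete the two per-branch `pkg.version '3.2.0'` / `pkg.version '5.0.4'` lines so each branch carries only its checksum. The `else` branch still raises before anything is downloaded in both variants, which is the property worth keeping.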
@@ -0,0 +1,6 @@
+project 'client-tools-runtime-2023.8.x' do |proj|
+ proj.setting(:openssl_version, '3.0')
+
+ # Common settings
+ instance_eval File.read(File.join(File.dirname(__FILE__), '_shared-client-tools-runtime.rb'))
+end
\ No newline at end of file
diff --git a/configs/projects/pdk-runtime.rb b/configs/projects/pdk-runtime.rb
index 37e5cc0a7..99a996c42 100644
--- a/configs/projects/pdk-runtime.rb
+++ b/configs/projects/pdk-runtime.rb
@@ -5,6 +5,9 @@
proj.setting(:rubygem_fast_gettext_version, '1.1.2')
proj.setting(:rubygem_gettext_version, '3.2.2')
proj.setting(:rubygem_gettext_setup_version, '0.34')
+ proj.setting(:rubygem_puppet_forge_version, '5.0.4')
+ proj.setting(:rubygem_faraday_version, '2.12.0')
+ proj.setting(:rubygem_faraday_net_http_version, '3.3.0')
platform = proj.get_platform
diff --git a/configs/projects/pe-bolt-server-runtime-2023.8.x.rb b/configs/projects/pe-bolt-server-runtime-2023.8.x.rb
new file mode 100644
index 000000000..df183dcdf
--- /dev/null
+++ b/configs/projects/pe-bolt-server-runtime-2023.8.x.rb
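Review bot: The new file is committed without a trailing newline (`\ No newline at end of file`), and so are the new pe-bolt-server-runtime-2023.8.x.rb and pe-installer-runtime-2023.8.x.rb; adding the final newline keeps future diffs against these files to the lines that actually change. Beyond that the file is a thin wrapper whose behaviour lives in `_shared-client-tools-runtime.rb`, which is outside this diff, so there is nothing further to check here.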
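Review bot: The three added settings — `rubygem_puppet_forge_version` 5.0.4, `rubygem_faraday_version` 2.12.0 and `rubygem_faraday_net_http_version` 3.3.0 — are accepted independently by the `case` statements in their component files, so a later edit to just one of these lines would pass the version check and only fail, if at all, at gem-install time. Nothing in the hunk says they belong together; a comment above the group would: `# puppet_forge 5.x pulls in faraday 2.x, which in turn needs faraday-net_http 3.x; bump these three together` (that coupling is presumably why they are grouped — confirm against the gems' dependency specs before wording it as fact).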
@@ -0,0 +1,28 @@
+project 'pe-bolt-server-runtime-2023.8.x' do |proj|
+ proj.setting(:pe_version, '2023.8')
+ proj.setting(:rubygem_puppet_version, '8.8.1')
+ # We build bolt server with the ruby installed in the puppet-agent dep. For ruby 2.7 we need to use a --no-document flag
+ # for gem installs instead of --no-ri --no-rdoc. This setting allows us to use this while we support both ruby 2.5 and 2.7
+ # Once we are no longer using ruby 2.5 we can update.
+ proj.setting(:no_doc, true)
+
+ proj.setting(:ruby_version, '3.2.5')
+ proj.setting(:openssl_version, '3.0')
+
+ # We enable legacy algorithms for winrm transport. Currently the winrm transport
+ # does not work on FIPS, so in order to stay compliant we do not enable legacy algorithms
+ # on fips builds.
+ if proj.get_platform.name =~ /^redhatfips/
+ proj.setting(:use_legacy_openssl_algos, false)
+ else
+ proj.setting(:use_legacy_openssl_algos, true)
+ end
+
+ instance_eval File.read(File.join(File.dirname(__FILE__), '_shared-pe-bolt-server_with_ruby.rb'))
+ # These are ruby 3/puppet 8 specific gems. Some of them are "default/standard" gems. There
+ # is a very annoying issue where default gems can be loaded by MRI but not jruby.
+ # We explicitly pacakge up some default gems where we have explicit dependencies for jruby
+ proj.component 'rubygem-prime'
+ proj.component 'rubygem-rexml'
+ proj.component 'rubygem-getoptlong'
+end
\ No newline at end of file
diff --git a/configs/projects/pe-installer-runtime-2023.8.x.rb b/configs/projects/pe-installer-runtime-2023.8.x.rb
new file mode 100644
index 000000000..f0d8930a2
--- /dev/null
+++ b/configs/projects/pe-installer-runtime-2023.8.x.rb
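Review bot: The comment above `proj.setting(:no_doc, true)` is stale in this file: it explains a compromise for supporting ruby 2.5 and 2.7, yet the same file pins `ruby_version` 3.2.5, so the "once we are no longer using ruby 2.5" condition is already met; `# Ruby >= 2.7 gem installs take --no-document instead of --no-ri --no-rdoc` says all that still applies. `pacakge` in the later comment is a typo for `package`. On the platform test, `^` is a line anchor in Ruby, so `proj.get_platform.name.start_with?('redhatfips')` states the whole-string prefix check more precisely (the platform name is presumably single-line, so this is a clarity rather than a correctness point), and the if/else then collapses to `proj.setting(:use_legacy_openssl_algos, !proj.get_platform.name.start_with?('redhatfips'))`.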
@@ -0,0 +1,13 @@
+project 'pe-installer-runtime-2023.8.x' do |proj|
+ proj.setting(:ruby_version, '3.2.5')
+ proj.setting(:openssl_version, '3.0')
+ # NLTM uses MD4 unconditionally in its protocol, so legacy algos must be
+ # enabled in OpenSSL >= 3.0 for Bolt's WinRM transport to work.
+ # We DO NOT WANT legacy algos enabled for the Puppet Agent runtime.
+ proj.setting(:use_legacy_openssl_algos, true)
+
+ # rubygem-net-ssh included in shared-agent-components
+ proj.setting(:rubygem_net_ssh_version, '7.2.3')
+ proj.setting(:rubygem_puppet_version, '8.8.1')
+ instance_eval File.read(File.join(File.dirname(__FILE__), '_shared-pe-installer-runtime.rb'))
+end
\ No newline at end of file
diff --git a/resources/patches/curl/CVE-2024-8096.patch b/resources/patches/curl/CVE-2024-8096.patch
new file mode 100644
index 000000000..005e2bfc1
--- /dev/null
+++ b/resources/patches/curl/CVE-2024-8096.patch
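Review bot: `NLTM` in the comment above `proj.setting(:use_legacy_openssl_algos, true)` is a typo for `NTLM`. Separately, this file enables the legacy OpenSSL algorithms unconditionally, whereas pe-bolt-server-runtime-2023.8.x.rb in the same diff sets `use_legacy_openssl_algos` to false on `redhatfips` platforms to stay FIPS-compliant; if the installer runtime is ever built for a FIPS platform, this file would apply the legacy-algorithm patch there too. Either mirror the platform check from the bolt-server file or extend the comment to say why the installer runtime is exempt, e.g. `# Not built for FIPS platforms, so no redhatfips exception here` (only if that is actually the case).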
@@ -0,0 +1,189 @@
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 07dfaa437..db9221b96 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -526,6 +526,13 @@ CURLcode gtls_client_init(struct Curl_easy *data,
+ init_flags |= GNUTLS_NO_TICKETS;
+ #endif
+
++#if defined(GNUTLS_NO_STATUS_REQUEST)
++ if(!config->verifystatus)
++ /* Disable the "status_request" TLS extension, enabled by default since
++ GnuTLS 3.8.0. */
++ init_flags |= GNUTLS_NO_STATUS_REQUEST;
++#endif
++
+ rc = gnutls_init(>ls->session, init_flags);
+ if(rc != GNUTLS_E_SUCCESS) {
+ failf(data, "gnutls_init() failed: %d", rc);
+@@ -919,104 +926,97 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
+ infof(data, " server certificate verification SKIPPED");
+
+ if(config->verifystatus) {
+- if(gnutls_ocsp_status_request_is_checked(session, 0) == 0) {
+- gnutls_datum_t status_request;
+- gnutls_ocsp_resp_t ocsp_resp;
++ gnutls_datum_t status_request;
++ gnutls_ocsp_resp_t ocsp_resp;
++ gnutls_ocsp_cert_status_t status;
++ gnutls_x509_crl_reason_t reason;
+
+- gnutls_ocsp_cert_status_t status;
+- gnutls_x509_crl_reason_t reason;
++ rc = gnutls_ocsp_status_request_get(session, &status_request);
+
+- rc = gnutls_ocsp_status_request_get(session, &status_request);
++ if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
++ failf(data, "No OCSP response received");
++ return CURLE_SSL_INVALIDCERTSTATUS;
++ }
+
+- infof(data, " server certificate status verification FAILED");
++ if(rc < 0) {
++ failf(data, "Invalid OCSP response received");
++ return CURLE_SSL_INVALIDCERTSTATUS;
++ }
+
+- if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+- failf(data, "No OCSP response received");
+- return CURLE_SSL_INVALIDCERTSTATUS;
+- }
++ gnutls_ocsp_resp_init(&ocsp_resp);
+
+- if(rc < 0) {
+- failf(data, "Invalid OCSP response received");
+- return CURLE_SSL_INVALIDCERTSTATUS;
+- }
++ rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
++ if(rc < 0) {
++ failf(data, "Invalid OCSP response received");
++ return
CURLE_SSL_INVALIDCERTSTATUS;
++ }
+
+- gnutls_ocsp_resp_init(&ocsp_resp);
++ (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
++ &status, NULL, NULL, NULL, &reason);
+
+- rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
+- if(rc < 0) {
+- failf(data, "Invalid OCSP response received");
+- return CURLE_SSL_INVALIDCERTSTATUS;
+- }
++ switch(status) {
++ case GNUTLS_OCSP_CERT_GOOD:
++ break;
+
+- (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
+- &status, NULL, NULL, NULL, &reason);
++ case GNUTLS_OCSP_CERT_REVOKED: {
++ const char *crl_reason;
+
+- switch(status) {
+- case GNUTLS_OCSP_CERT_GOOD:
++ switch(reason) {
++ default:
++ case GNUTLS_X509_CRLREASON_UNSPECIFIED:
++ crl_reason = "unspecified reason";
+ break;
+
+- case GNUTLS_OCSP_CERT_REVOKED: {
+- const char *crl_reason;
+-
+- switch(reason) {
+- default:
+- case GNUTLS_X509_CRLREASON_UNSPECIFIED:
+- crl_reason = "unspecified reason";
+- break;
+-
+- case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
+- crl_reason = "private key compromised";
+- break;
+-
+- case GNUTLS_X509_CRLREASON_CACOMPROMISE:
+- crl_reason = "CA compromised";
+- break;
+-
+- case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
+- crl_reason = "affiliation has changed";
+- break;
++ case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
++ crl_reason = "private key compromised";
++ break;
+
+- case GNUTLS_X509_CRLREASON_SUPERSEDED:
+- crl_reason = "certificate superseded";
+- break;
++ case GNUTLS_X509_CRLREASON_CACOMPROMISE:
++ crl_reason = "CA compromised";
++ break;
+
+- case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
+- crl_reason = "operation has ceased";
+- break;
++ case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
++ crl_reason = "affiliation has changed";
++ break;
+
+- case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
+- crl_reason = "certificate is on hold";
+- break;
++ case GNUTLS_X509_CRLREASON_SUPERSEDED:
++ crl_reason = "certificate superseded";
++ break;
+
+- case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
+- crl_reason = "will be removed from delta CRL";
+- break;
++ case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
++ crl_reason = "operation has ceased";
++ break;
+
+- case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
+- crl_reason = "privilege withdrawn";
+- break;
++ case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
++ crl_reason = "certificate is on hold";
++ break;
+
+- case GNUTLS_X509_CRLREASON_AACOMPROMISE:
+- crl_reason = "AA compromised";
+- break;
+- }
++ case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
++ crl_reason = "will be removed from delta CRL";
++ break;
+
+- failf(data, "Server certificate was revoked: %s", crl_reason);
++ case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
++ crl_reason = "privilege withdrawn";
+ break;
+- }
+
+- default:
+- case GNUTLS_OCSP_CERT_UNKNOWN:
+- failf(data, "Server certificate status is unknown");
++ case GNUTLS_X509_CRLREASON_AACOMPROMISE:
++ crl_reason = "AA compromised";
+ break;
+ }
+
+- gnutls_ocsp_resp_deinit(ocsp_resp);
++ failf(data, "Server certificate was revoked: %s", crl_reason);
++ break;
++ }
++
++ default:
++ case GNUTLS_OCSP_CERT_UNKNOWN:
++ failf(data, "Server certificate status is unknown");
++ break;
++ }
+
++ gnutls_ocsp_resp_deinit(ocsp_resp);
++ if(status != GNUTLS_OCSP_CERT_GOOD)
+ return CURLE_SSL_INVALIDCERTSTATUS;
+- }
+- else
+- infof(data, " server certificate status verification OK");
+ }
+ else
+ infof(data, " server certificate status verification SKIPPED");
diff --git a/resources/patches/ruby_27/0001-Filter-marshaled-objects-ruby30.patch b/resources/patches/ruby_27/0001-Filter-marshaled-objects-ruby30.patch
index 7741d321b..1b9baf32c 100644
--- a/resources/patches/ruby_27/0001-Filter-marshaled-objects-ruby30.patch
+++ b/resources/patches/ruby_27/0001-Filter-marshaled-objects-ruby30.patch
@@ -80,7 +80,7 @@ index 5ba671ca1b..5b663d73fb 100644
+ case obj
+ when true, false, nil, Array, Class, Encoding, Hash, Integer, String, Symbol, RDoc::Text
+ else
-+ unless obj.class.name.start_with("RDoc::")
++ unless obj.class.name.start_with?("RDoc::")
+ raise TypeError, "not permitted class: #{obj.class.name}"
+ end
+ end