Contributor and CFEngine Champion, Jon Henrik Bjørnstad, developed a tool for encrypting files using CFEngine host keys, called cf-keycrypt. Thank you to Jon Henrik and all of our contributors for helping improve the CFEngine project. Our developer, Vratislav Podzimek, recently took some time to review the cf-keycrypt code, and made many improvements and fixes. The most notable changes were:
Switched to hybrid encryption (payload is encrypted with randomly generated AES key, AES key is encrypted with RSA key). Added file format, with HTTP-like headers for metadata Files can be encrypted for multiple hosts (host keys) Name changed to cf-secret cf-secret is now merged and will be a part of the upcoming 3.16 release.
A vulnerability was recently discovered in CFEngine Mission Portal and has now been fixed. Under certain circumstances, it was possible to inject JavaScript code into data presented in Mission Portal, that would be run in the user’s browser. This security issue was fixed in CFEngine 3.10.7, 3.12.3, and 3.15.0, and will be mitigated by upgrading your hub to one of these versions (or later). No other action is required than upgrading the Hub. This issue is present in CFEngine Enterprise 3.7 versions, 3.10.0 through 3.10.6, as well as 3.12.0, 3.12.1, and 3.12.2. All customers have been notified prior to this announcement and had time to address the issue. Any community users who use CFEngine Enterprise Free 25 should upgrade immediately. Open source versions of CFEngine (CFEngine Community) are not affected, as they do not include the Mission Portal Web UI. The security of the CFEngine product and our users is something we take very seriously, and we will continue to look for, fix and responsibly disclose serious weaknesses in our product(s). This issue has been registered as CVE-2019-19394 in the official public CVE registry. If you have any questions or concerns please contact CFEngine support if you have a support contract or email security@cfengine.com
Today we released 3.12.4-2. Shortly after releasing 3.12.4-1, we identified a permissions problem that prevents 3.12.4-1 from contributing data to a 3.15 hub setup for federated reporting; this release fixes that permission issue. As always, you can find Enterprise packages on our Enterprise downloads page and Community packages can be found in our public repositories and on our Community downloads page. Additionally, please note, cf-remote can be used to install our released Enterprise or Community packages.
Announcing CF4! (or is it CF-FORTH?!) I imagine you didn’t expect such a big release so soon after our most recent release of 3.12.4 and 3.15.1 on March 26, but here it is: our alpha-release. Thus the reason for the .-4 in the version number. Of course choosing -4 has something to do with the fun of spelling FORTH without the ‘U’. Also, it’s nearly a palindrome and I imagine we’ll have a few alphas/betas before the final release is finished. (a good palindrome: a man a plan a canal panama)
We are today very excited to bring you new updates to CFEngine. This is a set of patch releases for the CFEngine 3.12 LTS and 3.15 LTS series. We usually release new patch releases every 6 months, but we want to bring new features and all improvements and bug fixes to our users as soon as possible. Hence these early releases. In CFEngine 3.15 LTS we introduced Federated Reporting, our single pane of glass reporting architecture. This is a great new feature that allows you to set up a dedicated Hub that collects all reporting data from your entire infrastructure to really provide a single pane of glass into all your operations. In this patch release, we have included several performance improvements and bug fixes. There are no new features or larger changes in these patch releases. We focus on stability, improving performance, fixing bugs and are actively listening to open source users and customers alike when planning what to fix. We hope you enjoy the faster release this time and benefit from some of the improvements we have made.
The ongoing COVID-19 pandemic brings challenging times for many countries, companies, families, and individuals. Therefore we wanted to make a brief statement about the state of our operations. The CFEngine team has offices in Norway and the USA, as well as remote workers in Italy and other European countries that are all currently experiencing various levels of lock-down. We made a decision last week that we would encourage all our employees to work from home and our offices are now temporarily closed. Our parent company, Northern.tech, has focused on autonomy and being a remote-friendly organization for a long time. This focus and experience, fortunately, makes the current situation easier to manage. We do not anticipate a large disruption in our operations due to this decision. You can read more about our view on remote work on our company website. We continue to develop our products, create new releases and support our customers as usual. New releases are imminent, and there is much to look forward to. If your operations are affected by the current situation, please let us know if there is anything we can assist you with during this time. Lastly, we will not participate in any physical meet-ups, we will not attend any conferences or host any training on-premises in the immediate future. Please reach out to us if you would like an online training, meeting or another contact point. We encourage everyone to listen to their government’s advice, take all needed precautions, and stay safe and healthy through this challenging time.
As we enter 2020 and reflect on the various contributions the project has received we want to take a moment to recognize one of the more prolific contributors as a CFEngine Champion.
It’s my honor to announce and welcome Dimitrios Apostolou as the latest CFEngine Champion. At the time of this writing, he is the fourth most prolific committer in cfengine/core with 1101 commits.
2584 Mikhail Gusarov 2045 Mark Burgess 1430 Sigurd Teigen 1101 Dimitrios Apostolou 825 Kristian Amlie Notably, as an employee of CFEngine AS and Northern.tech AS Dimitrios was responsible for introducing Protocol 2 (TLS), greatly improving the performance of cf-serverd, and refactoring the policy evaluation to improve the speed of iteration over large and complex lists and data structures. As a community member, Dimitrios worked in his spare time to open source cf-monitord bringing the ability to write custom measurement promises to the Community edition. Thank you, Jimis. You have significantly enhanced the CFEngine community through your individual efforts. Know someone that has significantly enhanced CFEngine through their contributions to the project itself or via their engagement with the community? Nominate them!
We recently released new builds for our Enterprise and Community packages. This release fixes an issue causing Enterprise Hub packages to fail upgrade in some cases. As part of this release, we also made changes to package names to ensure consistent naming that also includes the target platform in the filename.
As always, you can find Enterprise packages on our Enterprise downloads page and Community packages can be found in our public repositories and on our Community downloads page.
CFEngine 2 network communication is insecure by today’s standards.
CFEngine 2 CVE-2016-6329: CFEngine 2 uses Blowfish cipher (1993) which today is considered: Weak Deprecated Subject to key recovery attack No security fixes since 2008. Protocol communications not encrypted; only data transfer (which facilitates attack). Encryption is off by default. CFEngine 3 All communication is encrypted Uses TLS 1.3 (current state of the art) Up to date, maintained, secure from the software vendor Full Enterprise support, with SLA. Solution CFEngine 3 was intentionally designed so that you can install it side by side with 2, so you have time to migrate your policies from 2 to 3.
Today marks a new milestone for CFEngine, with the release of the new CFEngine 3.15.0 LTS. This is the newest Long Term Supported CFEngine series, introducing a lot of great stuff. The biggest new feature in CFEngine 3.15 is Federated Reporting, which we will cover later in this blog post, but there are many other new improvements as well. If you are interested to learn more, schedule training, or hear about pricing options, feel free to reach out to us! Last week, we launched the last release of the CFEngine 3.10 LTS series, and support for 3.10 is coming to an end at the end of this year. CFEngine 3.12 LTS is still under standard support for another 18 months, and CFEngine 3.15 will receive standard support for the next 3 years. This is all described in the CFEngine release schedule. We are always looking for new contributions to CFEngine! Are you unsure how to get started? Please check out our contributing guide in addition to the following suggestions.
