Yesterday, packages for CFEngine 3.12.5 and 3.15.2 were made available. This release announcement was delayed in support of Blackout Tuesday in the United States of America. We are pleased to announce two new patch releases for CFEngine, version 3.12.5 and 3.15.2! These patch releases don’t contain major changes or new features, but rather fix important bugs reported by our community of users and customers. Some users reported issues with federated reporting, specifically related to non-reporting hosts. These issues are fixed in policy in the newest releases, upgrading to the latest version of Masterfiles Policy Framework (MPF) resolves them. A race condition during report collection was mitigated. This could in some cases cause a failed report collection, scheduling a retry (rebase), and emitting errors in syslog. The race condition only happened with long running agents, or agents running at the same time as report collection. It only caused errors in some very specific situations, so this was not caught by our tests, and most users did not experience the issue. Also, in relation to reporting, the hub can now query itself over the IPv6 loopback address, ::1, similar to 127.0.0.1.
Today we released 3.12.4-2. Shortly after releasing 3.12.4-1, we identified a permissions problem that prevents 3.12.4-1 from contributing data to a 3.15 hub setup for federated reporting; this release fixes that permission issue. As always, you can find Enterprise packages on our Enterprise downloads page and Community packages can be found in our public repositories and on our Community downloads page. Additionally, please note, cf-remote can be used to install our released Enterprise or Community packages.
We are today very excited to bring you new updates to CFEngine. This is a set of patch releases for the CFEngine 3.12 LTS and 3.15 LTS series. We usually release new patch releases every 6 months, but we want to bring new features and all improvements and bug fixes to our users as soon as possible. Hence these early releases. In CFEngine 3.15 LTS we introduced Federated Reporting, our single pane of glass reporting architecture. This is a great new feature that allows you to set up a dedicated Hub that collects all reporting data from your entire infrastructure to really provide a single pane of glass into all your operations. In this patch release, we have included several performance improvements and bug fixes. There are no new features or larger changes in these patch releases. We focus on stability, improving performance, fixing bugs and are actively listening to open source users and customers alike when planning what to fix. We hope you enjoy the faster release this time and benefit from some of the improvements we have made.
We recently released new builds for our Enterprise and Community packages. This release fixes an issue causing Enterprise Hub packages to fail upgrade in some cases. As part of this release, we also made changes to package names to ensure consistent naming that also includes the target platform in the filename.
As always, you can find Enterprise packages on our Enterprise downloads page and Community packages can be found in our public repositories and on our Community downloads page.
CFEngine 2 network communication is insecure by today’s standards.
CFEngine 2 CVE-2016-6329: CFEngine 2 uses Blowfish cipher (1993) which today is considered: Weak Deprecated Subject to key recovery attack No security fixes since 2008. Protocol communications not encrypted; only data transfer (which facilitates attack). Encryption is off by default. CFEngine 3 All communication is encrypted Uses TLS 1.3 (current state of the art) Up to date, maintained, secure from the software vendor Full Enterprise support, with SLA. Solution CFEngine 3 was intentionally designed so that you can install it side by side with 2, so you have time to migrate your policies from 2 to 3.
Today marks a new milestone for CFEngine, with the release of the new CFEngine 3.15.0 LTS. This is the newest Long Term Supported CFEngine series, introducing a lot of great stuff. The biggest new feature in CFEngine 3.15 is Federated Reporting, which we will cover later in this blog post, but there are many other new improvements as well. If you are interested to learn more, schedule training, or hear about pricing options, feel free to reach out to us! Last week, we launched the last release of the CFEngine 3.10 LTS series, and support for 3.10 is coming to an end at the end of this year. CFEngine 3.12 LTS is still under standard support for another 18 months, and CFEngine 3.15 will receive standard support for the next 3 years. This is all described in the CFEngine release schedule. We are always looking for new contributions to CFEngine! Are you unsure how to get started? Please check out our contributing guide in addition to the following suggestions.
We are now happy to release two new LTS versions of CFEngine, 3.10.7 LTS, and 3.12.3 LTS.
CFEngine 3.10.7 - end of life This will be the last release of the CFEngine 3.10 LTS series. Standard Support of CFEngine 3.10 LTS ends end of this year. If you would like extended support, please contact us. From the CFEngine release schedule, we see that CFEngine 3.10 LTS is maintained and supported until December 28th, 2019. That is the end of this year, so you should start planning on upgrading to CFEngine 3.12 LTS, or the soon to be released CFEngine 3.15.0 LTS that is scheduled to be released in the next few weeks. 3.10.7 LTS is the last maintenance release (patch release) of the CFEngine 3.10 LTS series. The goal of this release is to make sure that the stability and reliability for CFEngine users that cannot immediately upgrade to 3.12, and enable a safe upgrade path. As such, this release includes bug fixes and low-risk changes that do not impact the compatibility between previous patch releases.
Due to a number of vulnerabilities found in the version of Apache we bundle with CFEngine hub, we have upgraded the CFEngine hub packages to use an updated version of Apache. We upgrade from Apache 2.4.39 to Apache 2.4.41. We are now releasing a new version, CFEngine Hub 3.12.2-5. Only new Hub packages are being released, as no other packages are affected by these vulnerabilities.
The issues fixed There are several issues that have been fixed with this new version of Apache. Out of these, only CVE-2019-10098 should affect CFEngine and is the one we were most concerned with. low: mod_rewrite potential open redirect (CVE-2019-10098) Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL. You can see the full list of issues fixed in Apache 2.4.41 here: https://httpd.apache.org/security/vulnerabilities_24.html This dependency upgrade is the only change we have made. So please upgrade your CFEngine hub today.
Today we are happy to announce the general availability of CFEngine 3.15.0 beta. CFEngine 3.15 is our upcoming LTS (Long Term Support) release. The main focus of this release has been the new Federated Reporting feature. It also contains a lot of performance work and stability improvements. You can download CFEngine 3.15 LTS beta here.
Beta program CFEngine 3.15 is a beta release that is not generally supported, however, the quality is good and interesting new features are available. So, in order for all the new features to be of the best quality, we make it available to you to test already now. We appreciate all the feedback we can get on this beta release. If you test it, you can provide any and all feedback through a quick survey here. We are eagerly awaiting your feedback. You can also email us, or contact us through our webpage.
On [2019-07-29 Mon] we released new builds of our Enterprise Hub packages for 3.12.2 and 3.14.0. This release addresses CVE-2019-10164.
PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4 are vulnerable to a stack-based buffer overflow. Any authenticated user can overflow a stack-based buffer by changing the user’s own password to a purpose-crafted value. This often suffices to execute arbitrary code as the PostgreSQL operating system account.
CFEngine Enterprise LTS versions 3.12.0, 3.12.1, 3.12.2-1, 3.12.2-2, and non-LTS version 3.14.0 vendor PostgreSQL versions affected by this vulnerability. In the default configuration as access to root or cfpostgres local users must be achieved first.
