Operations | Monitoring | ITSM | DevOps | Cloud

CFEngine

CFEngine 3.12.2-3, 3.14.0-2 released (mitigating CVE-2019-10164)

On [2019-07-29 Mon] we released new builds of our Enterprise Hub packages for 3.12.2 and 3.14.0. This release addresses CVE-2019-10164. PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4 are vulnerable to a stack-based buffer overflow. Any authenticated user can overflow a stack-based buffer by changing the user’s own password to a purpose-crafted value. This often suffices to execute arbitrary code as the PostgreSQL operating system account.

Writing custom service_methods

CFEngine provides the services promise type to manage the state of a given service. services type promises are an abstraction of agent bundles, they can be used to declare the desired state for a collection of things identified by a name. Most commonly services type promises are used to manage standard operating system services though they can be used for abstracting other logical states.

CVE-2019-9929 - internal authentication secrets leaked in logs

The CFEngine engineering team has recently discovered a severe security issue in the CFEngine Enterprise product. CFEngine is using some internal secrets for authentication to the Mission Portal API and the PostgreSQL database when running background maintenance tasks. These internal secrets are randomly generated during the installation process and stored in files which only the root user has access to.

CFEngine 3.12.2 LTS Released

We are happy to release the 2nd update to the CFEngine 3.12 LTS series. This update comes with many important stability and performance improvements and is thus well worth the upgrade from an older version of 3.12 LTS. CFEngine 3.12 LTS brings a lot of innovation, new features and improved performance to CFEngine, and allows you to make the most efficient use of your time. We are looking forward to your feedback on this release.

Introducing cf-remote: Tooling to deploy CFEngine

About a year ago, I wrote a small python script to automate installing and bootstrapping CFEngine on virtual machines in AWS. It had some hard coded IP addresses that I needed to update when I spawned new hosts, but other than that, it worked well. During manual testing, it saved me a lot of time instead of having to do things manually.