Open akondasif opened 6 years ago
I am not maintaining this package anymore. If you want to submit a PR, and if someone who is using this package wants to take a look at the PR, then I am fine with that, but otherwise I will not be doing anything with this.
Acknowledged. Thanks for the reply. I created the issue to get feedback on my finding.
I also noticed instances of binding to 0.0.0.0. Binding an address to 0.0.0.0 indicates allowing connections from all IP addresses. I would like to draw attention to these instances. Binding to 0.0.0.0 may lead to denial of service attacks. Practitioners have reported how binding to 0.0.0.0 facilitated security issues for MySQL (https://serversforhackers.com/c/mysql-network-security), Memcached (https://news.ycombinator.com/item?id=16493480), and Kibana (https://www.elastic.co/guide/en/kibana/5.0/breaking-changes-5.0.html).
I suggest to use a dedicated IP address other than 0.0.0.0.
I also noticed instances of empty passwords. Empty passwords increase the guessability of passwords. The Common Weakness Organization (CWE) identifies use of empty passwords as a security weakness (https://cwe.mitre.org/data/definitions/258.html).
I suggest that to follow the strong password guidelines, and manage passwords with hiera.
Greetings,
I am a security researcher, who is looking for security smells in Puppet scripts. I noticed instances of SHA1 usages in one of the Puppet scripts. SHA1 is vulnerable to attacks, and should be avoided. The Common Weakness Enumeration organization recommends against usage of weak cryptographic algorithms such as SHA1. Reff: https://cwe.mitre.org/data/definitions/327.html.
I suggest the use of SHA512 , which is more secure.
Any feedback is appreciated.
Source: https://github.com/wesleytodd/YeoPress/blob/master/app/templates/puppet/modules/apt/manifests/key.pp