Posted August 31, 2015
Assessed Risk Level: Medium
Previous versions of the README for the puppetlabs-firewall module contained examples of configurations using the `port` parameter instead of referencing `dport` and `sport`. Following these examples explicitly could result in firewall rules that are unintentionally permissive. It is recommended to always use the specific `dport` and `sport` parameters.
With the puppetlabs-firewall 1.7.1 release, the port
parameter is now deprecated and will be removed in the next major release.
If any manifests using puppetlabs-firewall's firewall
resource are configured to use the port
parameter, users should update those manifests to use the specific dport
or sport
parameters instead.
Thanks to Narayan Newton of Tag1 Consulting for responsibly disclosing this issue to us.
Status:
Affected Software Versions:
- puppetlabs-firewall 1.7.0 and earlier
Resolved in:
- puppetlabs-firewall 1.7.1