'pe-bundler' missing in Puppet Enterprise 2016.4.6??

asked 2017-08-08 02:18:01 -0600

Paul Tung
3 ●1 ●1 ●4

Hi there,

The 'pe-bundler' was existed in previous version 2016.4.5 but missing in 2016.4.6, is that normal?

And where the reason I could find?

answered 2017-08-08 18:26:57 -0600

csharpsteen
616 ●5 ●14

The pe-bundler package was historically included in order to support the web-based installer which was launched via bundle exec. Recently, this installer component was re-built to remove the bundler dependency which also led to the pe-bundler package being removed as well. One additional factor that led to this remove was an unresolved security vulnerability in Bundler:

http://collectiveidea.com/blog/archiv...

PE never used Bundler in a way that exposed this vulnerability, but the presence of the package was tripping vulnerability scans conducted as part of security audits in some environments.

edit flag offensive delete link

Comments

Thanks a lot for your answer, I got it! But I am curious did Puppetlabs has any official announcement for this?

Paul Tung ( 2017-08-09 06:02:01 -0600 )edit

My guess would be that there wasn't an entry in the release notes as the pe-bundler package was considered an implementation detail of the web-based installer and there was no net change in the behavior of the installer.

csharpsteen ( 2017-08-09 14:54:52 -0600 )edit

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

'pe-bundler' missing in Puppet Enterprise 2016.4.6??

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

'pe-bundler' missing in Puppet Enterprise 2016.4.6?? edit

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

'pe-bundler' missing in Puppet Enterprise 2016.4.6??