Release 0.25.4

Fix for puppetlabs#3088 (catching Exception also traps SystemExit)

Changing rescues from the default to Exception (to catch errors that don't
descend from StandardError) had the unintended consequence of catching (and
suppressing) SystemExit.

This patch restores the behavior of by reraising the exception.

Of the other exceptions that fall through the same crack (NoMemoryError,
SignalException, LoadError, Interrupt, NotImplementedError, and ScriptError)
this patch also reraises NoMemoryError, SignalException, and Interrupt in the
same way and leaves the rest captured.

Minimal fix for puppetlabs#3001 (failing to fetch metadata on danglin…

…g symlink)

FileTest.exists? returns false if the target of a symlink is missing; in such
cases we still want to continue if the resource is a symlink, as we may be
managing a dangling symlink.  Continuing in such case either gives the desired
behavior or a more specific/informative error message.

Revert "Fix puppetlabs#2845 Cron entries using "special" parameter lo…

…se their title when changed"

This reverts commit c99f394.

The fix broke cron jobs in 0.25.3 and was reverted for the 0.25.4 release.

Reversion of pipe IO patch for testing on puppetlabs#3025

Fix for temporary file security whole

We create temporary files in /tmp/ with predictable names.  These
could be used by an attacker to DoS a box by setting a symlink to
some other file (say, /etc/shadow) and waiting for us to overwrite
it.

The minimalistic solution employed by this patch is to wrap all such
file writing with a paranoid wrapper that:

1) Check to see if the target exists
2) Issues a warning if it was a symlink
3) Deletes it
4) Waits (0.1 seconds if it was a file, 5 seconds if it was a symlink)
5) Opens the file with EXCL, which will fail if the file has come back.

If this succeeds (as it normally will) it has exactly the same semantics
as the original code (a must, as we are right at a release boundary).
However, under no circumstances will it follow a preexisting symlink (the
operating system guarantees this with EXCL) so the danger of an exploit
has been converted into the possibility of a failure, with an appropriate
warning.

Fixed typo in util.rb

ReFix 2675 ending slash in directory should get stripped off

There was an intermittent bug in Puppet::Parser::Resource::Reference,
during initialization, and object could sometimes have its title set
before its type is set. This prevented the title from going through
type-specific canonicalization.

Signed-off-by: Jesse Wolfe <jes5199@gmail.com>

Updated CHANGELOG for 0.25.2rc2