[bug-notifications] [puppet 0005090]: Upgrade Puppet to 2.7.22 due to security issues

Mantis Bug Tracker noreply at opencsw.org
Fri Jul 12 02:18:45 CEST 2013


A NOTE has been added to this issue. 
====================================================================== 
https://www.opencsw.org/mantis/view.php?id=5090 
====================================================================== 
Reported By:                wcooley
Assigned To:                markp
====================================================================== 
Project:                    puppet
Issue ID:                   5090
Category:                   upgrade
Reproducibility:            N/A
Severity:                   major
Priority:                   normal
Status:                     closed
Resolution:                 fixed
Fixed in Version:           
====================================================================== 
Date Submitted:             2013-07-11 00:43 CEST
Last Modified:              2013-07-12 02:18 CEST
====================================================================== 
Summary:                    Upgrade Puppet to 2.7.22 due to security issues
Description: 
Please upgrade Puppet to 2.7.22; dublin has only 2.7.14 and kiel has only
2.7.21.

Versions prior to 2.7.22 have the following vulnerability:
"Unauthenticated Remote Code Execution Vulnerability"
  http://puppetlabs.com/security/cve/cve-2013-3567/

Prior to 2.7.21:
"Remote Code Execution Vulnerability"
  http://puppetlabs.com/security/cve/cve-2013-1640/

"Unauthenticated Remote Code Execution Vulnerability"
  http://puppetlabs.com/security/cve/cve-2013-1655/

Prior to 2.7.18:
"Arbitrary file read on the puppet master from authenticated clients"
  http://docs.puppetlabs.com/puppet/2.7/reference/release_notes.html#security-fixes

There are several other security vulnerabilities covered in these releases,
but these seemed to be the most pressing.
====================================================================== 

---------------------------------------------------------------------- 
 (0010491) maciej (developer) - 2013-07-12 02:18
 https://www.opencsw.org/mantis/view.php?id=5090#c10491 
---------------------------------------------------------------------- 
I think the problem the reporter was referring to is the combination of
these two things:

1. curl -s http://www.opencsw.org/get-it/releases/ | grep -i production
<p>As of 2012, dublin is recommended for production systems.</p>

2. curl -s http://mirror.opencsw.org/opencsw/dublin/i386/5.10/catalog | awk '$1 == "puppet" { print $4 }'
puppet-2.7.14,REV=2012.05.03-SunOS5.9-all-CSW.pkg.gz
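
The check described in the note above can be scripted. This is an added example, not part of the original report or of OpenCSW tooling: it reads the puppet version from field 4 of a catalog and lists which of the advisories named in the report still apply. The function names and the sample catalog line are assumptions; only fields 1 and 4 of the line are taken from the output shown above.

```shell
#!/bin/sh
# Added example: version thresholds are the ones stated in the report.

# Print the puppet version taken from field 4 (package file name) of a catalog.
catalog_puppet_version() {
    awk '$1 == "puppet" {
        v = $4; sub(/^puppet-/, "", v); sub(/,.*/, "", v); print v; exit
    }' "$1"
}

# Succeed (exit 0) if dotted version $1 is strictly lower than $2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = x[i] + 0; q = y[i] + 0   # missing components count as 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1                            # equal versions are not "lower"
    }'
}

# Print, one per line, the advisories from the report that apply to version $1.
advisories_for() {
    if version_lt "$1" 2.7.22; then echo "CVE-2013-3567"; fi
    if version_lt "$1" 2.7.21; then echo "CVE-2013-1640"; echo "CVE-2013-1655"; fi
    if version_lt "$1" 2.7.18; then echo "arbitrary file read (fixed in 2.7.18)"; fi
}

# Constructed sample catalog line; fields 2 and 3 are placeholders.
sample=$(mktemp)
echo 'puppet PLACEHOLDER PLACEHOLDER puppet-2.7.14,REV=2012.05.03-SunOS5.9-all-CSW.pkg.gz' > "$sample"
v=$(catalog_puppet_version "$sample")
echo "catalog ships puppet $v; advisories still open:"
advisories_for "$v"
rm -f "$sample"
```

To run it against a real mirror, save the output of the curl command above to a file and pass that file to catalog_puppet_version.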


