[bug-notifications] [puppet 0005090]: Upgrade Puppet to 2.7.22 due to security issues
Mantis Bug Tracker
noreply at opencsw.org
Fri Jul 12 02:18:45 CEST 2013
A NOTE has been added to this issue.
======================================================================
https://www.opencsw.org/mantis/view.php?id=5090
======================================================================
Reported By: wcooley
Assigned To: markp
======================================================================
Project: puppet
Issue ID: 5090
Category: upgrade
Reproducibility: N/A
Severity: major
Priority: normal
Status: closed
Resolution: fixed
Fixed in Version:
======================================================================
Date Submitted: 2013-07-11 00:43 CEST
Last Modified: 2013-07-12 02:18 CEST
======================================================================
Summary: Upgrade Puppet to 2.7.22 due to security issues
Description:
Please upgrade Puppet to 2.7.22; dublin has only 2.7.14 and kiel has only
2.7.21.
Versions prior to 2.7.22 have the following vulnerability:
"Unauthenticated Remote Code Execution Vulnerability"
http://puppetlabs.com/security/cve/cve-2013-3567/
Prior to 2.7.21:
"Remote Code Execution Vulnerability"
http://puppetlabs.com/security/cve/cve-2013-1640/
"Unauthenticated Remote Code Execution Vulnerability"
http://puppetlabs.com/security/cve/cve-2013-1655/
Prior to 2.7.18:
"Arbitrary file read on the puppet master from authenticated clients"
http://docs.puppetlabs.com/puppet/2.7/reference/release_notes.html#security-fixes
There are several other security vulnerabilities covered in these releases,
but these seemed to be the most pressing.
======================================================================
----------------------------------------------------------------------
(0010491) maciej (developer) - 2013-07-12 02:18
https://www.opencsw.org/mantis/view.php?id=5090#c10491
----------------------------------------------------------------------
I think the problem the reporter was referring to is the combination of
these two things:
1. curl -s http://www.opencsw.org/get-it/releases/ | grep -i production
<p>As of 2012, dublin is recommended for production systems.</p>
2. curl -s http://mirror.opencsw.org/opencsw/dublin/i386/5.10/catalog | awk '$1 == "puppet" { print $4 }'
puppet-2.7.14,REV=2012.05.03-SunOS5.9-all-CSW.pkg.gz
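
The catalog check from the note, combined with the version thresholds from the issue description, as an added example that is not part of the original notification or of OpenCSW's tooling. The function names and the sample catalog lines are constructed for illustration; the kiel REV value is a placeholder.

```shell
#!/bin/sh
# Added example: report which advisories listed in the issue still apply to
# the puppet package in a release catalog.
# Catalog lines below are constructed; only field 1 (name) and field 4 (package
# file) follow the awk filter in the note, the other fields are placeholders.

sample_catalog() {  # $1 = release name
    case $1 in
        dublin) echo "puppet x x puppet-2.7.14,REV=2012.05.03-SunOS5.9-all-CSW.pkg.gz" ;;
        kiel)   echo "puppet x x puppet-2.7.21,REV=0000.00.00-SunOS5.9-all-CSW.pkg.gz" ;;
    esac
}

# Read a catalog on stdin, print the puppet version taken from the file name.
catalog_puppet_version() {
    awk '$1 == "puppet" { print $4 }' |
        sed -n 's/^puppet-\([0-9][0-9.]*\),REV=.*/\1/p' | head -n 1
}

# version_lt A B: true when dotted version A is older than B (numeric per field,
# so 2.7.9 sorts before 2.7.22, unlike a plain string comparison).
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" |
         sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# Print the advisories from the issue description that apply to version $1.
open_issues() {
    if version_lt "$1" 2.7.22; then echo "CVE-2013-3567"; fi
    if version_lt "$1" 2.7.21; then echo "CVE-2013-1640"; echo "CVE-2013-1655"; fi
    if version_lt "$1" 2.7.18; then echo "arbitrary-file-read-fixed-in-2.7.18"; fi
}

# Stand-alone run over the constructed catalogs for both releases in the issue.
for release in dublin kiel; do
    v=$(sample_catalog "$release" | catalog_puppet_version)
    echo "$release: puppet $v: $(open_issues "$v" | tr '\n' ' ')"
done
```

To run it against a live mirror, pipe the output of the curl command from the note into catalog_puppet_version in place of sample_catalog.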