A NOTE has been added to this issue.
======================================================================
https://www.opencsw.org/mantis/view.php?id=5090
======================================================================
Reported By:                wcooley
Assigned To:                markp
======================================================================
Project:                    puppet
Issue ID:                   5090
Category:                   upgrade
Reproducibility:            N/A
Severity:                   major
Priority:                   normal
Status:                     closed
Resolution:                 fixed
Fixed in Version:
======================================================================
Date Submitted:             2013-07-11 00:43 CEST
Last Modified:              2013-07-12 02:18 CEST
======================================================================
Summary:                    Upgrade Puppet to 2.7.22 due to security issues
Description:
Please upgrade Puppet to 2.7.22; dublin has only 2.7.14 and kiel has only 2.7.21.

Versions prior to 2.7.22 have the following vulnerability:
"Unauthenticated Remote Code Execution Vulnerability"
http://puppetlabs.com/security/cve/cve-2013-3567/

Prior to 2.7.21:
"Remote Code Execution Vulnerability"
http://puppetlabs.com/security/cve/cve-2013-1640/
"Unauthenticated Remote Code Execution Vulnerability"
http://puppetlabs.com/security/cve/cve-2013-1655/

Prior to 2.7.18:
"Arbitrary file read on the puppet master from authenticated clients"
http://docs.puppetlabs.com/puppet/2.7/reference/release_notes.html#security-fixes

There are several other security vulnerabilities covered in these releases, but these seemed to be the most pressing.
======================================================================

----------------------------------------------------------------------
(0010491) maciej (developer) - 2013-07-12 02:18
https://www.opencsw.org/mantis/view.php?id=5090#c10491
----------------------------------------------------------------------
I think the problem the reporter was referring to, is the combination of these two things:

1. curl -s http://www.opencsw.org/get-it/releases/ | grep -i production
<p>As of 2012, dublin is recommended for production systems.</p>

2. curl -s http://mirror.opencsw.org/opencsw/dublin/i386/5.10/catalog | awk '$1 == "puppet" { print $4 }'
puppet-2.7.14,REV=2012.05.03-SunOS5.9-all-CSW.pkg.gz
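The catalog check from the note, carried one step further as an added example (not part of the original report or of OpenCSW's tooling): it reads the package file name from field 4 of a catalog line, as the awk command above does, and lists which of the fixes named in the report the packaged version lacks. The catalog lines are constructed, with placeholders for the fields the report does not show, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Only fields 1 and 4 of a catalog line are used,
# matching the awk command quoted in the note.

# Constructed sample catalog; FIELD2/FIELD3 are placeholders.
sample_catalog() {
    cat <<'EOF'
examplepkg FIELD2 FIELD3 examplepkg-1.0,REV=2000.01.01-SunOS5.9-all-CSW.pkg.gz
puppet FIELD2 FIELD3 puppet-2.7.14,REV=2012.05.03-SunOS5.9-all-CSW.pkg.gz
EOF
}

# Extract the upstream version from field 4:
# puppet-2.7.14,REV=... -> 2.7.14
puppet_version() {
    awk '$1 == "puppet" { v = $4; sub(/^puppet-/, "", v); sub(/,.*/, "", v); print v; exit }'
}

# Return 0 if dotted numeric version $1 is lower than $2.
# Components are compared as numbers, so 2.10.0 is not below 2.7.22.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        max = (n > m) ? n : m
        for (i = 1; i <= max; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }'
}

# Print the fixes from the report that version $1 does not include.
missing_fixes() {
    version_lt "$1" 2.7.18 && echo "2.7.18: arbitrary file read on the puppet master"
    version_lt "$1" 2.7.21 && echo "2.7.21: CVE-2013-1640 CVE-2013-1655"
    version_lt "$1" 2.7.22 && echo "2.7.22: CVE-2013-3567"
    return 0
}

v=$(sample_catalog | puppet_version)
echo "catalog puppet version: $v"
missing_fixes "$v"
```

To run it against a real mirror, pipe the output of the curl command from the note into `puppet_version` in place of `sample_catalog`.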
