Issue #9790 has been updated by Michael Stahnke.

Patches applied cleanly across 0.25.x, 2.6rc and 2.7rc. These have been pushed to private repo puppet-cve-test on github.

----------------------------------------
Bug #9790: TOCTOU vulnerability in ssh_authorized_keys.
https://projects.puppetlabs.com/issues/9790

Author: Daniel Pittman
Status: Accepted
Priority: Normal
Assignee: Daniel Pittman
Category: security
Target version:
Affected Puppet version:
Keywords:
Branch:

There was a TOCTOU vulnerability in ssh_authorized_keys, and theoretically in the Solaris and AIX providers, where file ownership was given away before it was written.

This was bad, because it allowed a user to overwrite arbitrary files as root, if their authorized_keys file was managed.

Credit to Ricky Zhou <[email protected]> for the discovery and fix.
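The ordering problem described in the issue, as an added Ruby example that is not part of the original report and not Puppet's code: the write goes through one file descriptor that is checked before it is modified, and ownership is handed over last. The helper name `write_keys_safely`, the sample key and the temp-dir scenario are assumptions made up for illustration.

```ruby
require 'tmpdir'

# Order described in the report (shown as comments only, not executed):
#   File.chown(uid, gid, path)                  # ownership handed to the user first
#   File.open(path, 'w') { |f| f.write(keys) }  # root then writes to whatever the path names now
# write_keys_safely is a hypothetical helper for illustration, not Puppet's code.
def write_keys_safely(path, content, uid, gid)
  flags = File::WRONLY | File::CREAT | File::NOFOLLOW  # no O_TRUNC: inspect before modifying
  File.open(path, flags, 0o600) do |f|
    st = f.stat                                        # fstat on the descriptor, not the path
    raise SecurityError, "#{path}: not a regular file" unless st.file?
    raise SecurityError, "#{path}: extra hard links" if st.nlink > 1
    f.truncate(0)
    f.write(content)
    f.chmod(0o600)                                     # fchmod on the same descriptor
    f.chown(uid, gid)                                  # fchown last: ownership changes after the write
  end
  true
end

SAMPLE_KEY = "ssh-ed25519 AAAAconstructedexamplekey user@example\n" # constructed value

def attempt(path)
  write_keys_safely(path, SAMPLE_KEY, Process.euid, Process.egid)
  :written
rescue SystemCallError, SecurityError
  :refused
end

# Constructed scenario in a temp dir; chown targets the current uid/gid so it runs unprivileged.
def demo
  Dir.mktmpdir do |dir|
    victim = File.join(dir, 'victim')
    File.write(victim, "original\n")
    plain = File.join(dir, 'authorized_keys')
    sym   = File.join(dir, 'keys_symlink')
    hard  = File.join(dir, 'keys_hardlink')
    File.symlink(victim, sym)
    File.link(victim, hard)
    { plain: attempt(plain), content: File.read(plain),
      symlink: attempt(sym), hardlink: attempt(hard), victim: File.read(victim) }
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

O_NOFOLLOW only guards the final path component, so a parent directory the user controls remains a race surface. Performing the whole write with the target user's privileges instead of root's removes that exposure.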
