Issue #13643 has been updated by Matthaus Litteken. Status changed from Merged - Pending Release to Closed

Released in Puppet 2.7.14rc1

----------------------------------------
Refactor #13643: The use of FileUtils.rm_rf should be made secure
https://projects.puppetlabs.com/issues/13643#change-60749

Author: Kelsey Hightower
Status: Closed
Priority: Normal
Assignee: Kelsey Hightower
Category: security
Target version: 2.7.14
Affected Puppet version: 2.7.12
Keywords: geordi cleanup
Branch: https://github.com/puppetlabs/puppet/pull/629

All uses of the `FileUtils.rm_rf` method should be made secure by setting the `:secure` option to true.

From the online docs:

> This method causes local vulnerability if one of parent directories or removing directory tree are world writable (including /tmp, whose permission is 1777), and the current process has strong privilege such as Unix super user (root), and the system has symbolic link. For secure removing, read the documentation of remove_entry_secure carefully, and set :secure option to true. Default is :secure=>false. NOTE: This method calls remove_entry_secure if :secure option is set.
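
The effect of the `:secure` option described in the issue, as an added example that is not code from the Puppet pull request. The helper name `secure_rm_rf`, the `demo` function and the temporary directory tree are assumptions constructed for illustration; it assumes a POSIX system with symlink support.

```ruby
require "fileutils"
require "tmpdir"

# Hypothetical helper (not Puppet's code): recursive delete with :secure set,
# followed by a check of the outcome. remove_entry_secure refuses to work under
# a world-writable parent that lacks the sticky bit. That refusal may surface
# as ArgumentError or be suppressed by rm_rf's force mode, so verify either way.
def secure_rm_rf(path)
  begin
    FileUtils.rm_rf(path, secure: true)
  rescue ArgumentError
    # refusal reported by remove_entry_secure; handled by the check below
  end
  File.exist?(path) || File.symlink?(path) ? :refused : :removed
end

# Constructed demo tree: <tmp>/parent/victim/data.txt, with "parent" set to
# the given mode before the delete is attempted.
def demo(parent_mode)
  Dir.mktmpdir("rmrf-demo") do |base|
    parent = File.join(base, "parent")
    victim = File.join(parent, "victim")
    FileUtils.mkdir_p(victim)
    File.write(File.join(victim, "data.txt"), "constructed sample\n")
    File.chmod(parent_mode, parent)
    result = secure_rm_rf(victim)
    File.chmod(0o755, parent) # restore so the temp tree cleans up normally
    result
  end
end

if __FILE__ == $0
  { "0777 (world-writable, no sticky bit)" => 0o777,
    "1777 (world-writable, sticky, like /tmp)" => 0o1777,
    "0755 (not world-writable)" => 0o755 }.each do |label, mode|
    puts "parent mode #{label}: #{demo(mode)}"
  end
end
```

A caller that needs the delete to have happened should treat `:refused` as an error rather than continue.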
