Welcome to the first Puppet Dashboard maintenance release of the new year. This release includes a security update to address CVE-2012-0891, an XSS vulnerability discovered by David Dasz <[email protected]>. We have classified the risk from this exposure as moderate. All Puppet Dashboard users are encouraged to upgrade when possible.

Puppet Enterprise users should visit http://puppetlabs.com/security for links to hotfixes and/or patches for their release. For more information, please visit http://puppetlabs.com/security/cve/cve-2012-0891

It includes contributions from the following people: Bruno Leon, Daniel Pittman, Daniel Sauble, Pieter van de Bruggen

This release is available for download at: http://downloads.puppetlabs.com/dashboard/

We have created Debian and RPM packages as well as a tarball. See the Verifying Puppet Download section at: http://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet

Please report feedback via the Puppet Labs Redmine site, using an affected version of 1.2.5: http://projects.puppetlabs.com/projects/dashboard

Documentation is available at: http://docs.puppetlabs.com/dashboard/index.html

Puppet Dashboard 1.2.5 Release Notes
===

(#11365) Rigorously escape user inputs (CVE-2012-0891)

This fix addresses a bug in Puppet Dashboard versions 1.0 – 1.2.4 that allows for Cross Site Scripting (XSS) attacks on certain input fields. This could potentially allow a malicious user to share Puppet Dashboard data with other websites, or manipulate fields in the Dashboard database. This commit sanitizes user inputs to avoid the aforementioned XSS attacks and also updates the jquery tokeninput library to resist XSS attacks.

(#5879) Removes 'url' column from 'nodes' table

The url column is no longer used by Dashboard, so this commit removes it.

Puppet Dashboard 1.2.5 Changelog
===

Bruno Leon (1):
  b448067 Fix path to pid files

Daniel Pittman (1):
  da28abf Added some documentation on writing plugins.

Daniel Sauble (1):
  89f6341 (#5879) Removes 'url' column from 'nodes' table

Pieter van de Bruggen (1):
  (#11365) Rigorously escape user inputs (CVE-2012-0891)

--
You received this message because you are subscribed to the Google Groups "Puppet Developers" group.
