Hiera 1.3.4 is a security fix release in the Hiera 1.3 series. This release addresses CVE-2014-3248. It has no other bug fixes or new features. All users of Hiera 1.3.3 and earlier are encouraged to update to 1.3.4.
** CVE-2014-3248 ** Arbitrary Code Execution with Required Social Engineering An attacker could convince an administrator to unknowingly create and execute malicious code on platforms with Ruby 1.9.1 and earlier. CVSSv2 Score: 5.9 Vector: AV:L/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:U/RC:C Affected Hiera versions (ruby 1.9.1 and earlier platforms only): All Fixed Hiera versions: 1.3.4 See the Release Notes here: http://docs.puppetlabs.com/hiera/1/release_notes.html#hiera-134 To install Hiera, follow the installation guide: http://docs.puppetlabs.com/hiera/1/installing.html For more information on this vulnerability, please visit https://puppetlabs.com/security/cve/cve-2014-3248 To report issues with the release, file a ticket in the "HI" project on http://tickets.puppetlabs.com/ and set the "Affects version/s" field to "1.3.4" -- Moses Mendoza Puppet Labs Join us at PuppetConf 2014, September 20-24 in San Francisco Register by July 31st to take advantage of the Early Bird discount —save $249! -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CA%2B421WZjNJScw-gMUMH-R4h2wRBJ6r%3DySpLMCHmrBi6RhJFGnA%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
