[CentOS] puppet, repos, security

2013-10-31 Thread ign...@vault13.lt
Hello list,

I am using puppet 2.7.20 from rpmforge, with a build date of Wed 20 Mar 
2013. EPEL has an even older version.
Then I see this: http://puppetlabs.com/security/cve/cve-2013-3567 that 
was posted in the month of July 2013.

Do I understand correctly, that my puppet-master is vulnerable to remote 
code execution by every node that has access to master's port tcp/8140?

If so, then the only option to use puppet while being safe is to use 
puppetlabs repo, or build puppet myself?

Thank you
Ignas
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] puppet, repos, security

2013-10-31 Thread James Hogarth
On 31 October 2013 07:30, ign...@vault13.lt ign...@vault13.lt wrote:

> I am using puppet 2.7.20 from rpmforge, with a build date of Wed 20 Mar
> 2013. EPEL has an even older version.


A very old and occasionally suspect repo (rpmforge) in terms of lack of
updates (see the clamav issues a little while back). EPEL is better but
stays a lot older.


> Then I see this: http://puppetlabs.com/security/cve/cve-2013-3567 that
> was posted in the month of July 2013.
>
> Do I understand correctly, that my puppet-master is vulnerable to remote
> code execution by every node that has access to master's port tcp/8140?


Yes that is almost certainly the case - best to check the --changelog of
the RPM you are using though.


> If so, then the only option to use puppet while being safe is to use
> puppetlabs repo, or build puppet myself?


Using the official puppetlabs repo is the best/right answer and will allow
you to be on the most recent puppet version - there are significant reasons
why this is desirable.
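
One way to carry out the changelog check suggested in the reply above, as an added example that is not part of the original thread. Packagers can backport a fix without changing the upstream version number, so the script looks for the CVE id in the package changelog; the function names and the sample changelog are constructed for illustration.

```shell
#!/bin/sh
# Added example: does an RPM changelog record a fix for a given CVE?

# changelog_entry_for_cve CVE-ID
# Reads `rpm -q --changelog` output on stdin and prints the header line
# ("* date packager - version-release") of every entry whose body mentions
# the CVE (case-insensitive). Returns 0 on a match, 1 otherwise.
changelog_entry_for_cve() {
    awk -v cve="$1" '
        BEGIN { cve = tolower(cve); found = 0 }
        /^\* / { header = $0; printed = 0; next }    # start of a new entry
        header != "" && index(tolower($0), cve) {
            if (!printed) { print header; printed = 1 }
            found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# check_installed PKG CVE-ID
# Queries the installed package (needs rpm). Returns 0 if the changelog
# mentions the CVE, 1 if it does not, 2 if the package is not installed.
check_installed() {
    pkg=$1
    cve=$2
    rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE} vendor=%{VENDOR} built=%{BUILDTIME:date}\n' "$pkg" || return 2
    if rpm -q --changelog "$pkg" | changelog_entry_for_cve "$cve"; then
        echo "$pkg: changelog mentions $cve (see entry above)"
    else
        echo "$pkg: no changelog entry mentions $cve; treat as unpatched"
        return 1
    fi
}

# Constructed sample changelog (not taken from any real package).
sample_changelog() {
cat <<'EOF'
* Mon Aug 05 2013 Example Packager <packager@example.org> - 1.2.4-2
- Backport upstream patch for CVE-2013-3567

* Wed Mar 20 2013 Example Packager <packager@example.org> - 1.2.4-1
- Update to 1.2.4
EOF
}

# Offline demo on the constructed sample; on a real host run:
#   check_installed puppet CVE-2013-3567
sample_changelog | changelog_entry_for_cve CVE-2013-3567
```

A missing changelog mention is not proof of vulnerability, since not every packager lists CVE ids, but it is the signal that the package needs a closer look or a replacement from a maintained repo.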