[Bug 978708] Re: [Precise] puppet is vulnerable to CVE-2012-1906 and CVE-2012-1986 through CVE-2012-1989
This bug was fixed in the package puppet - 2.7.11-1ubuntu2

---
puppet (2.7.11-1ubuntu2) precise; urgency=low

  * SECURITY UPDATE: Arbitrary file writes via predictable filename usage in
    appdmg and pkgdmg providers (LP: #978708)
    - debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
    - CVE-2012-1906
  * SECURITY UPDATE: Arbitrary file reads via Filebucket REST requests
    - debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
    - CVE-2012-1986
  * SECURITY UPDATE: Denial of service via Filebucket text/marshall support
    - debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
    - CVE-2012-1987
  * SECURITY UPDATE: Arbitrary code execution via Filebucket requests
    - debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
    - CVE-2012-1988
  * SECURITY UPDATE: Arbitrary file writes via predictable telnet output log
    filename
    - debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
    - CVE-2012-1989
  * debian/patches/puppet-12844: Re-fetch the patch from upstream since some
    missing pieces cause 'rake spec' to abort immediately

 -- Tyler Hicks  Wed, 11 Apr 2012 03:55:10 -0500

** Changed in: puppet (Ubuntu)
   Status: Confirmed => Fix Released

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to puppet in Ubuntu.
https://bugs.launchpad.net/bugs/978708

Title: [Precise] puppet is vulnerable to CVE-2012-1906 and CVE-2012-1986 through CVE-2012-1989

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/puppet/+bug/978708/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 978708] Re: [Precise] puppet is vulnerable to CVE-2012-1906 and CVE-2012-1986 through CVE-2012-1989
ACK on the debdiff, uploaded to Precise.
[Bug 978708] Re: [Precise] puppet is vulnerable to CVE-2012-1906 and CVE-2012-1986 through CVE-2012-1989
The diff between the output of 'cd /usr/share/puppet-testsuite && rake spec unit' run under puppet-2.7.11-1ubuntu1 and puppet-2.7.11-1ubuntu2 (which is simply the debdiff attached above applied).

Note that there are many false positives from failed Windows tests. I'm not sure why these tests are being run, but it looks like Puppet.features.microsoft_windows is not testing out to be false.

** Patch added: "puppet-2.7.11-1ubuntu2_rake-spec-unit.diff"
   https://bugs.launchpad.net/ubuntu/+source/puppet/+bug/978708/+attachment/3045160/+files/puppet-2.7.11-1ubuntu2_rake-spec-unit.diff

** Visibility changed to: Public