Author: anarcat
Date: 2017-10-30 18:46:07 +0000 (Mon, 30 Oct 2017)
New Revision: 57136

Modified:
   data/CVE/list
   data/dla-needed.txt
Log:
no version of puppet in debian is affected by CVE-2016-5714

agent 1.3.6 is puppet 4.3.2 and 1.7.1 is 4.7.0, so no version is vulnerable

Modified: data/CVE/list
===================================================================
--- data/CVE/list       2017-10-30 14:06:32 UTC (rev 57135)
+++ data/CVE/list       2017-10-30 18:46:07 UTC (rev 57136)
@@ -59048,8 +59048,13 @@
 CVE-2016-5715 (Open redirect vulnerability in the Console in Puppet Enterprise 
2015.x ...)
        - puppet <not-affected> (Limited to Puppet Enterprise)
 CVE-2016-5714 (Puppet Enterprise 2015.3.3 and 2016.x before 2016.4.0, and 
Puppet ...)
-       - puppet <unfixed>
-       TODO: check
+       - puppet 4.8.0-1
+       [wheezy] - puppet <not-affected> (Vulnerable code introduced later)
+       [jessie] - puppet <not-affected> (Vulnerable code introduced later)
+       NOTE: https://puppet.com/security/cve/pxp-agent-oct-2016
+       NOTE: triaged away in Ubuntu: "Default configurations of FOSS Puppet 
Agent are not vulnerable."
+       NOTE: gentoo released a fix: https://security.gentoo.org/glsa/201710-12
+       NOTE: rosetta stone for puppet version numbers: 
https://puppet.com/docs/puppet/4.10/about_agent.html
 CVE-2016-5713
        RESERVED
 CVE-2016-5712
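
Review bot: The `- puppet 4.8.0-1` line records a fixed version for unstable, which implies earlier uploads were vulnerable, while the commit log says no version of puppet in Debian is affected. If the log is the intent, `- puppet <not-affected>` with a short reason would match it; if 4.8.0-1 is deliberately recorded as the first known-good version, a NOTE saying so would remove the ambiguity. The version mapping from the log (agent 1.3.6 is puppet 4.3.2, 1.7.1 is 4.7.0) is the evidence behind the wheezy and jessie `<not-affected>` lines, so consider adding it as a NOTE instead of only linking the rosetta-stone page. The stated reason "Vulnerable code introduced later" also differs from the quoted Ubuntu rationale about default configurations; it would help to say which one Debian is relying on.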

Modified: data/dla-needed.txt
===================================================================
--- data/dla-needed.txt 2017-10-30 14:06:32 UTC (rev 57135)
+++ data/dla-needed.txt 2017-10-30 18:46:07 UTC (rev 57136)
@@ -93,8 +93,6 @@
   NOTE: drawForm is doForm1 in wheezy
   NOTE: exploit does not loop but code looks affected
 --
-puppet
---
 python-werkzeug (Thorsten Alteholz)
 --
 quagga (Hugo Lefeuvre)
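
Review bot: The removed `puppet` entry carried no CVE id or NOTE, and the log justifies dropping it only by CVE-2016-5714. The removal is consistent with the new `[wheezy] - puppet <not-affected>` line in data/CVE/list, but it is worth confirming that no other open puppet issue was the reason the package was listed in dla-needed.txt.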


_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
