Michael Stahnke
2011-Sep-30 22:49 UTC
[Puppet Users] Announce: Puppet 2.6.11 Available [security updates]
Puppet 2.6.11 is a security update release in the 2.6.x branch. The only changes since 2.6.10 are security fixes for the following vulnerabilities: * CVE-2011-3870, a symlink attack via a user''s SSH authorized_keys file * CVE-2011-3869, a symlink attack via a user''s .k5login file * CVE-2011-3871, a privilege escalation attack via the temp file used by puppet resource * A low-risk file indirector injection attack WE RECOMMEND UPDATING TO THIS VERSION IMMEDIATELY, as a misconfiguration of our infrastructure resulted in information about these issues leaking to a public list prior to their official disclosure. For more details on these vulnerabilities, follow the links on our security updates page at: http://puppetlabs.com/security Features/fixes that were previously targeted at 2.6.11 have been moved to 2.6.12. Puppet 2.6.11 is available as of now. Changelog entries are available below. More detailed information is available on our Release Notes page. Release Notes have been updated:https://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes#2.6.11 This release is available for download at:http://puppetlabs.com/downloads/puppet/puppet-2.6.11.tar.gz RPM''s are available at http://yum.puppetlabs.com/el Puppet is also available via Rubygems at http://rubygems.org See the Verifying Puppet Download section at:http://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet Please report feedback via the Puppet Labs Redmine site, using an affected puppet version of 2.6.11:http://projects.puppetlabs.com/projects/puppet/ Commits: e158b26 (#9793) "secure" indirector file backed terminus base class. 343c7bd (#9792) Predictable temporary filename in ralsh. 88512e8 Drop privileges before creating and chmodding SSH keys. 2775c21 (#9794) k5login can overwrite arbitrary files as root -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.