Michael Stahnke
2012-Jan-26 23:42 UTC
Puppet Dashboard 1.2.5 Available [security update - moderate]
Welcome to the first Puppet Dashboard maintenance release of the new year.
This release includes a security update to address CVE-2012-0891, an
XSS vulnerability discovered by David Dasz <david@dasz.at>. We have
classified the risk from this exposure as moderate. All Puppet Dashboard
users are encouraged to upgrade when possible.
Puppet Enterprise users
should visit http://puppetlabs.com/security for links to hotfixes
and/or patches for their release. For more information, please visit
http://puppetlabs.com/security/cve/cve-2012-0891
It includes contributions from the following people: Bruno Leon,
Daniel Pittman, Daniel Sauble, Pieter van de Bruggen
This release is available for download at:
http://downloads.puppetlabs.com/dashboard/
We have created Debian and RPM packages as well as a tarball.
See the Verifying Puppet Download section at:
http://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet
Please report feedback via the Puppet Labs Redmine site, using an
affected version of 1.2.5:
http://projects.puppetlabs.com/projects/dashboard
Documentation is available at:
http://docs.puppetlabs.com/dashboard/index.html
Puppet Dashboard 1.2.5 Release Notes
==
(#11365) Rigorously escape user inputs (CVE-2012-0891)
This fix addresses a bug in Puppet Dashboard versions 1.0 - 1.2.4 that allows
for Cross Site Scripting (XSS) attacks on certain input fields. This could
potentially allow a malicious user to share Puppet Dashboard data with other
websites, or manipulate fields in the Dashboard database. This commit
sanitizes user inputs to avoid the aforementioned XSS attacks and also
updates the jquery tokeninput library to resist XSS attacks.
(#5879) Removes 'url' column from 'nodes' table
The url column is no longer used by Dashboard, so this commit removes it.
Puppet Dashboard 1.2.5 Changelog
==
Bruno Leon (1):
b448067 Fix path to pid files
Daniel Pittman (1):
da28abf Added some documentation on writing plugins.
Daniel Sauble (1):
89f6341 (#5879) Removes 'url' column from 'nodes' table
Pieter van de Bruggen (1):
(#11365) Rigorously escape user inputs (CVE-2012-0891)
--
You received this message because you are subscribed to the Google Groups
"Puppet Developers" group.
To post to this group, send email to puppet-dev@googlegroups.com.
To unsubscribe from this group, send email to
puppet-dev+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-dev?hl=en.
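The #11365 fix above is described as escaping user inputs so that values typed into Dashboard form fields cannot be rendered as markup. The following is an added illustration of that class of defense, written for this page; it is not code from the announcement or from Puppet Dashboard itself. It assumes a Ruby environment (Dashboard is a Rails application) and uses only the standard-library `ERB::Util.html_escape`; the tainted node name is a constructed sample value, and the rendering helpers are hypothetical stand-ins for a view template.

```ruby
require 'erb'

# Constructed sample input: a node name as a hostile user might submit it
# through a form field. Not taken from the advisory.
TAINTED_NODE_NAME = %q{web01"><script>alert(1)</script>}

# Vulnerable pattern: the raw value is interpolated straight into HTML,
# so any markup in it becomes part of the page the next viewer loads.
def render_unsafe(name)
  "<td>#{name}</td>"
end

# Hardened pattern: escape at the output boundary. &, <, >, " and ' become
# entities, so the browser shows the text instead of interpreting it.
# (Illustrative helper, not Dashboard's own view code.)
def render_escaped(name)
  "<td>#{ERB::Util.html_escape(name)}</td>"
end

# Minimal check a reviewer or test suite can run on rendered output:
# does the markup still contain a live <script> tag?
def contains_script_tag?(html)
  html.match?(%r{<script\b}i)
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe:  #{render_unsafe(TAINTED_NODE_NAME)}"
  puts "escaped: #{render_escaped(TAINTED_NODE_NAME)}"
end
```

The point of the check is that escaping must happen where the value is written into HTML, not where it is read from the request: a value that is stored verbatim is harmless as long as every template that prints it escapes it for the context it lands in.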
John Morrissey
2012-Feb-13 15:06 UTC
[Puppet Users] Re: Puppet Dashboard 1.2.5 Available [security update - moderate]
On Thu, Jan 26, 2012 at 03:42:12PM -0800, Michael Stahnke wrote:
> Welcome to the first Puppet Dashboard maintenance release of the new year.
[snip]
> This release is available for download at:
> http://downloads.puppetlabs.com/dashboard/
>
> We have created Debian and RPM packages as well as a tarball.

Looks like there are only Debian packages for 1.2.5rc1, not 1.2.5 itself.
Maybe the Debian packages were accidentally overlooked?

john
--
John Morrissey _o /\ ---- __o
jwm@horde.net _-< \_ / \ ---- < \,
www.horde.net/ __(_)/_(_)________/ \_______(_) /_(_)__

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Michael Stahnke
2012-Feb-13 19:16 UTC
Re: [Puppet Users] Re: Puppet Dashboard 1.2.5 Available [security update - moderate]
On Mon, Feb 13, 2012 at 7:06 AM, John Morrissey <jwm@horde.net> wrote:
> On Thu, Jan 26, 2012 at 03:42:12PM -0800, Michael Stahnke wrote:
>> Welcome to the first Puppet Dashboard maintenance release of the new year.
> [snip]
>> This release is available for download at:
>> http://downloads.puppetlabs.com/dashboard/
>>
>> We have created Debian and RPM packages as well as a tarball.
>
> Looks like there are only Debian packages for 1.2.5rc1, not 1.2.5 itself.
> Maybe the Debian packages were accidentally overlooked?

The final packages end up on apt.puppetlabs.com and don't get put in
/downloads. I realize this is slightly confusing.

> john
> --
> John Morrissey _o /\ ---- __o
> jwm@horde.net _-< \_ / \ ---- < \,
> www.horde.net/ __(_)/_(_)________/ \_______(_) /_(_)__
John Morrissey
2012-Feb-13 19:57 UTC
[Puppet Users] Re: Re: Puppet Dashboard 1.2.5 Available [security update - moderate]
On Mon, Feb 13, 2012 at 11:16:35AM -0800, Michael Stahnke wrote:
> On Mon, Feb 13, 2012 at 7:06 AM, John Morrissey <jwm@horde.net> wrote:
> > On Thu, Jan 26, 2012 at 03:42:12PM -0800, Michael Stahnke wrote:
> >> Welcome to the first Puppet Dashboard maintenance release of the new year.
> > [snip]
> >> This release is available for download at:
> >> http://downloads.puppetlabs.com/dashboard/
> >>
> >> We have created Debian and RPM packages as well as a tarball.
> >
> > Looks like there are only Debian packages for 1.2.5rc1, not 1.2.5
> > itself. Maybe the Debian packages were accidentally overlooked?
>
> The final packages end up on apt.puppetlabs.com and don't get put in
> /downloads. I realize this is slightly confusing.

Gotcha, thanks.

john
--
John Morrissey _o /\ ---- __o
jwm@horde.net _-< \_ / \ ---- < \,
www.horde.net/ __(_)/_(_)________/ \_______(_) /_(_)__