Moses Mendoza
2012-Jul-11 01:21 UTC
[Puppet Users] Announce: Puppet 2.6.17 Available [ Security Release ]
Puppet 2.6.17 is a security release in the 2.6.x branch. The security changes in 2.6.17 address CVEs 2012-3864, 2012-3865 and 2012-3867. All users of Puppet 2.6.x are encouraged to upgrade when possible to Puppet 2.6.17. More information available at puppetlabs.com/security or visit puppetlabs.com/security/cve/cve-2012-3864 puppetlabs.com/security/cve/cve-2012-3865, and puppetlabs.com/security/cve/cve-2012-3867. Release notes: projects.puppetlabs.com/projects/puppet/wiki/Release_Notes#2.6.17 This release available for download at: puppetlabs.com/downloads/puppet/puppet-2.6.17.tar.gz RPM packages are available at yum.puppetlabs.com/el or /fedora Puppet is also available via Rubygems at rubygems.org See the Verifying Puppet Download section at: projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet Please report feedback via the Puppet Labs Redmine site, using an affected puppet version of 2.6.17 projects.puppetlabs.com/projects/puppet # Summary # CVE-2012-3864 Arbitrary file read on the puppet master from authenticated clients (high) It is possible to construct an HTTP get request from an authenticated client with a valid certificate that will return the contents of an arbitrary file on the Puppet master that the master has read-access to. CVE-2012-3865 Arbitrary file delete/D.O.S on Puppet Master from authenticated clients (high) Given a Puppet master with the "Delete" directive allowed in auth.conf for an authenticated host, an attacker on that host can send a specially crafted Delete request that can cause an arbitrary file deletion on the Puppet master, potentially causing a denial of service attack. Note that this vulnerability does *not* exist in Puppet as configured by default. CVE-2012-3867 Insufficient input validation for agent hostnames (low) An attacker could trick the administrator into signing an attacker''s certificate rather than the intended one by constructing specially crafted certificate requests containing specific ANSI control sequences. It is possible to use the sequences to rewrite the order of text displayed to an administrator such that display of an invalid certificate and valid certificate are transposed. If the administrator signs the attacker''s certificate, the attacker can then man-in-the-middle the agent. 2.6.17 Changelog ============ 554eefc Reject directory traversal in store report processor 9607bd7 Use "inspect" when listing certificates 0144e68 Don''t allow the creation of SSL objects with invalid certnames dfedaa5 Validate CSR CN and provided certname before signing 8eb0cd8 Add specs for selector terminuses of file_{content,metadata} 828c16a Fix whitespace inside parentheses e7ef153 Always use the local file_bucket on master 29ae87d Fail more gracefully when finding module files if no file is specified c872619 Reject file requests containing .. c3c7462 Add Selector terminus for file_content/file_metadata -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at groups.google.com/group/puppet-users?hl=en.