Melissa Stone
2014-Jul-15 15:54 UTC
[Puppet Users] Announce: MCollective 2.5.3 [Security and Bug Fix Release]
MCollective 2.5.3 is a security and bug fix release in the MCollective 2.5 series. This release addresses CVE-2014-3251.

**CVE-2014-3251**

The MCollective `aes_security` public key plugin does not correctly validate certs against the CA. By exploiting this vulnerability within a race/initialization window, an attacker with local access could initiate an unauthorized MCollective client connection with a server, and thus control the mcollective plugins running on that server. This vulnerability requires a collective be configured to use the aes_security plugin. Puppet Enterprise and open source MCollective are not configured to use the plugin and are not vulnerable by default.

CVSSv2 Score: 3.4
Vector: AV:L/AC:H/Au:M/C:P/I:N/A:C/E:POC/RL:OF/RC:C

Affected software versions:
MCollective (all, not configured by default)
Puppet Enterprise (all, not configured by default)

Fixed software versions:
MCollective 2.5.3
Puppet Enterprise 3.3.0

For more information on this vulnerability, please visit https://puppetlabs.com/security/cve/cve-2014-3251

Please read through the Release Notes for the full list of changes: http://docs.puppetlabs.com/mcollective/releasenotes.html

To report issues with the release, file a ticket in the "MCO" project on http://tickets.puppetlabs.com/ and set the "Affects version/s" field to "2.5.3"

--
Melissa Stone
Release Engineer, Puppet Labs
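The exposure condition in the announcement (the `aes_security` plugin is configured and MCollective is older than 2.5.3) can be checked per host. The script below is an added example, not code from Puppet Labs or from the original message. The function names are hypothetical, and it assumes the plugin is selected by a `securityprovider` line in the MCollective config file, that the last assignment wins, and that the caller supplies the config path and the installed open source MCollective version.

```shell
#!/bin/sh
# Added example: exposure check for CVE-2014-3251 (not Puppet Labs code).
FIXED_VERSION="2.5.3"   # fixed MCollective release named in the announcement

# Print the effective securityprovider from an MCollective config file.
# Assumption: "key = value" lines, "#" comments, last assignment wins.
effective_provider() {
    awk -F= '
        /^[ \t]*#/ { next }
        {
            key = $1; gsub(/[ \t]/, "", key)
            if (key == "securityprovider") {
                val = $2; gsub(/[ \t]/, "", val); found = tolower(val)
            }
        }
        END { print found }' "$1"
}

# Return 0 when dotted version $1 is lower than $2 (numeric per component).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1 }'
}

# assess <config-file> <installed-version> -> one status word on stdout
assess() {
    if [ "$(effective_provider "$1")" != "aes_security" ]; then
        echo "plugin-not-configured"
    elif version_lt "$2" "$FIXED_VERSION"; then
        echo "exposed"
    else
        echo "fixed"
    fi
}

# Constructed sample config (not taken from a real host).
sample=$(mktemp)
printf '%s\n' '# securityprovider = psk' 'securityprovider = aes_security' > "$sample"
echo "2.5.2: $(assess "$sample" 2.5.2)"; echo "2.5.3: $(assess "$sample" 2.5.3)"
rm -f "$sample"
```

The version comparison covers open source MCollective only; for Puppet Enterprise the announcement gives 3.3.0 as the fixed release, which is a separate version line.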