Hello list,

I am using puppet 2.7.20 from rpmforge, with a build date of Wed 20 Mar 2013. EPEL has an even older version.

Then I see this: http://puppetlabs.com/security/cve/cve-2013-3567 that was posted in the month of July 2013.

Do I understand correctly that my puppet-master is vulnerable to remote code execution by every node that has access to master's port tcp/8140?

If so, then the only option to use puppet while being safe is to use puppetlabs repo, or build puppet myself?

Thank you
Ignas

On 31 October 2013 07:30, ignasr at vault13.lt <ignasr at vault13.lt> wrote:

> I am using puppet 2.7.20 from rpmforge, with a build date of Wed 20 Mar
> 2013. EPEL has an even older version.

A very old and occasionally suspect repo (rpmforge) in terms of lack of updates (see the clamav issues a little while back). EPEL is better but stays a lot older.

> Then I see this: http://puppetlabs.com/security/cve/cve-2013-3567 that
> was posted in the month of July 2013.
>
> Do I understand correctly that my puppet-master is vulnerable to remote
> code execution by every node that has access to master's port tcp/8140?

Yes, that is almost certainly the case - best to check the --changelog of the RPM you are using though.

> If so, then the only option to use puppet while being safe is to use
> puppetlabs repo, or build puppet myself?

Using the official puppetlabs repo is the best/right answer and will allow you to be on the most recent puppet version - there are significant reasons why this is desirable.