Michael Stahnke
2011-Sep-30 22:51 UTC
[Puppet Users] Announce: Puppet 2.7.5 available [security updates]
Puppet 2.7.5 is a security update release in the 2.7.x branch. The only changes since 2.7.4 are security fixes for the following vulnerabilities: * CVE-2011-3870, a symlink attack via a user''s SSH authorized_keys file * CVE-2011-3869, a symlink attack via a user''s .k5login file * CVE-2011-3871, a privilege escalation attack via the temp file used by puppet resource * A low-risk file indirector injection attack WE RECOMMEND UPDATING TO THIS VERSION IMMEDIATELY, as an issue with our ticketing system resulted in information about these issues leaking to a public list prior to their official disclosure. For more details on these vulnerabilities, follow the links on our security updates page at: http://puppetlabs.com/security Puppet 2.7.5 is available as of now. Changelog entries are available below. More detailed information is available on our Release Notes page. Release Notes have been updated:https://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes#2.7.5 This release is available for download at:http://puppetlabs.com/downloads/puppet/puppet-2.7.5.tar.gz RPM''s are available at http://yum.puppetlabs.com/el Puppet is also available via Rubygems at http://rubygems.org See the Verifying Puppet Download section at:http://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet Please report feedback via the Puppet Labs Redmine site, using an affected puppet version of 2.7.5:http://projects.puppetlabs.com/projects/puppet/ Commits: 4079ab2 Updating version numbers for 2.7.5 de51f3d (#9832) 2.7.4 StoreConfigs regression with PostgreSQL. 1aa9be5 (#9793) "secure" indirector file backed terminus base class. d76c309 (#9792) Predictable temporary filename in ralsh. b29b178 Drop privileges before creating and chmodding SSH keys. 7d4c169 (#9794) k5login can overwrite arbitrary files as root -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.