Matthaus Litteken
2012-Apr-11 01:08 UTC
Announce: Puppet 2.6.15 Available [security release]
Puppet 2.6.15 is a security release in the 2.6.x branch. The security changes in 2.6.15 address CVEs 2012-1906, 2012-1986, 2012-1987, and 2012-1988. All users of Puppet 2.6.x are encouraged to upgrade when possible to Puppet 2.6.15. More information available at: http://puppetlabs.com/security or visit http://puppetlabs.com/security/cve/cve-2012-1906, http://puppetlabs.com/security/cve/cve-2012-1986, http://puppetlabs.com/security/cve/cve-2012-1987, and http://puppetlabs.com/security/cve/cve-2012-1988 Detailed feature release notes are available: https://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes#2.6.15 This release is available for download at: http://puppetlabs.com/downloads/puppet/puppet-2.6.15.tar.gz RPM''s are available at http://yum.puppetlabs.com/el or /fedora Puppet is also available via Rubygems at http://rubygems.org See the Verifying Puppet Download section at: http://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet Please report feedback via the Puppet Labs Redmine site, using an affected puppet version of 2.6.15 http://projects.puppetlabs.com/projects/puppet/ # Summary # CVE-2012-1906 (High) [#13260] - appdmg and pkgdmg providers write packages to insecure location If a remote source is given for a package, the package is downloaded to a predictable filename in /tmp. It is possible to create a symlink at this name and use it to clobber any file on the system, or by switching the symlink install arbitrary packages (and package installers can execute arbitrary code). CVE-2012-1986 (High) [#13511] - Filebucket arbitrary file read It is possible to construct a REST request to fetch a file from a filebucket that overrides the puppet master’s defined location for the files to be stored. If a user has access to construct directories and symlinks on the machine they can read any file that the user the puppet master is running as has access to. CVE-2012-1987 (Moderate) [#13552,#13553] - Filebucket denial of service By constructing a marshaled form of a Puppet::FileBucket::File object a user can cause it it to be written to any place on the disk of the puppet master. This could be used for a denial of service attach against the puppet master if an attacker fills a filesystem that can cause systems to stop working. In order to do this the attacker needs no access to the puppet master system, but does need access to agent SSL keys. Using the symlink attack described in Bug #13511 the puppet master can be caused to read from a stream (e.g. /dev/random) when either trying to save a file or read a file. Because of the way in which the puppet master deals with sending files on the filesystem to a remote system via a REST request the thread handling the request will block forever reading from that stream and continually consuming more memory. This can lead to the puppet master system running out of memory and cause a denial of service. CVE-2012-1988 (High) [#13518] - Filebucket arbitrary code execution This requires access to the cert on the agent and an unprivileged account on the master. By creating a path on the master in a world-writable location that matches a command string, one can then make a file bucket request to execute that command. 2.6.15 Changelog ============ * f7829ec Stub mktmpdir and remove_entry_secure in os x package providers * 7ac1ec8 (#13260) Spec test to verify that mktmpdir is used * 0180200 Refactor pkgdmg specs * c51447d (#13260) Use mktmpdir when downloading packages * 568ded5 Fix for bucket_path security vulnerability * 6bef2e6 Removed text/marshal support -- You received this message because you are subscribed to the Google Groups "Puppet Developers" group. To post to this group, send email to puppet-dev@googlegroups.com. To unsubscribe from this group, send email to puppet-dev+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-dev?hl=en.