Puppet users - Jul 2012 - Announce: Puppet 2.6.17 Available [ Security Release ]

Puppet 2.6.17 is a security release in the 2.6.x branch.

The security changes in 2.6.17 address CVEs 2012-3864, 2012-3865 and
2012-3867.

All users of Puppet 2.6.x are encouraged to upgrade when possible to Puppet
2.6.17.

More information available at http://puppetlabs.com/security
or visit http://puppetlabs.com/security/cve/cve-2012-3864
http://puppetlabs.com/security/cve/cve-2012-3865, and
http://puppetlabs.com/security/cve/cve-2012-3867.

Release notes:
https://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes#2.6.17

This release available for download at:
http://puppetlabs.com/downloads/puppet/puppet-2.6.17.tar.gz

RPM packages are available at https://yum.puppetlabs.com/el or /fedora

Puppet is also available via Rubygems at http://rubygems.org

See the Verifying Puppet Download section at:
https://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet

Please report feedback via the Puppet Labs Redmine site, using an
affected puppet version of 2.6.17
https://projects.puppetlabs.com/projects/puppet/


# Summary #

 CVE-2012-3864 Arbitrary file read on the puppet master from authenticated
clients (high)
    It is possible to construct an HTTP get request from an authenticated
    client with a valid certificate that will return the contents of an
arbitrary
    file on the Puppet master that the master has read-access to.

 CVE-2012-3865 Arbitrary file delete/D.O.S on Puppet Master from
authenticated clients (high)
 Given a Puppet master with the "Delete" directive allowed in
auth.conf
 for an authenticated host, an attacker on that host can send a specially
crafted Delete request that can cause an arbitrary file deletion on the
 Puppet master, potentially causing a denial of service attack. Note that
 this vulnerability does *not* exist in Puppet as configured by default.
  CVE-2012-3867 Insufficient input validation for agent hostnames (low)
    An attacker could trick the administrator into signing an
attacker''s
    certificate rather than the intended one by constructing specially
    crafted certificate requests containing specific ANSI control sequences.
    It is possible to use the sequences to rewrite the order of text
displayed
    to an administrator such that display of an invalid certificate and
valid
    certificate are transposed. If the administrator signs the
attacker''s
    certificate, the attacker can then man-in-the-middle the agent.

2.6.17 Changelog
 ============    554eefc Reject directory traversal in store report processor
    9607bd7 Use "inspect" when listing certificates
    0144e68 Don''t allow the creation of SSL objects with invalid
certnames
    dfedaa5 Validate CSR CN and provided certname before signing
    8eb0cd8 Add specs for selector terminuses of file_{content,metadata}
    828c16a Fix whitespace inside parentheses
    e7ef153 Always use the local file_bucket on master
    29ae87d Fail more gracefully when finding module files if no file is
specified
    c872619 Reject file requests containing ..
    c3c7462 Add Selector terminus for file_content/file_metadata

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.