Puppet users - Jul 2012 - Announce: Puppet 2.7.18 Available [ Security Release ]

Puppet 2.7.18 is a security release in the 2.7.x branch.

The security changes in 2.7.18 address CVEs 2012-3864, 2012-3865, 2012-3866
and 2012-3867.

All users of Puppet 2.7.x are encouraged to upgrade when possible to Puppet
2.7.18.

More information available at http://puppetlabs.com/security
or visit http://puppetlabs.com/security/cve/cve-2012-3864,
http://puppetlabs.com/security/cve/cve-2012-3865,
http://puppetlabs.com/security/cve/cve-2012-3866, and
http://puppetlabs.com/security/cve/cve-2012-3867.

Release notes:
https://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes#2.7.18

This release available for download at:
http://puppetlabs.com/downloads/puppet/puppet-2.7.18.tar.gz

RPM packages are available at https://yum.puppetlabs.com/el or /fedora

Debian packages are available at https://apt.puppetlabs.com

Windows packages are available at
http://downloads.puppetlabs.com/windows/puppet-2.7.18.msi

Mac packages are available at
http://downloads.puppetlabs.com/mac/puppet-2.7.18.dmg

Puppet is also available via Rubygems at http://rubygems.org

See the Verifying Puppet Download section at:
https://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet

Please report feedback via the Puppet Labs Redmine site, using an
affected puppet version of 2.7.18
https://projects.puppetlabs.com/projects/puppet/


# Summary #

CVE-2012-3864 Arbitrary file read on the puppet master from authenticated
clients (high)
    It is possible to construct an HTTP get request from an authenticated
    client with a valid certificate that will return the contents of an
arbitrary
    file on the Puppet master that the master has read-access to.

 CVE-2012-3865 Arbitrary file delete/D.O.S on Puppet Master from
authenticated clients (high)
 Given a Puppet master with the "Delete" directive allowed in
auth.conf
for an authenticated host, an attacker on that host can send a specially
 crafted Delete request that can cause an arbitrary file deletion on the
Puppet master, potentially causing a denial of service attack. Note that
 this vulnerability does *not* exist in Puppet as configured by default.

 CVE-2012-3866 last_run_report.yaml is world readable (medium)
 The most recent Puppet run report is stored on the Puppet master
 with world-readable permissions. The report file contains the context
 diffs of any changes to configuration on an agent, which may contain
 sensitive information that an attacker can then access. The last run
 report is overwritten with every Puppet run.
 Arbitrary file read on the Puppet master by an agent (medium)
    This vulnerability is dependent upon CVE-2012-3866 "last_run_report.yml
    is world readable" above. By creating a hard link of a Puppet-managed
    file to an arbitrary file that the Puppet master can read, an attacker
forces
    the contents to be written to the puppet run summary. The context diff
is
    stored in last_run_report.yaml, which can then be accessed by the
    attacker.

 CVE-2012-3867 Insufficient input validation for agent hostnames (low)
    An attacker could trick the administrator into signing an
attacker''s
    certificate rather than the intended one by constructing specially
    crafted certificate requests containing specific ANSI control sequences.
    It is possible to use the sequences to rewrite the order of text
displayed
    to an administrator such that display of an invalid certificate and
valid
    certificate are transposed. If the administrator signs the
attacker''s
    certificate, the attacker can then man-in-the-middle the agent.

 Agents with certnames of IP addresses can be impersonated (low)
    If an authenticated host with a certname of an IP address changes IP
    addresses, and a second host assumes the first host''s former IP
    address, the second host will be treated by the puppet master as the
    first one, giving the second host access to the first host''s
catalog.
    Note: This will not be fixed in Puppet versions prior to the forthcoming
    3.x. Instead, with this Puppet 2.7.18, IP-based authentication in
    Puppet < 3.x is deprecated, and a warning will be issued when used.

 2.7.18 Changelog
 ============    d804782 Reject directory traversal in store report processor
    fd44bf5 Tighten permissions on classfile, resourcefile, lastrunfile,
and lastrunreport.
    4d7c9fd Use "inspect" when listing certificates
    bd2820e Don''t allow the creation of SSL objects with invalid
certnames
    f341962 Validate CSR CN and provided certname before signing
    38c5a4e Add specs for selector terminuses of file_{content,metadata}
    9e920a8 Fix whitespace inside parentheses
    2d01c2b Use head method to determine if file is in file bucket
    40ee670 Always use the local file_bucket on master
    d881b4b Fail more gracefully when finding module files if no file is
specified
    20ab0e9 Reject file requests containing ..
    10f6cb8 Add Selector terminus for file_content/file_metadata
    ab9150b Deprecate IP-based authentication

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Developers" group.
To post to this group, send email to puppet-dev@googlegroups.com.
To unsubscribe from this group, send email to
puppet-dev+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-dev?hl=en.