Matthaus Owens
2013-Jan-09 01:17 UTC
[Puppet Users] Puppet Enterprise hotfixes for ActionPack vulnerability [ CVE-2013-0156 ]
Good day,

A security vulnerability has been discovered in Ruby on Rails, specifically in all versions of ActionPack. It is assigned CVE-2013-0156. The vulnerability exposes Puppet Dashboard to arbitrary SQL Injection.

CVE details on the vulnerability can be found here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0156

Additional detailed information can be found in the following post:
https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ

Puppet Labs has generated security hotfixes patching the vulnerability for the latest in the 1.x series and 2.x series of Puppet Enterprise. These can be downloaded from the Puppet Labs security page:
http://puppetlabs.com/security/cve/cve-2013-0156/

These security fixes will also be included in the forthcoming patch releases of Puppet Enterprise, versions 1.2.6 (security only) and 2.7.1 (security and bug fix).

If you have any questions or comments, please get in touch with Puppet Labs Support. We always want your feedback!

--
Matthaus Owens
Release Manager, Puppet Labs