Moses Mendoza
2013-Jan-16 00:34 UTC
[Puppet Users] Puppet Enterprise hotfixes for ActiveRecord vulnerability [ CVE-2013-0155 ]
Good day,

A security vulnerability has been disclosed in Ruby on Rails, specifically in all versions of ActiveRecord, assigned CVE-2013-0155. An earlier Rails advisory of this vulnerability mistakenly stated that the version of ActiveRecord used in Puppet Enterprise was not affected. The vulnerability exposes ActiveRecord to unsafe SQL query generation.

CVE details on the vulnerability can be found here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0155

Additional detailed information can be found in the following post:
https://groups.google.com/group/rubyonrails-security/browse_thread/thread/73b8d3f8478df5e2

Puppet Labs has generated security hotfixes patching the vulnerability for the latest in the 1.x series and 2.x series of Puppet Enterprise. These can be downloaded from the Puppet Labs security page:
http://puppetlabs.com/security/cve/cve-2013-0155/

These security fixes will also be included in the forthcoming patch releases of Puppet Enterprise, versions 1.2.6 (security only) and 2.7.1 (security and bug fix).

If you have any questions or comments, please get in touch with Puppet Labs Support. We always want your feedback!

Regards,
Moses Mendoza
Puppet Labs