Moses Mendoza
2013-Feb-14 00:55 UTC
[Puppet Users] Puppet Enterprise hotfixes for CVE-2013-0277, CVE-2013-0263, CVE-2013-0269, and CVE-2013-0169.
Security vulnerabilities have been disclosed in Ruby on Rails, Rack, the JSON rubygem, and certain cryptographic protocols used in OpenSSL, assigned CVEs CVE-2013-0277, CVE-2013-0263, CVE-2013-0269 and CVE-2013-0169, respectively. These vulnerabilities affect Puppet Enterprise.

CVE-2013-0277 affects the 2.3 and 3.0 series of Rails. The vulnerability allows an attacker to cause deserialization of arbitrary YAML. CVE details on the vulnerability can be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0277

CVE-2013-0263 affects session cookie handling in Rack. The vulnerability exposes Rack to privilege escalation and arbitrary code execution. CVE details can be found at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0263

CVE-2013-0269 affects all versions of the JSON gem. This vulnerability exposes Ruby on Rails to SQL injection and denial of service attacks. CVE details on the vulnerability can be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0269

CVE-2013-0169 affects the TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in various cryptographic libraries and products, including OpenSSL, OpenJDK and PolarSSL. This vulnerability allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks. This CVE affects Puppet Enterprise Solaris and Windows agents only, as the agent packages for these platforms ship with a built-in version of OpenSSL that is vulnerable. CVE details on the vulnerability can be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169

Puppet Labs has generated security hotfixes patching these vulnerabilities for the latest releases in the 1.x series and 2.x series of Puppet Enterprise.
These can be downloaded from the Puppet Labs security pages for these events:

http://puppetlabs.com/security/cve/cve-2013-0277
http://puppetlabs.com/security/cve/cve-2013-0263
http://puppetlabs.com/security/cve/cve-2013-0269
http://puppetlabs.com/security/cve/cve-2013-0169

Note: in the case of the pe-puppet-dashboard package, the updated package contains security fixes for CVE-2013-0277, CVE-2013-0263, and CVE-2013-0269. For consistency the package appears in all three CVE folders, but only one installation of pe-puppet-dashboard is necessary.

These security fixes will also be included in forthcoming patch releases of Puppet Enterprise, versions 1.2.7 and 2.7.2.

If you have any questions or comments, please get in touch with Puppet Labs Support. We always want your feedback!

Regards,
Moses Mendoza
Puppet Labs