stable

puppet-2.6.6-3.el6

FEDORA-EPEL-2011-4568 created by tmz 13 years ago for Fedora EPEL 6

The following vulnerabilities have been discovered and fixed:

  • CVE-2011-3870, a symlink attack via a user's SSH authorized_keys file
  • CVE-2011-3869, a symlink attack via a user's .k5login file
  • CVE-2011-3871, a privilege escalation attack via the temp file used by the puppet resource application
  • A low-risk file indirector injection attack

Further details can be found in the upstream announcement:

http://groups.google.com/group/puppet-announce/browse_thread/thread/91e3b46d2328a1cb A vulnerability was discovered in puppet that would allow an attacker to install a valid X509 Certificate Signing Request at any location on disk, with the privileges of the Puppet Master application. For Fedora and EPEL, this is the puppet user.

Further details can be found in the upstream announcement:

http://groups.google.com/group/puppet-users/browse_thread/thread/e57ce2740feb9406

Unless you enable puppet's listen mode on clients, only the puppet master is vulnerable to this issue. A vulnerability was discovered in puppet that would allow an attacker to install a valid X509 Certificate Signing Request at any location on disk, with the privileges of the Puppet Master application. For Fedora and EPEL, this is the puppet user.

Further details can be found in the upstream announcement:

http://groups.google.com/group/puppet-users/browse_thread/thread/e57ce2740feb9406

Unless you enable puppet's listen mode on clients, only the puppet master is vulnerable to this issue. A vulnerability was discovered in puppet that would allow an attacker to install a valid X509 Certificate Signing Request at any location on disk, with the privileges of the Puppet Master application. For Fedora and EPEL, this is the puppet user.

Further details can be found in the upstream announcement:

http://groups.google.com/group/puppet-users/browse_thread/thread/e57ce2740feb9406

Unless you enable puppet's listen mode on clients, only the puppet master is vulnerable to this issue. A vulnerability was discovered in puppet that would allow an attacker to install a valid X509 Certificate Signing Request at any location on disk, with the privileges of the Puppet Master application. For Fedora and EPEL, this is the puppet user.

Further details can be found in the upstream announcement:

http://groups.google.com/group/puppet-users/browse_thread/thread/e57ce2740feb9406

Unless you enable puppet's listen mode on clients, only the puppet master is vulnerable to this issue. A vulnerability was discovered in puppet that would allow an attacker to install a valid X509 Certificate Signing Request at any location on disk, with the privileges of the Puppet Master application. For Fedora and EPEL, this is the puppet user.

Further details can be found in the upstream announcement:

http://groups.google.com/group/puppet-users/browse_thread/thread/e57ce2740feb9406

Unless you enable puppet's listen mode on clients, only the puppet master is vulnerable to this issue.

This update has been submitted for testing by tmz.

13 years ago

This update has been pushed to testing

13 years ago
User Icon elwell commented & provided feedback 13 years ago
karma

Working OK on our testbed (EPEL6 machines)

User Icon stahnma commented & provided feedback 13 years ago
karma

Works for me.

Working well for me.

karma: +1

This update has reached 14 days in testing and can be pushed to stable now if the maintainer wishes

13 years ago

This update has been submitted for stable by tmz.

13 years ago

This update has been pushed to stable

13 years ago

Please login to add feedback.

Metadata
Type
security
Karma
2
Signed
Content Type
RPM
Test Gating
Autopush Settings
Unstable by Karma
-3
Stable by Karma
disabled
Stable by Time
disabled
Dates
submitted
13 years ago
in testing
13 years ago
in stable
13 years ago

Automated Test Results