From $URL :
/var/log/puppet is world readable and may contain sensitive information. Also the files contained within are world readable.

Version-Release number of selected component (if applicable):
puppet-2.6.14-1.el6.noarch
puppet-2.6.17-2.el6.noarch
I don't think we are hit by this (my puppet is 2.7.18 and /var/log/puppet is not world readable). The oldest puppet we have in tree is 2.7.18.
(In reply to comment #1)
> I don't think we are hit by this (my puppet is 2.7.18 and /var/log/puppet is
> not world readable). The oldest puppet we have in tree is 2.7.18.

The logdir becomes not world-readable only after you start puppetmaster. If you start only puppet it remains world readable.

amd64box ~ # /etc/init.d/puppet start
 * Caching service dependencies ...                                       [ ok ]
 * Starting puppet ...
amd64box ~ # ls -la /var/log/puppet/
total 8
drwxr-xr-x  2 puppet puppet 4096  8 feb 16.49 .
drwxr-xr-x 16 root   root   4096  8 feb 16.49 ..
-rw-r--r--  1 puppet puppet    0  8 feb 16.49 .keep_app-admin_puppet-0
amd64box ~ # /etc/init.d/puppetmaster start
 * Starting puppetmaster ...
amd64box ~ # ls -la /var/log/puppet/
total 16
drwxr-x---  2 puppet puppet 4096  8 feb 16.50 .
drwxr-xr-x 16 root   root   4096  8 feb 16.49 ..
-rw-r--r--  1 puppet puppet    0  8 feb 16.49 .keep_app-admin_puppet-0
-rw-rw----  1 puppet puppet 5377  8 feb 16.50 masterhttp.log
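The two listings above are the "before" and "after" states of the same directory. A check that reproduces the distinction, as an added example that is not part of this bug, the Gentoo ebuild, or Puppet itself: it reports every path under a log directory that an unprivileged local user can actually read, pruning at directories that lack other-execute, because files beneath such a directory are unreachable regardless of their own mode. That is why a 0750 logdir is a sufficient fix even though the 0644 .keep file inside it is untouched. The fixtures are constructed in a temporary directory from the modes shown in the listings; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the bug report, the Gentoo ebuild, or Puppet):
# find paths under a log directory that are readable by "other" users.
#
# A path leaks only if its own mode has the other-read bit (octal 004)
# AND every directory above it within the tree has other-execute (001),
# so directories without o+x are pruned and their contents never examined.

# Print every reachable world-readable path under $1, one per line.
world_readable_paths() {
    find "$1" -type d ! -perm -001 -prune -perm -004 -print \
        -o -perm -004 -print
}

# Return 0 if nothing under $1 is reachable and world-readable, 1 otherwise.
check_logdir() {
    n=$(world_readable_paths "$1" | wc -l)
    if [ "$n" -eq 0 ]; then
        echo "OK: nothing under $1 is world-readable"
        return 0
    fi
    echo "LEAK: $n world-readable path(s) under $1:"
    world_readable_paths "$1" | while read -r p; do ls -ld "$p"; done
    return 1
}

# Constructed fixture reproducing the two states from the listings above.
# $1 = parent directory, $2 = "before" (only the agent started, logdir 0755)
# or "after" (puppetmaster started, logdir 0750 with masterhttp.log 0660).
make_fixture() {
    d="$1/puppet-$2"
    mkdir -p "$d"
    : > "$d/.keep_app-admin_puppet-0"
    chmod 644 "$d/.keep_app-admin_puppet-0"    # -rw-r--r-- in both states
    if [ "$2" = before ]; then
        chmod 755 "$d"                          # drwxr-xr-x
    else
        : > "$d/masterhttp.log"
        chmod 660 "$d/masterhttp.log"           # -rw-rw----
        chmod 750 "$d"                          # drwxr-x---
    fi
    echo "$d"
}

# Number of leaked paths for a given fixture state ("before" or "after").
leak_count() {
    tmp=$(mktemp -d)
    d=$(make_fixture "$tmp" "$1")
    world_readable_paths "$d" | wc -l | tr -d ' '
    rm -rf "$tmp"
}

# Demo: the "before" state leaks the directory itself plus the .keep file;
# the "after" state leaks nothing because the 0750 directory is pruned.
for state in before after; do
    tmp=$(mktemp -d)
    d=$(make_fixture "$tmp" "$state")
    echo "== $state =="
    check_logdir "$d" || true
    rm -rf "$tmp"
done
```

Run it against the real directory with `check_logdir /var/log/puppet` as root; a non-zero return means a local user can read at least one path there, which is exactly the condition the r1 ebuilds fix by tightening the logdir mode rather than each log file.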
Fix is in tree (all the r1 packages). I think we should probably stablereq at least 2.7.18-r1.
It may be easier to make 2.7.19-r1 the one we mark stable; this would also add ruby19 support, which ago wants.

Only ebuild with the CVE is puppet-2.7.18 right now.
Does the sec team cc people to mark stuff stable or what (so we can finally solve this bug)?
(In reply to comment #5)
> does the sec team cc people to mark stuff stable or what (so we can finally
> solve this bug)?

We can, you can, anyone can :)

(In reply to comment #4)
> it may be easier to make 2.7.19-r1 as the one we mark stable, this would
> also get add ruby19 support, which ago wants.
>
> only ebuild with the CVE is puppet-2.7.18 right now.

Excellent. Arches, please test and mark stable =app-admin/puppet-2.7.19-r1
ppc stable
amd64 stable
x86 stable
hppa stable
sparc stable
Unsubscribing. Re-add if needed.
I'm just going to add this on to the GLSA draft with bug 461656.
CVE-2012-6120 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6120): Red Hat OpenStack Essex and Folsom creates the /var/log/puppet directory with world-readable permissions, which allows local users to obtain sensitive information such as Puppet log files.
This issue was resolved and addressed in GLSA 201308-04 at http://security.gentoo.org/glsa/glsa-201308-04.xml by GLSA coordinator Sergey Popov (pinkbyte).