| Summary: | <app-admin/puppet-2.6.10: directory traversal (CVE-2011-3848) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Matthew Marlowe (RETIRED) <mattm> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | matsuu |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 385149 | | |
| Bug Blocks: | | | |

Description
Matthew Marlowe (RETIRED)
2011-09-29 00:02:45 UTC
2.6.10 and 2.7.4 in cvs.
please mark stable =app-admin/puppet-2.6.10.

(In reply to comment #1)
> 2.6.10 and 2.7.4 in cvs.
> please mark stable =app-admin/puppet-2.6.10.

Great, thank you.

Arches, please test and mark stable:
=app-admin/puppet-2.6.10
Target keywords : "amd64 hppa ppc sparc x86"

amd64: pass

amd64 stable

@remaining arches, Please continue in bug 385149.

=app-admin/puppet-2.6.11 stabilization completed in bug 385149. GLSA Vote: yes.

CVE-2011-3848 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3848): Directory traversal vulnerability in Puppet 2.6.x before 2.6.10 and 2.7.x before 2.7.4 allows remote attackers to write X.509 Certificate Signing Request (CSR) to arbitrary locations via (1) a double-encoded key parameter in the URI in 2.7.x, (2) the CN in the Subject of a CSR in 2.6 and 0.25.

On existing GLSA draft.

This issue was resolved and addressed in GLSA 201203-03 at http://security.gentoo.org/glsa/glsa-201203-03.xml by GLSA coordinator Sean Amoss (ackle).
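A defensive check for the flaw class named in the CVE entry above, as an added example that is not Puppet's code and not part of this bug report: a certificate name taken from a URI key or a CSR's CN is percent-decoded until it stops changing, then validated before it is used as a CSR file name. The method names, the allowed-name pattern and the `/var/lib/example-ca/requests` directory are assumptions made for illustration.

```ruby
require 'uri'

# Hypothetical CSR storage directory (assumption, not Puppet's real path).
CSR_DIR = '/var/lib/example-ca/requests'

# Assumed policy: lowercase hostname-style names only, no separators.
SAFE_NAME = /\A[a-z0-9](?:[a-z0-9._-]*[a-z0-9])?\z/

class UnsafeCertName < ArgumentError; end

# Percent-decode until the value is stable, so a double-encoded separator
# (%252F -> %2F -> /) cannot survive a single decoding pass.
def fully_decode(value, max_rounds = 5)
  current = value.to_s
  max_rounds.times do
    decoded = URI.decode_www_form_component(current) # raises ArgumentError on bad %-escapes
    return decoded if decoded == current
    current = decoded
  end
  raise UnsafeCertName, 'too many encoding layers'
end

# Return the file path for a CSR, or raise if the name is not a plain host name.
def safe_csr_path(raw_name)
  name = fully_decode(raw_name)
  unless name.valid_encoding? && name.match?(SAFE_NAME) && !name.include?('..')
    raise UnsafeCertName, "rejected certificate name #{raw_name.inspect}"
  end
  path = File.expand_path("#{name}.pem", CSR_DIR)
  # Defense in depth: the resolved file must sit directly inside CSR_DIR.
  raise UnsafeCertName, 'path escapes CSR directory' unless File.dirname(path) == CSR_DIR
  path
end

# Boolean wrapper: malformed escapes and unsafe names are both rejections.
def csr_name_allowed?(raw_name)
  safe_csr_path(raw_name)
  true
rescue ArgumentError
  false
end
```

The same validation has to run on both inputs the CVE text lists (the URI key and the CSR subject CN), since each one ends up as a file name on the CA.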