Summary: | <app-admin/puppet-{2.6.12,2.7.6} puppetmaster impersonation flaw (CVE-2011-3872) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Matthew Marlowe (RETIRED) <mattm> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | ago, matsuu |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://puppetlabs.com/blog/important-security-announcement-altnames-vulnerability/ | ||
Whiteboard: | B3 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Matthew Marlowe (RETIRED)
![]() This time frame is likely too short for a prestabling, but let's try. matsuu, please prepare an ebuild for 2.6.12 based on the distfile below and attach it to this bug. Do NOT commit anything to CVS until the embargo is lifted. We'll do prestabling on this bug. This is public now as per $URL. matsuu, update now directly to CVS please. *** Bug 388449 has been marked as a duplicate of this bug. *** 2.6.12 and 2.7.6 in cvs. please mark stable puppet-2.6.12 Thanks. Arches please test and mark stable: =app-admin/puppet-2.6.12 target KEYWORDS : "amd64 hppa ppc sparc x86" amd64 ok ditto Ago Stable for HPPA. amd64 done. Thanks Agostino and Ian x86 stable sparc stable ppc done; closing as last arch Please not close security bug. Added glsa vote request. Thanks, everyone. GLSA Vote: yes. CVE-2011-3872 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3872): Puppet 2.6.x before 2.6.12 and 2.7.x before 2.7.6, and Puppet Enterprise (PE) Users 1.0, 1.1, and 1.2 before 1.2.4, when signing an agent certificate, adds the Puppet master's certdnsnames values to the X.509 Subject Alternative Name field of the certificate, which allows remote attackers to spoof a Puppet master via a man-in-the-middle (MITM) attack against an agent that uses an alternate DNS name for the master, aka "AltNames Vulnerability." On existing GLSA draft. This issue was resolved and addressed in GLSA 201203-03 at http://security.gentoo.org/glsa/glsa-201203-03.xml by GLSA coordinator Sean Amoss (ackle). |