| Summary: | app-admin/puppet "certdnsnames" Puppet Master Impersonation Vulnerability (CVE-2011-3872) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED DUPLICATE | ||
| Severity: | minor | CC: | matsuu |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://secunia.com/advisories/46550/ | ||
| Whiteboard: | B3 [ebuild] | ||
| Package list: | Runtime testing required: | --- | |
*** This bug has been marked as a duplicate of bug 388161 *** |
From secunia security advisory at $URL: Description: The vulnerability is caused due to the application inserting the puppet master's DNS alt names ("certdnsnames") into the X.509 Subject Alternative Name field of the certificate issued to the puppet agent. This can be exploited to impersonate the puppet master via Man-in-the-Middle (MitM) attacks. Solution: Update to: 2.6.12 and 2.7.6