Summary: | <app-admin/puppet-2.7.18: Agent Impersonation (CVE-2012-3408) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | taaroa <taaroa> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | minor | CC: | matsuu |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://puppetlabs.com/security/cve/cve-2012-3408/ | | |
Whiteboard: | B4 [noglsa] | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 425112 | | |
Bug Blocks: | | | |

Description
taaroa
2012-07-12 09:03:02 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3408
Status: CLOSED WONTFIX
Aliases: CVE-2012-3408

https://bugzilla.redhat.com/show_bug.cgi?id=839166#c5
This was only addressed in 2.7. It was not really fixed; the change rather introduces a deprecation warning:
https://github.com/puppetlabs/puppet/commit/ab9150b

No real fix is planned for this issue in puppet 2.x versions. Hence no update is planned for Red Hat products that include puppet 2.x versions to address this problem.

Thanks for the report, taaroa. We will just mark this bug depending on bug 425112 and finish the process there.

Sorry for delay. 2.7.18 in cvs. Please mark stable 2.7.18.

CVE-2012-3408 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3408): lib/puppet/network/authstore.rb in Puppet before 2.7.18, and Puppet Enterprise before 2.5.2, supports use of IP addresses in certnames without warning of potential risks, which might allow remote attackers to spoof an agent by acquiring a previously used IP address.

Thanks, folks. GLSA Vote: no.

GLSA vote: no. Closing noglsa.