Summary: | <app-admin/puppet-2.7.21: multiple vulnerabilities (CVE-2013-{1640,1652,1653,1654,1655,2274,2275})
---|---
Product: | Gentoo Security
Reporter: | Agostino Sarubbo <ago>
Component: | Vulnerabilities
Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED
Severity: | major
CC: | ruby, sysadmin
Priority: | Normal
Version: | unspecified
Hardware: | All
OS: | Linux
URL: | https://secunia.com/advisories/52596/
Whiteboard: | B1 [glsa]
Package list: |
Runtime testing required: | ---

Description
Agostino Sarubbo
2013-03-13 17:11:26 UTC
removed unstable from tree, added 2.7.21 and 3.1.1 (have fixes). CCing arch teams for rapid stabilization of 2.7.21 so we can remove the bad stable from tree.

Arch teams, please test and mark stable:
=app-admin/puppet-2.7.21
Stable KEYWORDS : amd64 hppa ppc sparc x86

Stable for HPPA.

amd64 stable

x86 stable

ppc stable

sparc stable

removed =app-admin/puppet-2.7.18 and =app-admin/puppet-2.7.19-r1 (old and janky) since =app-admin/puppet-2.7.21 is stable (new hotness)

removing myself from CC's

Thanks, everyone. New GLSA request filed.

CVE-2013-2275 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2275): The default configuration for puppet masters 0.25.0 and later in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, allows remote authenticated nodes to submit reports for other nodes via unspecified vectors.

CVE-2013-2274 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2274): Puppet 2.6.x before 2.6.18 and Puppet Enterprise 1.2.x before 1.2.7 allows remote authenticated users to execute arbitrary code on the puppet master, or an agent with puppet kick enabled, via a crafted request for a report.

CVE-2013-1655 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1655): Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, when running Ruby 1.9.3 or later, allows remote attackers to execute arbitrary code via vectors related to "serialized attributes."

CVE-2013-1654 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1654): Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, and Puppet Enterprise 2.7.x before 2.7.2, does not properly negotiate the SSL protocol between client and master, which allows remote attackers to conduct SSLv2 downgrade attacks against SSLv3 sessions via unspecified vectors.

CVE-2013-1653 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1653): Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, when listening for incoming connections is enabled and allowing access to the "run" REST endpoint is allowed, allows remote authenticated users to execute arbitrary code via a crafted HTTP request.

CVE-2013-1652 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1652): Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allows remote authenticated users with a valid certificate and private key to read arbitrary catalogs or poison the master's cache via unspecified vectors.

CVE-2013-1640 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1640): The (1) template and (2) inline_template functions in the master server in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allows remote authenticated users to execute arbitrary code via a crafted catalog request.

This issue was resolved and addressed in GLSA 201308-04 at http://security.gentoo.org/glsa/glsa-201308-04.xml by GLSA coordinator Sergey Popov (pinkbyte).