Summary: | <app-admin/puppet-2.7.22 : Remote code execution on master from unauthenticated clients (CVE-2013-3567) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Matthew Thode ( prometheanfire ) <prometheanfire> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | ||
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B1 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Matthew Thode ( prometheanfire )
2013-06-18 17:32:28 UTC
amd64 hppa ppc sparc x86 all arches, please stabilize puppet 2.7.21-r1 and 2.7.22. Arch teams, please test and mark stable: =app-admin/puppet-2.7.21-r1 app-admin/puppet-2.7.22 Stable KEYWORDS : amd64 hppa ppc sparc x86 Also, who dropped SPARC from 3.*? I don't see a keyword request bug. there's a dependency that needs to be worked out for sparc, bug 449184. I should update that stating I have 3.2.2 in tree now as well. (In reply to Jeroen Roovers from comment #2) > Arch teams, please test and mark stable: > =app-admin/puppet-2.7.21-r1 > app-admin/puppet-2.7.22 > Stable KEYWORDS : amd64 hppa ppc sparc x86 > Only 2.7.22 is fine. amd64 stable ppc stable Stable for HPPA. x86 stable how's sparc doing? sparc stable well, now that we are all stable we have another CVE :D I think we should close in favor of bug 481186 Thanks for you work Added to existing GLSA draft This issue was resolved and addressed in GLSA 201308-04 at http://security.gentoo.org/glsa/glsa-201308-04.xml by GLSA coordinator Sergey Popov (pinkbyte). CVE-2013-3567 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3567): Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call. |