Summary: | <app-admin/puppet-[2.7.23,3.2.4]: Remote Code Execution (CVE-2013-{4761,4956}) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Matthew Thode ( prometheanfire ) <prometheanfire> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | major | | |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | B1 [glsa] | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 481214 | | |
Bug Blocks: | | | |
Description
Matthew Thode ( prometheanfire )
2013-08-15 15:15:13 UTC
Stabilisation targets?

Sorry, yes. Please stabilize 2.7.23 for amd64, hppa, ppc, sparc and x86.

Arch teams, please test and mark stable: =app-admin/puppet-2.7.23

Targeted stable KEYWORDS: amd64 hppa ppc sparc x86

amd64 stable

x86 stable

Stable for HPPA.

ppc stable

sparc stable, last arch, closing

Nope, bug doesn't get closed yet. Added to existing Puppet GLSA request.

Reclassified as B1 after discussion with ago.

This issue was resolved and addressed in GLSA 201308-04 at http://security.gentoo.org/glsa/glsa-201308-04.xml by GLSA coordinator Sergey Popov (pinkbyte).

CVE-2013-4956 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4956): Puppet Module Tool (PMT), as used in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, installs modules with weak permissions if those permissions were used when the modules were originally built, which might allow local users to read or modify those modules depending on the original permissions.

CVE-2013-4761 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4761): Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, allows remote attackers to execute arbitrary Ruby programs from the master via the resource_type service. NOTE: this vulnerability can only be exploited utilizing unspecified "local file system access" to the Puppet Master.
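The CVE-2013-4956 entry above describes modules landing on the master with whatever permissions they were built with. The following POSIX shell script is an added example, not part of this bug report or of Puppet's own tooling: it audits a module tree for group- or world-writable entries and removes those write bits. The sample module it builds under `mktemp -d` is constructed for the demonstration; the real module path to audit (for example a `modulepath` entry such as `/etc/puppet/modules`) is an assumption you supply.

```shell
#!/bin/sh
# Added example (not from the bug or from Puppet): audit a module tree for the
# weak permissions CVE-2013-4956 describes, then tighten them.

# Print "<mode> <path>" for every entry under $1 whose mode grants write to
# group (position 6 of the ls mode string) or other (position 9). Parsing the
# ls mode string keeps this portable across GNU and BSD userlands.
find_weak_perms() {
    dir="$1"
    find "$dir" | while IFS= read -r path; do
        mode=$(ls -ld "$path" | cut -c1-10)
        case "$mode" in
            ?????w*|????????w?) printf '%s %s\n' "$mode" "$path" ;;
        esac
    done
}

# Number of weak entries under $1 (0 when the tree is clean).
count_weak_perms() {
    find_weak_perms "$1" | wc -l | tr -d ' '
}

# Remediation: drop group/other write everywhere, leaving read and exec bits
# as they are so executable helpers shipped in a module keep working.
fix_module_perms() {
    find "$1" -exec chmod go-w {} +
}

# Build a constructed module tree with two deliberately weak entries, mimicking
# a module tarball produced under a permissive umask. Prints the root path.
make_sample_module() {
    root=$(mktemp -d)
    mkdir -p "$root/ntp/manifests" "$root/ntp/templates"
    printf 'class ntp {}\n' > "$root/ntp/manifests/init.pp"
    printf 'server <%%= @server %%>\n' > "$root/ntp/templates/ntp.conf.erb"
    chmod 0755 "$root/ntp" "$root/ntp/manifests"
    chmod 0644 "$root/ntp/manifests/init.pp"
    chmod 0777 "$root/ntp/templates"          # group- and world-writable dir
    chmod 0666 "$root/ntp/templates/ntp.conf.erb"  # world-writable template
    printf '%s\n' "$root"
}

# Demo on the constructed tree; safe to run anywhere and cleans up after itself.
demo_root=$(make_sample_module)
echo "Weak entries before tightening:"
find_weak_perms "$demo_root"
fix_module_perms "$demo_root"
echo "Weak entries after tightening: $(count_weak_perms "$demo_root")"
rm -rf "$demo_root"
```

On a real master, run `find_weak_perms` against each modulepath directory first and review the output before applying `fix_module_perms`; a template or script that a module legitimately wants writable by a service group would otherwise lose that bit.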