Summary: | <app-admin/mcollective-2.5.3: Unauthorized access to MCO via AES Security Plugin (CVE-2014-3251) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Matthew Thode ( prometheanfire ) <prometheanfire> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | ||
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | C2 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Matthew Thode ( prometheanfire )
2014-07-17 06:41:22 UTC
Arches, please test and mark stable the following =app-admin/mcollective-2.5.3 amd64 x86 x86 stable, thanks. amd64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one. CVE-2014-3251 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3251): The MCollective aes_security plugin, as used in Puppet Enterprise before 3.3.0 and Mcollective before 2.5.3, does not properly validate new server certificates based on the CA certificate, which allows local users to establish unauthorized Mcollective connections via unspecified vectors related to a race condition. Arches, Thank you for your work Maintainer(s), please drop the vulnerable version(s). Added to existing GLSA Request This issue was resolved and addressed in GLSA 201412-15 at http://security.gentoo.org/glsa/glsa-201412-15.xml by GLSA coordinator Sean Amoss (ackle). |