| Summary: | <app-admin/puppet-agent-1.3.6: improper validation of SSL certificates with bundled openssl 1.0.2g | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Matthew Thode ( prometheanfire ) <prometheanfire> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | | |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://puppetlabs.com/security/cve/CVE-2016-2786?_ga=1.177264613.155710425.1458031774 | | |
| Whiteboard: | B2 [glsa cve] | | |
| Package list: | | Runtime testing required: | --- |

Description
Matthew Thode ( prometheanfire )
2016-03-15 06:10:58 UTC
amd64 stable

x86 stable. Maintainer(s), please cleanup.

From ${URL}:

"The Puppet Communications Protocol included in Puppet Enterprise 2015.3 does not properly validate certificates in all cases. This potentially allows for arbitrary remote code execution on Puppet agent nodes. In PE 2015.3.2 and earlier, the pxp-agent component does not properly validate the server certificate. This makes it possible for an attacker to impersonate a broker and issue commands to the agent, assuming the attacker can force the agent to connect to an arbitrary broker via a secondary attack (DNS spoofing, etc). Default configurations of FOSS Puppet Agent are not vulnerable."

New GLSA Request filed.

CVE-2016-2786 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2786): The Puppet Communications Protocol included in Puppet Enterprise 2015.3 does not properly validate certificates in all cases. This potentially allows for arbitrary remote code execution on Puppet agent nodes. In PE 2015.3.2 and earlier, the pxp-agent component does not properly validate the server certificate. This makes it possible for an attacker to impersonate a broker and issue commands to the agent, assuming the attacker can force the agent to connect to an arbitrary broker via a secondary attack (DNS spoofing, etc). Default configurations of FOSS Puppet Agent are not vulnerable.

@maintainer, please cleanup or let us know if it has to wait. We can clean it up as well if you need. Thanks.

done

(In reply to Matthew Thode ( prometheanfire ) from comment #6)
> done

GLSA is ready if you want to release it :)

This issue was resolved and addressed in GLSA 201606-02 at https://security.gentoo.org/glsa/201606-02 by GLSA coordinator Yury German (BlueKnight)