Summary: | <app-admin/puppet-4.10.1: Unsafe YAML deserialization | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | prometheanfire, ruby, sysadmin |
Priority: | Normal | Flags: | stable-bot: sanity-check+ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1452651 | ||
Whiteboard: | B3 [noglsa cve] | ||
Package list: | app-admin/puppet-4.10.1 amd64 hppa x86; app-admin/puppet-agent-1.10.1 amd64 x86; dev-ruby/rgen-0.8.0 x86; dev-ruby/hiera-3.2.2 x86; dev-ruby/deep_merge-1.0.1 x86 | ||
Runtime testing required: | --- |
Description
Agostino Sarubbo
2017-05-20 08:19:27 UTC
yep, arches, please stabilize.

An automated check of this bug failed - the following atom is unknown: app-admin/puppet-agent-4.10.1 Please verify the atom list.

An automated check of this bug failed - repoman reported dependency errors (17 lines truncated):
> dependency.bad app-admin/puppet/puppet-4.10.1.ebuild: DEPEND: x86(default/linux/x86/13.0) ['>=dev-ruby/rgen-0.6.5[ruby_targets_ruby21]', 'dev-ruby/hiera[ruby_targets_ruby22]', '>=dev-ruby/rgen-0.6.5[ruby_targets_ruby22]']
> dependency.bad app-admin/puppet/puppet-4.10.1.ebuild: RDEPEND: x86(default/linux/x86/13.0) ['>=dev-ruby/rgen-0.6.5[ruby_targets_ruby21]', 'dev-ruby/hiera[ruby_targets_ruby22]', '>=dev-ruby/rgen-0.6.5[ruby_targets_ruby22]']
> dependency.bad app-admin/puppet/puppet-4.10.1.ebuild: DEPEND: x86(default/linux/x86/13.0/desktop) ['>=dev-ruby/rgen-0.6.5[ruby_targets_ruby21]', 'dev-ruby/hiera[ruby_targets_ruby22]', '>=dev-ruby/rgen-0.6.5[ruby_targets_ruby22]']

@ruby, are you fine with those packages getting stabilized as well?

(In reply to Matthew Thode ( prometheanfire ) from comment #4)
> @ruby, are you fine with those packages getting stabilized as well?

Note that these are only needed for x86 and x86 currently does not have a stable puppet version at all. No problem from my side. I have updated the package list accordingly.

An automated check of this bug failed - the following atom is unknown: dev-ruby/deep-merge-1.0.1 Please verify the atom list.

amd64 stable

x86 stable

Arches, please finish stabilizing hppa

Gentoo Security Padawan
ChrisADR

stable..........

bman, stable hppa? (it's still cc'd)

(In reply to Matthew Thode ( prometheanfire ) from comment #11)
> bman, stable hppa? (it's still cc'd)

Yup you should probably remove hppa from cc :P (I'm doing that this time)

readding hppa, wrong version stabilized

hppa stable

Stabilization done, thank you arches.

@ Maintainer(s): Please clean vulnerable versions from tree.

@ Security: Please vote on glsa.

cleaned up