From ${URL} :

Description

Multiple vulnerabilities have been reported in Puppet, which can be exploited by malicious users to disclose potentially sensitive information and compromise a vulnerable system and by malicious people to compromise a vulnerable system.

1) An unspecified error exists when invoking the "template" or "inline_template" functions while responding to a catalog request and can be exploited to execute arbitrary code via a specially crafted catalog request.

2) An input validation error exists in the application and can be exploited to e.g. gain unauthorized access to arbitrary catalogs from the master.

3) An unspecified error exists in the application and can be exploited to execute arbitrary code on agents via a specially crafted HTTP request. Successful exploitation of this vulnerability requires listening for incoming connections and permission to access the "run" REST endpoint (disabled by default).

4) An error when handling serialized attributes can be exploited to execute arbitrary code.

5) An unspecified error exists in the application and can be exploited to execute arbitrary code via a specially crafted HTTP PUT request. Successful exploitation of this vulnerability on an agent requires "puppet kick" to be enabled.

Please see the vendor's advisories for a list of affected versions.

Solution

Update to a fixed version.

Further details available to Secunia VIM customers.

Provided and/or discovered by

Reported by the vendor.

Original Advisory

Puppet:
https://puppetlabs.com/blog/security-updates-new-releases-of-puppet-and-puppet-enterprise/
https://puppetlabs.com/security/cve/cve-2013-1640/
https://puppetlabs.com/security/cve/cve-2013-1652/
https://puppetlabs.com/security/cve/cve-2013-1653/
https://puppetlabs.com/security/cve/cve-2013-1655/
https://puppetlabs.com/security/cve/cve-2013-2274/
removed unstable from tree, added 2.7.21 and 3.1.1 (have fixes). CCing arch teams for rapid stabilization of 2.7.21 so we can remove the bad stable from tree.
Arch teams, please test and mark stable: =app-admin/puppet-2.7.21 Stable KEYWORDS : amd64 hppa ppc sparc x86
Stable for HPPA.
amd64 stable
x86 stable
ppc stable
sparc stable
removed =app-admin/puppet-2.7.18 and =app-admin/puppet-2.7.19-r1 (old and janky) since =app-admin/puppet-2.7.21 is stable (new hotness). Removing myself from CC's.
Thanks, everyone. New GLSA request filed.
CVE-2013-2275 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2275): The default configuration for puppet masters 0.25.0 and later in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, allows remote authenticated nodes to submit reports for other nodes via unspecified vectors.

CVE-2013-2274 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2274): Puppet 2.6.x before 2.6.18 and Puppet Enterprise 1.2.x before 1.2.7 allows remote authenticated users to execute arbitrary code on the puppet master, or an agent with puppet kick enabled, via a crafted request for a report.

CVE-2013-1655 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1655): Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, when running Ruby 1.9.3 or later, allows remote attackers to execute arbitrary code via vectors related to "serialized attributes."

CVE-2013-1654 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1654): Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, and Puppet Enterprise 2.7.x before 2.7.2, does not properly negotiate the SSL protocol between client and master, which allows remote attackers to conduct SSLv2 downgrade attacks against SSLv3 sessions via unspecified vectors.

CVE-2013-1653 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1653): Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, when listening for incoming connections is enabled and allowing access to the "run" REST endpoint is allowed, allows remote authenticated users to execute arbitrary code via a crafted HTTP request.

CVE-2013-1652 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1652): Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allows remote authenticated users with a valid certificate and private key to read arbitrary catalogs or poison the master's cache via unspecified vectors.

CVE-2013-1640 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1640): The (1) template and (2) inline_template functions in the master server in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allows remote authenticated users to execute arbitrary code via a crafted catalog request.
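The CVE entries above and the Secunia text at the top of the bug share two preconditions a host auditor can check locally: the installed release against the fixed versions (2.6.18, 2.7.21, 3.1.1), and whether an agent has the HTTP listener for "puppet kick" enabled with the "run" REST endpoint reachable through auth.conf (CVE-2013-1653, CVE-2013-2274). The script below is an added example, not code from Puppet Labs or from this bug; the puppet.conf and auth.conf fragments in it are constructed samples, and the auth.conf evaluation is a simplified model (first stanza whose path and method match wins, plain paths match as prefixes) rather than Puppet's own implementation.

```python
"""Audit a Puppet host against the preconditions named in the 2013 advisories
(added example; sample configuration fragments below are constructed)."""
import configparser
import re

# Fixed releases per branch, as stated in the NVD entries quoted in the bug.
FIXED_RELEASES = {
    (2, 6): (2, 6, 18),
    (2, 7): (2, 7, 21),
    (3, 1): (3, 1, 1),
}

# Constructed samples: an agent with the kick listener on and /run wide open ...
RISKY_PUPPET_CONF = """[main]
vardir = /var/lib/puppet
ssldir = $vardir/ssl
[agent]
listen = true
report = true
"""
RISKY_AUTH_CONF = """# constructed sample
path ~ ^/catalog/([^/]+)$
method find
allow $1

path /run
auth any
method save
allow *

path /
auth any
"""
# ... and one with no listener and the default deny-everything tail stanza.
SAFE_PUPPET_CONF = """[main]
vardir = /var/lib/puppet
[agent]
report = true
"""
SAFE_AUTH_CONF = """path ~ ^/catalog/([^/]+)$
method find
allow $1

path /
auth any
"""


def parse_version(version):
    """'2.7.19-r1' -> (2, 7, 19); a Gentoo revision suffix is ignored."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def version_is_fixed(version):
    """True/False against the fixed release of the branch; None if the branch
    is not one the advisories cover (check the vendor in that case)."""
    v = parse_version(version)
    fixed = FIXED_RELEASES.get(v[:2])
    return None if fixed is None else v >= fixed


def agent_listens(puppet_conf_text):
    """True when the agent HTTP listener used by 'puppet kick' is enabled.
    Puppet consults [agent] first and falls back to [main]."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(puppet_conf_text)
    for section in ("agent", "main"):
        if cfg.has_option(section, "listen"):
            return cfg.get(section, "listen").strip().lower() == "true"
    return False


def parse_auth_conf(text):
    """Split auth.conf into stanzas: a 'path' line opens one, and the
    auth/method/allow/deny directives that follow belong to it."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if key == "path":
            current = {"path": value, "auth": "yes", "method": [], "allow": [], "deny": []}
            stanzas.append(current)
        elif current is not None and key in ("method", "allow", "deny"):
            current[key].extend(v.strip() for v in value.split(","))
        elif current is not None and key == "auth":
            current["auth"] = value
    return stanzas


def run_endpoint_exposure(auth_conf_text):
    """Return the 'allow' entries of the first stanza that covers a PUT
    ('save') to /run; an empty list means that stanza allows nobody."""
    for stanza in parse_auth_conf(auth_conf_text):
        if stanza["method"] and "save" not in stanza["method"]:
            continue
        path = stanza["path"]
        if path.startswith("~"):
            matched = re.search(path[1:].strip(), "/run") is not None
        else:
            matched = "/run".startswith(path)  # plain paths are prefixes
        if matched:
            return list(stanza["allow"])
    return []


def audit(version, puppet_conf_text, auth_conf_text):
    """Collect human-readable findings; an empty list means nothing flagged."""
    findings = []
    fixed = version_is_fixed(version)
    if fixed is False:
        findings.append(f"puppet {version} predates the fixed release of its branch")
    elif fixed is None:
        findings.append(f"puppet {version}: branch not covered by the advisories")
    if agent_listens(puppet_conf_text):
        findings.append("agent has listen = true (puppet kick listener reachable)")
        allowed = run_endpoint_exposure(auth_conf_text)
        if allowed:
            findings.append("auth.conf allows /run from: " + ", ".join(allowed))
    return findings


if __name__ == "__main__":
    for line in audit("2.7.19-r1", RISKY_PUPPET_CONF, RISKY_AUTH_CONF):
        print("FINDING:", line)
```

The version check is only a gate on the branch; a host on a fixed release still benefits from keeping the listener off unless kick is actually used, which is why the listener and the /run stanza are reported separately.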
This issue was resolved and addressed in GLSA 201308-04 at http://security.gentoo.org/glsa/glsa-201308-04.xml by GLSA coordinator Sergey Popov (pinkbyte).