From ${URL} :

An issue exists where sensitive Amazon EC2 IAM instance metadata could be added to an Amazon EC2 node's facts, where a non-privileged local user could access the information via Facter. Although Amazon’s API allows anyone who can access an EC2 instance to view its instance metadata, facts containing sensitive EC2 instance metadata could be unintentionally exposed through off-host applications that display facts.

Upstream commit that fixes this: https://github.com/puppetlabs/facter/commit/e546bc546e7fb23ad6b68fcf2059452df4d320dd

External References: http://puppetlabs.com/security/cve/cve-2015-1426

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
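To make the exposure concrete, the following Ruby snippet is an added example written for this page; it is not Facter's code and not the upstream fix. It simulates a fact collector that flattens the EC2 instance metadata tree (http://169.254.169.254/latest/meta-data/) into ec2_* facts, once without filtering (the behaviour the advisory describes, where IAM role credentials under iam/security-credentials/ become facts) and once with that subtree excluded. The metadata tree, fact naming scheme and the excluded path list are constructed assumptions for illustration; the credential values are dummies. A small audit helper scans an exported fact set for credential-shaped values, which is the check a practitioner would run against PuppetDB or a dashboard that already received facts from an unpatched Facter.

```ruby
require 'json'

# Constructed sample of the EC2 metadata tree (no network access is made).
# The IAM credential values below are dummies, not real AWS credentials.
SAMPLE_METADATA = {
  'instance-id' => 'i-0123456789abcdef0',
  'ami-id'      => 'ami-0abcdef1234567890',
  'placement'   => { 'availability-zone' => 'us-east-1a' },
  'iam' => {
    'info' => '{"InstanceProfileArn":"arn:aws:iam::123456789012:instance-profile/example"}',
    'security-credentials' => {
      'example-role' => JSON.generate(
        'AccessKeyId'     => 'ASIAEXAMPLEEXAMPLE',
        'SecretAccessKey' => 'example-secret-not-real',
        'Token'           => 'example-session-token-not-real'
      )
    }
  }
}.freeze

# Flatten the tree into facts named ec2_<path with '/' replaced by '_'>.
# `exclude` lists path prefixes (relative to meta-data/) that must never
# become facts; a matching key and everything beneath it is dropped.
def ec2_facts(tree, exclude: [], prefix: [])
  tree.each_with_object({}) do |(key, value), facts|
    path = prefix + [key]
    rel  = path.join('/')
    next if exclude.any? { |ex| rel == ex || rel.start_with?("#{ex}/") }

    if value.is_a?(Hash)
      facts.merge!(ec2_facts(value, exclude: exclude, prefix: path))
    else
      facts["ec2_#{path.join('_')}"] = value
    end
  end
end

# Unfiltered collection: every leaf under meta-data/ becomes a fact,
# including the IAM role's temporary credentials.
def vulnerable_facts(tree = SAMPLE_METADATA)
  ec2_facts(tree)
end

# Filtered collection: the credential subtree is excluded before any fact
# is built, so it can never reach off-host consumers of facts.
SENSITIVE_PATHS = ['iam/security-credentials'].freeze

def hardened_facts(tree = SAMPLE_METADATA)
  ec2_facts(tree, exclude: SENSITIVE_PATHS)
end

# Audit helper: return the names of facts whose name points into the
# credential subtree or whose value carries AWS credential field names.
CREDENTIAL_KEYS = %w[AccessKeyId SecretAccessKey Token].freeze

def leaked_credentials(facts)
  facts.select do |name, value|
    name.include?('security-credentials') ||
      CREDENTIAL_KEYS.any? { |k| value.to_s.include?(k) }
  end.keys
end

if $PROGRAM_NAME == __FILE__
  puts "unfiltered facts leaking credentials: #{leaked_credentials(vulnerable_facts).inspect}"
  puts "filtered facts leaking credentials:   #{leaked_credentials(hardened_facts).inspect}"
end
```

Note that the filter acts on the metadata path, not on the value: matching on secret-looking strings would miss a credential blob whose field names changed, whereas dropping iam/security-credentials removes the whole subtree regardless of content. The audit helper is only a second line of defence for facts that have already left the host.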
2.4.1 was already added to the tree. We do have a problem where the ebuild has ruby 2.1 support but it's not stable. Should we revbump it and remove ruby21 so we can stabilize it? Here are the arches we will need stable for: amd64 hppa ppc ppc64 sparc x86
This version of facter can now be marked stable: =facter-2.4.1
That should obviously be: =dev-ruby/facter-2.4.1
Stable for HPPA.
ppc64 stable
ppc stable
amd64 stable
sparc stable
x86 stable. Maintainer(s), please clean up. Security, please vote.
Vulnerable versions have been removed.
removing self as badness is gone
GLSA Vote: No
GLSA vote: no. Closing as [noglsa]
CVE-2015-1426 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1426): Puppet Labs Facter 1.6.0 through 2.4.0 allows local users to obtain sensitive Amazon EC2 IAM instance metadata by reading a fact for an Amazon EC2 node.