Bug 577450 (CVE-2016-2786) - <app-admin/puppet-agent-1.3.6: improper validation of SSL certificates with bundled openssl 1.0.2g
Status: RESOLVED FIXED
Alias: CVE-2016-2786
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://puppetlabs.com/security/cve/C...
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-03-15 06:10 UTC by Matthew Thode ( prometheanfire )
Modified: 2016-06-05 18:41 UTC

See Also:
Package list:
Runtime testing required: ---

Description Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2016-03-15 06:10:58 UTC
Puppet Agent 1.3.6 is now available! This is a security release that
updates OpenSSL to 1.0.2g, and addresses a number of recent CVEs.

Arches, please stabilize and let me know when to clean.
Comment 1 Agostino Sarubbo gentoo-dev 2016-03-15 08:11:48 UTC
amd64 stable
Comment 2 Agostino Sarubbo gentoo-dev 2016-03-15 08:13:15 UTC
x86 stable.

Maintainer(s), please clean up.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-03-15 09:04:34 UTC
From ${URL}:

"The Puppet Communications Protocol included in Puppet Enterprise 2015.3 does not properly validate certificates in all cases. This potentially allows for arbitrary remote code execution on Puppet agent nodes.

In PE 2015.3.2 and earlier, the pxp-agent component does not properly validate the server certificate. This makes it possible for an attacker to impersonate a broker and issue commands to the agent, assuming the attacker can force the agent to connect to an arbitrary broker via a secondary attack (DNS spoofing, etc).

Default configurations of FOSS Puppet Agent are not vulnerable."

New GLSA Request filed.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2016-03-15 09:06:09 UTC
CVE-2016-2786 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2786):
  The Puppet Communications Protocol included in Puppet Enterprise 2015.3 does
  not properly validate certificates in all cases. This potentially allows for
  arbitrary remote code execution on Puppet agent nodes.
  
  In PE 2015.3.2 and earlier, the pxp-agent component does not properly
  validate the server certificate. This makes it possible for an attacker to
  impersonate a broker and issue commands to the agent, assuming the attacker
  can force the agent to connect to an arbitrary broker via a secondary attack
  (DNS spoofing, etc).
  
  Default configurations of FOSS Puppet Agent are not vulnerable.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-03-24 07:09:42 UTC
@maintainer, please clean up or let us know if it has to wait. We can clean it up as well if you need. Thanks.
Comment 6 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2016-03-24 15:41:09 UTC
done
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-03-24 22:25:29 UTC
(In reply to Matthew Thode ( prometheanfire ) from comment #6)
> done

GLSA is ready if you want to release it :)
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2016-06-05 18:41:33 UTC
This issue was resolved and addressed in GLSA 201606-02 at https://security.gentoo.org/glsa/201606-02 by GLSA coordinator Yury German (BlueKnight)