CVE-2017-10690 (https://nvd.nist.gov/vuln/detail/CVE-2017-10690): In previous versions of Puppet Agent it was possible for the agent to retrieve facts from an environment that it was not classified to retrieve from. This was resolved in Puppet Agent 5.3.4, included in Puppet Enterprise 2017.3.4 CVE-2017-10689 (https://nvd.nist.gov/vuln/detail/CVE-2017-10689): In previous versions of Puppet Agent it was possible to install a module with world writable permissions. Puppet Agent 5.3.4 and 1.10.10 included a fix to this vulnerability.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2fd809578e8eb73ac6552cf1074ab8b68434de64 commit 2fd809578e8eb73ac6552cf1074ab8b68434de64 Author: Matthew Thode <prometheanfire@gentoo.org> AuthorDate: 2018-02-16 01:27:34 +0000 Commit: Matthew Thode <prometheanfire@gentoo.org> CommitDate: 2018-02-16 01:28:13 +0000 app-admin/puppet-agent: removing old for CVE-2017-{10689,10690} Bug: https://bugs.gentoo.org/647820 Package-Manager: Portage-2.3.19, Repoman-2.3.6 app-admin/puppet-agent/Manifest | 6 -- app-admin/puppet-agent/puppet-agent-1.10.10.ebuild | 2 +- app-admin/puppet-agent/puppet-agent-1.10.9.ebuild | 111 --------------------- .../puppet-agent/puppet-agent-5.3.3-r2.ebuild | 86 ---------------- app-admin/puppet-agent/puppet-agent-5.3.3.ebuild | 104 ------------------- app-admin/puppet-agent/puppet-agent-5.3.4.ebuild | 2 +- 6 files changed, 2 insertions(+), 309 deletions(-)}
Downgraded to B4 due to information leak and world writable permissions. GLSA Vote: No