U radu programskog paketa Puppet uočeno je više sigurnosnih propusta. Napadač te propuste može iskoristiti za proizvoljno pokretanje programskog koda, zaobilaženje ograničenja, izmjenu podataka te dobivanje većih ovlasti u sustavu.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-13623
2011-10-01 18:42:21
--------------------------------------------------------------------------------

Name        : puppet
Product     : Fedora 16
Version     : 2.6.6
Release     : 3.fc16
URL         : http://puppetlabs.com
Summary     : A network tool for managing many disparate systems
Description :
Puppet lets you centrally manage every important aspect of your system using a
cross-platform specification language that manages all the separate elements
normally aggregated in different files, like users, cron jobs, and hosts,
along with obviously discrete elements like packages, services, and files.

--------------------------------------------------------------------------------
Update Information:

The following vulnerabilities have been discovered and fixed:

* CVE-2011-3870, a symlink attack via a user's SSH authorized_keys file  
* CVE-2011-3869, a symlink attack via a user's .k5login file  
* CVE-2011-3871, a privilege escalation attack via the temp file  used by the
puppet resource application  
* A low-risk file indirector injection attack  

Further details can be found in the upstream announcement:

http://groups.google.com/group/puppet-announce/browse_thread/thread/91e3b46d2328a1cb
A vulnerability was discovered in puppet that would allow an attacker to install
a valid X509 Certificate Signing Request at any location on disk, with the
privileges of the Puppet Master application.  For Fedora and EPEL, this is the
puppet user.

Further details can be found in the upstream announcement:

http://groups.google.com/group/puppet-users/browse_thread/thread/e57ce2740feb9406

Unless you enable puppet's listen mode on clients, only the puppet master is
vulnerable to this issue.
A vulnerability was discovered in puppet that would allow an attacker to install
a valid X509 Certificate Signing Request at any location on disk, with the
privileges of the Puppet Master application.  For Fedora and EPEL, this is the
puppet user.

Further details can be found in the upstream announcement:

http://groups.google.com/group/puppet-users/browse_thread/thread/e57ce2740feb9406

Unless you enable puppet's listen mode on clients, only the puppet master is
vulnerable to this issue.
A vulnerability was discovered in puppet that would allow an attacker to install
a valid X509 Certificate Signing Request at any location on disk, with the
privileges of the Puppet Master application.  For Fedora and EPEL, this is the
puppet user.

Further details can be found in the upstream announcement:

http://groups.google.com/group/puppet-users/browse_thread/thread/e57ce2740feb9406

Unless you enable puppet's listen mode on clients, only the puppet master is
vulnerable to this issue.
A vulnerability was discovered in puppet that would allow an attacker to install
a valid X509 Certificate Signing Request at any location on disk, with the
privileges of the Puppet Master application.  For Fedora and EPEL, this is the
puppet user.

Further details can be found in the upstream announcement:

http://groups.google.com/group/puppet-users/browse_thread/thread/e57ce2740feb9406

Unless you enable puppet's listen mode on clients, only the puppet master is
vulnerable to this issue.
A vulnerability was discovered in puppet that would allow an attacker to install
a valid X509 Certificate Signing Request at any location on disk, with the
privileges of the Puppet Master application.  For Fedora and EPEL, this is the
puppet user.

Further details can be found in the upstream announcement:

http://groups.google.com/group/puppet-users/browse_thread/thread/e57ce2740feb9406

Unless you enable puppet's listen mode on clients, only the puppet master is
vulnerable to this issue.
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update puppet' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-13636
2011-10-01 23:39:09
--------------------------------------------------------------------------------

Name        : puppet
Product     : Fedora 15
Version     : 2.6.6
Release     : 3.fc15
URL         : http://puppetlabs.com
Summary     : A network tool for managing many disparate systems
Description :
Puppet lets you centrally manage every important aspect of your system using a
cross-platform specification language that manages all the separate elements
normally aggregated in different files, like users, cron jobs, and hosts,
along with obviously discrete elements like packages, services, and files.

--------------------------------------------------------------------------------
Update Information:

The following vulnerabilities have been discovered and fixed:

* CVE-2011-3870, a symlink attack via a user's SSH authorized_keys file  
* CVE-2011-3869, a symlink attack via a user's .k5login file  
* CVE-2011-3871, a privilege escalation attack via the temp file  used by the
puppet resource application  
* A low-risk file indirector injection attack  

Further details can be found in the upstream announcement:

http://groups.google.com/group/puppet-announce/browse_thread/thread/91e3b46d2328a1cb
A vulnerability was discovered in puppet that would allow an attacker to install
a valid X509 Certificate Signing Request at any location on disk, with the
privileges of the Puppet Master application.  For Fedora and EPEL, this is the
puppet user.

Further details can be found in the upstream announcement:

http://groups.google.com/group/puppet-users/browse_thread/thread/e57ce2740feb9406

Unless you enable puppet's listen mode on clients, only the puppet master is
vulnerable to this issue.
A vulnerability was discovered in puppet that would allow an attacker to install
a valid X509 Certificate Signing Request at any location on disk, with the
privileges of the Puppet Master application.  For Fedora and EPEL, this is the
puppet user.

Further details can be found in the upstream announcement:

http://groups.google.com/group/puppet-users/browse_thread/thread/e57ce2740feb9406

Unless you enable puppet's listen mode on clients, only the puppet master is
vulnerable to this issue.
A vulnerability was discovered in puppet that would allow an attacker to install
a valid X509 Certificate Signing Request at any location on disk, with the
privileges of the Puppet Master application.  For Fedora and EPEL, this is the
puppet user.

Further details can be found in the upstream announcement:

http://groups.google.com/group/puppet-users/browse_thread/thread/e57ce2740feb9406

Unless you enable puppet's listen mode on clients, only the puppet master is
vulnerable to this issue.
A vulnerability was discovered in puppet that would allow an attacker to install
a valid X509 Certificate Signing Request at any location on disk, with the
privileges of the Puppet Master application.  For Fedora and EPEL, this is the
puppet user.

Further details can be found in the upstream announcement:

http://groups.google.com/group/puppet-users/browse_thread/thread/e57ce2740feb9406

Unless you enable puppet's listen mode on clients, only the puppet master is
vulnerable to this issue.
A vulnerability was discovered in puppet that would allow an attacker to install
a valid X509 Certificate Signing Request at any location on disk, with the
privileges of the Puppet Master application.  For Fedora and EPEL, this is the
puppet user.

Further details can be found in the upstream announcement:

http://groups.google.com/group/puppet-users/browse_thread/thread/e57ce2740feb9406

Unless you enable puppet's listen mode on clients, only the puppet master is
vulnerable to this issue.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Sep 29 2011 Todd Zullinger <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.6.6-3
- Apply upstream patches for CVE-2011-3869, CVE-2011-3870, CVE-2011-3871, and
  upstream #9793
* Tue Sep 27 2011 Todd Zullinger <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.6.6-2
- Apply upstream patch for CVE-2011-3848
* Wed Mar 16 2011 Todd Zullinger <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.6.6-1
- Update to 2.6.6
- Ensure %pre exits cleanly
- Fix License tag, puppet is now GPLv2 only
- Create and own /usr/share/puppet/modules (#615432)
- Properly restart puppet agent/master daemons on upgrades from 0.25.x
- Require libselinux-utils when selinux support is enabled
- Support tmpfiles.d for Fedora >= 15 (#656677)
- Apply a few upstream fixes for 0.25.5 regressions
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update puppet' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-13633
2011-10-01 23:39:03
--------------------------------------------------------------------------------

Name        : puppet
Product     : Fedora 14
Version     : 2.6.6
Release     : 3.fc14
URL         : http://puppetlabs.com
Summary     : A network tool for managing many disparate systems
Description :
Puppet lets you centrally manage every important aspect of your system using a
cross-platform specification language that manages all the separate elements
normally aggregated in different files, like users, cron jobs, and hosts,
along with obviously discrete elements like packages, services, and files.

--------------------------------------------------------------------------------
Update Information:

The following vulnerabilities have been discovered and fixed:

* CVE-2011-3870, a symlink attack via a user's SSH authorized_keys file  
* CVE-2011-3869, a symlink attack via a user's .k5login file  
* CVE-2011-3871, a privilege escalation attack via the temp file  used by the
puppet resource application  
* A low-risk file indirector injection attack  

Further details can be found in the upstream announcement:

http://groups.google.com/group/puppet-announce/browse_thread/thread/91e3b46d2328a1cb
A vulnerability was discovered in puppet that would allow an attacker to install
a valid X509 Certificate Signing Request at any location on disk, with the
privileges of the Puppet Master application.  For Fedora and EPEL, this is the
puppet user.

Further details can be found in the upstream announcement:

http://groups.google.com/group/puppet-users/browse_thread/thread/e57ce2740feb9406

Unless you enable puppet's listen mode on clients, only the puppet master is
vulnerable to this issue.
A vulnerability was discovered in puppet that would allow an attacker to install
a valid X509 Certificate Signing Request at any location on disk, with the
privileges of the Puppet Master application.  For Fedora and EPEL, this is the
puppet user.

Further details can be found in the upstream announcement:

http://groups.google.com/group/puppet-users/browse_thread/thread/e57ce2740feb9406

Unless you enable puppet's listen mode on clients, only the puppet master is
vulnerable to this issue.
A vulnerability was discovered in puppet that would allow an attacker to install
a valid X509 Certificate Signing Request at any location on disk, with the
privileges of the Puppet Master application.  For Fedora and EPEL, this is the
puppet user.

Further details can be found in the upstream announcement:

http://groups.google.com/group/puppet-users/browse_thread/thread/e57ce2740feb9406

Unless you enable puppet's listen mode on clients, only the puppet master is
vulnerable to this issue.
A vulnerability was discovered in puppet that would allow an attacker to install
a valid X509 Certificate Signing Request at any location on disk, with the
privileges of the Puppet Master application.  For Fedora and EPEL, this is the
puppet user.

Further details can be found in the upstream announcement:

http://groups.google.com/group/puppet-users/browse_thread/thread/e57ce2740feb9406

Unless you enable puppet's listen mode on clients, only the puppet master is
vulnerable to this issue.
A vulnerability was discovered in puppet that would allow an attacker to install
a valid X509 Certificate Signing Request at any location on disk, with the
privileges of the Puppet Master application.  For Fedora and EPEL, this is the
puppet user.

Further details can be found in the upstream announcement:

http://groups.google.com/group/puppet-users/browse_thread/thread/e57ce2740feb9406

Unless you enable puppet's listen mode on clients, only the puppet master is
vulnerable to this issue.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Sep 29 2011 Todd Zullinger <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.6.6-3
- Apply upstream patches for CVE-2011-3869, CVE-2011-3870, CVE-2011-3871, and
  upstream #9793
* Tue Sep 27 2011 Todd Zullinger <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.6.6-2
- Apply upstream patch for CVE-2011-3848
* Wed Mar 16 2011 Todd Zullinger <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.6.6-1
- Update to 2.6.6
- Ensure %pre exits cleanly
- Fix License tag, puppet is now GPLv2 only
- Create and own /usr/share/puppet/modules (#615432)
- Properly restart puppet agent/master daemons on upgrades from 0.25.x
- Require libselinux-utils when selinux support is enabled
- Support tmpfiles.d for Fedora >= 15 (#656677)
- Apply a few upstream fixes for 0.25.5 regressions
* Wed Feb  9 2011 Fedora Release Engineering <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> -
0.25.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update puppet' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce