U radu programskog paketa Puppet uočeno je više sigurnosnih ranjivosti. Zloćudni korisnik ih može iskoristiti za proizvoljno izvršavanje programskog koda, zaobilaženje ograničenja, dobivanje većih privilegija te izmjenu podataka.
| Paket: | puppet 0.x |
| Operacijski sustavi: | Fedora 14, Fedora 15, Fedora 16 |
| Kritičnost: | 5.5 |
| Problem: | pogreška u programskoj komponenti |
| Iskorištavanje: | lokalno/udaljeno |
| Posljedica: | dobivanje većih privilegija, izmjena podataka, proizvoljno izvršavanje programskog koda, zaobilaženje postavljenih ograničenja |
| Rješenje: | programska zakrpa proizvođača |
| CVE: | CVE-2011-3872, CVE-2011-3869, CVE-2011-3870, CVE-2011-3871, CVE-2011-3848 |
| Izvorni ID preporuke: | FEDORA-2011-14994 |
| Izvor: | Fedora |
| Problem: | |
| Problemi sigurnosti se javljaju zbog pogreške u datotekama ".k5login" i "authorized_keys", pogreške prilikom "--edit" načina rada, pogrešnog rukovanja certifikatima, itd. |
|
| Posljedica: | |
| Zloćudni korisnik navedene ranjivosti može iskoristiti za izmjenu podataka, zaobilaženje ograničenja, dobivanje većih ovlasti te proizvoljno pokretanje programskog koda. |
|
| Rješenje: | |
| Svim se korisnicima navedenog programskog paketa preporučuje njegova nadogradnja na novije inačice. |
|
Izvorni tekst preporuke
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-14994
2011-10-27 03:28:55
--------------------------------------------------------------------------------
Name : puppet
Product : Fedora 15
Version : 2.6.12
Release : 1.fc15
URL : http://puppetlabs.com
Summary : A network tool for managing many disparate systems
Description :
Puppet lets you centrally manage every important aspect of your system using a
cross-platform specification language that manages all the separate elements
normally aggregated in different files, like users, cron jobs, and hosts,
along with obviously discrete elements like packages, services, and files.
--------------------------------------------------------------------------------
Update Information:
A bug in puppet's SSL certificate handling could allow nodes with a valid
certificate to impersonate the puppet master. To be vulnerable, a user would
have had to set the certdnsnames variable and generated certificates. This
setting is not set by default in the Fedora/EPEL packages.
This update closes the vulnerability in newly generated certificates, but cannot
prevent existing certificates from being used to exploit the vulnerability.
Please refer to the upstream documentation for more details on mitigation and
remediation of this issue, if you have generate certificates that are vulnerable
to this issue:
http://puppetlabs.com/security/cve/cve-2011-3872/
--------------------------------------------------------------------------------
ChangeLog:
* Sun Oct 23 2011 Todd Zullinger <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.6.12-1
- Update to 2.6.12, fixes CVE-2011-3872
- Add upstream patch to restore Mongrel XMLRPC functionality (upstream #10244)
- Apply partial fix for upstream #9167 (tagmail report sends email when nothing
happens)
* Thu Sep 29 2011 Todd Zullinger <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.6.6-3
- Apply upstream patches for CVE-2011-3869, CVE-2011-3870, CVE-2011-3871, and
upstream #9793
* Tue Sep 27 2011 Todd Zullinger <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.6.6-2
- Apply upstream patch for CVE-2011-3848
* Wed Mar 16 2011 Todd Zullinger <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.6.6-1
- Update to 2.6.6
- Ensure %pre exits cleanly
- Fix License tag, puppet is now GPLv2 only
- Create and own /usr/share/puppet/modules (#615432)
- Properly restart puppet agent/master daemons on upgrades from 0.25.x
- Require libselinux-utils when selinux support is enabled
- Support tmpfiles.d for Fedora >= 15 (#656677)
- Apply a few upstream fixes for 0.25.5 regressions
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update puppet' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-15000
2011-10-27 03:29:06
--------------------------------------------------------------------------------
Name : puppet
Product : Fedora 14
Version : 2.6.12
Release : 1.fc14
URL : http://puppetlabs.com
Summary : A network tool for managing many disparate systems
Description :
Puppet lets you centrally manage every important aspect of your system using a
cross-platform specification language that manages all the separate elements
normally aggregated in different files, like users, cron jobs, and hosts,
along with obviously discrete elements like packages, services, and files.
--------------------------------------------------------------------------------
Update Information:
A bug in puppet's SSL certificate handling could allow nodes with a valid
certificate to impersonate the puppet master. To be vulnerable, a user would
have had to set the certdnsnames variable and generated certificates. This
setting is not set by default in the Fedora/EPEL packages.
This update closes the vulnerability in newly generated certificates, but cannot
prevent existing certificates from being used to exploit the vulnerability.
Please refer to the upstream documentation for more details on mitigation and
remediation of this issue, if you have generate certificates that are vulnerable
to this issue:
http://puppetlabs.com/security/cve/cve-2011-3872/
--------------------------------------------------------------------------------
ChangeLog:
* Sun Oct 23 2011 Todd Zullinger <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.6.12-1
- Update to 2.6.12, fixes CVE-2011-3872
- Add upstream patch to restore Mongrel XMLRPC functionality (upstream #10244)
- Apply partial fix for upstream #9167 (tagmail report sends email when nothing
happens)
* Thu Sep 29 2011 Todd Zullinger <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.6.6-3
- Apply upstream patches for CVE-2011-3869, CVE-2011-3870, CVE-2011-3871, and
upstream #9793
* Tue Sep 27 2011 Todd Zullinger <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.6.6-2
- Apply upstream patch for CVE-2011-3848
* Wed Mar 16 2011 Todd Zullinger <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.6.6-1
- Update to 2.6.6
- Ensure %pre exits cleanly
- Fix License tag, puppet is now GPLv2 only
- Create and own /usr/share/puppet/modules (#615432)
- Properly restart puppet agent/master daemons on upgrades from 0.25.x
- Require libselinux-utils when selinux support is enabled
- Support tmpfiles.d for Fedora >= 15 (#656677)
- Apply a few upstream fixes for 0.25.5 regressions
* Wed Feb 9 2011 Fedora Release Engineering <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> -
0.25.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update puppet' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-14880
2011-10-25 03:03:01
--------------------------------------------------------------------------------
Name : puppet
Product : Fedora 16
Version : 2.6.12
Release : 1.fc16
URL : http://puppetlabs.com
Summary : A network tool for managing many disparate systems
Description :
Puppet lets you centrally manage every important aspect of your system using a
cross-platform specification language that manages all the separate elements
normally aggregated in different files, like users, cron jobs, and hosts,
along with obviously discrete elements like packages, services, and files.
--------------------------------------------------------------------------------
Update Information:
A bug in puppet's SSL certificate handling could allow nodes with a valid
certificate to impersonate the puppet master. To be vulnerable, a user would
have had to set the certdnsnames variable and generated certificates. This
setting is not set by default in the Fedora/EPEL packages.
This update closes the vulnerability in newly generated certificates, but cannot
prevent existing certificates from being used to exploit the vulnerability.
Please refer to the upstream documentation for more details on mitigation and
remediation of this issue, if you have generate certificates that are vulnerable
to this issue:
http://puppetlabs.com/security/cve/cve-2011-3872/
--------------------------------------------------------------------------------
ChangeLog:
* Sun Oct 23 2011 Todd Zullinger <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.6.12-1
- Update to 2.6.12, fixes CVE-2011-3872
- Add upstream patch to restore Mongrel XMLRPC functionality (upstream #10244)
- Apply partial fix for upstream #9167 (tagmail report sends email when nothing
happens)
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update puppet' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce
Posljednje sigurnosne preporuke