U radu programskog paketa Puppet uočene su tri sigurnosne ranjivosti. Lokalni ih napadač može iskoristiti za zaobilaženje sigurnosnih ograničenja, izmjenu podataka i otkrivanje osjetljivih informacija.
| Paket: | puppet 2.x |
| Operacijski sustavi: | Fedora 16, Fedora 17 |
| Kritičnost: | 5.8 |
| Problem: | neodgovarajuća provjera ulaznih podataka |
| Iskorištavanje: | lokalno |
| Posljedica: | izmjena podataka, otkrivanje osjetljivih informacija, zaobilaženje postavljenih ograničenja |
| Rješenje: | programska zakrpa proizvođača |
| CVE: | CVE-2012-3864, CVE-2012-3865, CVE-2012-3867 |
| Izvorni ID preporuke: | FEDORA-2012-10897 |
| Izvor: | Fedora |
| Problem: | |
| Spomenute su ranjivosti posljedica neodgovarajuće provjere ulaznih podataka. |
|
| Posljedica: | |
| Napadačima nedostaci omogućuju zaobilaženje sigurnosnih ograničenja, čitanje i izmjenu proizvoljnih datoteka. |
|
| Rješenje: | |
| Korisnicima se savjetuje korištenje novih programskih rješenja. |
|
Izvorni tekst preporuke
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-10897
2012-07-20 01:26:53
--------------------------------------------------------------------------------
Name : puppet
Product : Fedora 16
Version : 2.6.17
Release : 2.fc16
URL : http://puppetlabs.com
Summary : A network tool for managing many disparate systems
Description :
Puppet lets you centrally manage every important aspect of your system using a
cross-platform specification language that manages all the separate elements
normally aggregated in different files, like users, cron jobs, and hosts,
along with obviously discrete elements like packages, services, and files.
--------------------------------------------------------------------------------
Update Information:
This is an upstream security release. It addresses a number of issues found in
puppet-2.6.x. The Red Hat security team has rated this update as having low
security impact.
Refer to the upstream release notes and bugzilla entries for further details.
http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.17
NetworkManager compatibility should be improved in this release, thanks to Orion
Poplawski (any bugs in implementing Orion's suggested dispatcher script are my
own).
--------------------------------------------------------------------------------
ChangeLog:
* Thu Jul 19 2012 Todd Zullinger <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.6.17-2
- Corrected CVE list, 2.6 is not affected by CVE-2012-3866
* Wed Jul 11 2012 Todd Zullinger <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.6.17-1
- Update to 2.6.17, fixes CVE-2012-3864, CVE-2012-3865, CVE-2012-3867
- Improve NetworkManager compatibility, thanks to Orion Poplawski (#532085)
- Preserve timestamps when installing files
* Wed Apr 11 2012 Todd Zullinger <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.6.16-1
- Update to 2.6.16, fixes CVE-2012-1986, CVE-2012-1987, and CVE-2012-1988
- Correct permissions of /var/log/puppet (0750)
* Wed Feb 22 2012 Todd Zullinger <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.6.14-1
- Update to 2.6.14, fixes CVE-2012-1053 and CVE-2012-1054
* Mon Feb 13 2012 Todd Zullinger <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.6.13-3
- Move rpmlint fixes to %prep, add a few additional fixes
- Bump minimum ruby version to 1.8.5 now that EL-4 is all but dead
- Update install locations for Fedora-17 / Ruby-1.9
- Use ruby($lib) for augeas and shadow requirements
- Only try to run 0.25.x -> 2.6.x pid file updates on EL
* Thu Jan 5 2012 Todd Zullinger <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.6.13-2
- Revert to minimal patch for augeas >= 0.10 (bz#771097)
* Wed Dec 14 2011 Todd Zullinger <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.6.13-1
- Update to 2.6.13
- Cherry-pick various augeas fixes from upstream (bz#771097)
* Sun Oct 23 2011 Todd Zullinger <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.6.12-1
- Update to 2.6.12, fixes CVE-2011-3872
- Add upstream patch to restore Mongrel XMLRPC functionality (upstream #10244)
- Apply partial fix for upstream #9167 (tagmail report sends email when nothing
happens)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #839130 - CVE-2012-3864 puppet: authenticated clients allowed to
read arbitrary files from the puppet master
https://bugzilla.redhat.com/show_bug.cgi?id=839130
[ 2 ] Bug #839131 - CVE-2012-3865 puppet: authenticated clients allowed to
delete arbitrary files on the puppet master
https://bugzilla.redhat.com/show_bug.cgi?id=839131
[ 3 ] Bug #839158 - CVE-2012-3867 puppet: insufficient validation of agent
names in CN of SSL certificate requests
https://bugzilla.redhat.com/show_bug.cgi?id=839158
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update puppet' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-10891
2012-07-20 01:26:38
--------------------------------------------------------------------------------
Name : puppet
Product : Fedora 17
Version : 2.7.18
Release : 1.fc17
URL : http://puppetlabs.com
Summary : A network tool for managing many disparate systems
Description :
Puppet lets you centrally manage every important aspect of your system using a
cross-platform specification language that manages all the separate elements
normally aggregated in different files, like users, cron jobs, and hosts,
along with obviously discrete elements like packages, services, and files.
--------------------------------------------------------------------------------
Update Information:
This is an upstream security release. It addresses a number of issues found in
puppet-2.7.x. The Red Hat security team has rated this update as having low
security impact.
Refer to the upstream release notes and bugzilla entries for further details.
http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.7.18
NetworkManager compatibility should be improved in this release, thanks to Orion
Poplawski (any bugs in implementing Orion's suggested dispatcher script are my
own).
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jul 11 2012 Todd Zullinger <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.7.18-1
- Update to 2.7.17, fixes CVE-2012-3864, CVE-2012-3865, CVE-2012-3866,
CVE-2012-3867
- Improve NetworkManager compatibility, thanks to Orion Poplawski (#532085)
- Preserve timestamps when installing files
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #839130 - CVE-2012-3864 puppet: authenticated clients allowed to
read arbitrary files from the puppet master
https://bugzilla.redhat.com/show_bug.cgi?id=839130
[ 2 ] Bug #839131 - CVE-2012-3865 puppet: authenticated clients allowed to
delete arbitrary files on the puppet master
https://bugzilla.redhat.com/show_bug.cgi?id=839131
[ 3 ] Bug #839135 - CVE-2012-3866 puppet: information leak via world readable
last_run_report.yaml
https://bugzilla.redhat.com/show_bug.cgi?id=839135
[ 4 ] Bug #839158 - CVE-2012-3867 puppet: insufficient validation of agent
names in CN of SSL certificate requests
https://bugzilla.redhat.com/show_bug.cgi?id=839158
[ 5 ] Bug #839166 - CVE-2012-3408 puppet: possible host impersonation when
using certificates issues for IP address
https://bugzilla.redhat.com/show_bug.cgi?id=839166
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update puppet' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce
Posljednje sigurnosne preporuke