[puppet/el4] Update to 0.25.6, fixes CVE-2011-3872
Todd Zullinger
tmz at fedoraproject.org
Mon Oct 24 21:57:31 UTC 2011
commit 58b7ea82bb50ace636c3ce3bc1be2f649217ba9b
Author: Todd Zullinger <tmz at pobox.com>
Date: Sat Oct 22 10:46:00 2011 -0400
Update to 0.25.6, fixes CVE-2011-3872
...2-Predictable-temporary-filename-in-ralsh.patch | 69 ----------
0.25.x-9791-TOCTOU-in-ssh-auth-keys-type.patch | 50 -------
...gin-can-overwrite-arbitrary-files-as-root.patch | 40 ------
...Resist-directory-traversal-attacks-0.25.x.patch | 140 --------------------
puppet-0.25.5.tar.gz.sign | 17 ---
puppet-0.25.6.tar.gz.asc | 17 +++
puppet.spec | 23 +---
sources | 2 +-
8 files changed, 25 insertions(+), 333 deletions(-)
---
diff --git a/puppet-0.25.6.tar.gz.asc b/puppet-0.25.6.tar.gz.asc
new file mode 100644
index 0000000..8e3bd3c
--- /dev/null
+++ b/puppet-0.25.6.tar.gz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.11 (GNU/Linux)
+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+=iOa/
+-----END PGP SIGNATURE-----
diff --git a/puppet.spec b/puppet.spec
index aed6a44..c0a06d3 100644
--- a/puppet.spec
+++ b/puppet.spec
@@ -5,13 +5,13 @@
%global confdir conf/redhat
Name: puppet
-Version: 0.25.5
-Release: 2%{?dist}
+Version: 0.25.6
+Release: 1%{?dist}
Summary: A network tool for managing many disparate systems
License: GPLv2+
URL: http://puppetlabs.com
-Source0: http://puppetlabs.com/downloads/%{name}/%{name}-%{version}.tar.gz
-Source1: http://puppetlabs.com/downloads/%{name}/%{name}-%{version}.tar.gz.sign
+Source0: http://downloads.puppetlabs.com/%{name}/%{name}-%{version}.tar.gz
+Source1: http://downloads.puppetlabs.com/%{name}/%{name}-%{version}.tar.gz.asc
# http://projects.puppetlabs.com/issues/show/4252
# https://bugzilla.redhat.com/show_bug.cgi?id=615175
Patch0: puppet-0.25.5-yumrepo-deprecation-warning.patch
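Review bot: Source0 and Source1 in this hunk are both fetched over plain http from the same host, so the .asc only adds assurance if it is checked against a key obtained some other way. Suggest adding a comment above Source1 that records the fingerprint of the expected signing key, since nothing in the visible spec lines says which key the signature should verify against.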
@@ -19,14 +19,6 @@ Patch0: puppet-0.25.5-yumrepo-deprecation-warning.patch
Patch1: puppet-0.25.5-puppet.conf-line-endings.patch
# http://projects.puppetlabs.com/issues/2359
Patch2: puppet-0.25.5-capture-stderr-from-exec.patch
-# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3848
-Patch3: 0001-Resist-directory-traversal-attacks-0.25.x.patch
-# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3871
-Patch4: 0.25-9792-Predictable-temporary-filename-in-ralsh.patch
-# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3870
-Patch5: 0.25.x-9791-TOCTOU-in-ssh-auth-keys-type.patch
-# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3869
-Patch6: 0.25.x-9794-k5login-can-overwrite-arbitrary-files-as-root.patch
Group: System Environment/Base
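Review bot: Removing Patch3 through Patch6 drops the fixes for CVE-2011-3848, CVE-2011-3871, CVE-2011-3870 and CVE-2011-3869 from the package unless the 0.25.6 tarball already contains them, and nothing in this commit states that it does. Suggest confirming each fix is present in the new source before the patches go, and saying so in the commit message.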
@@ -84,10 +76,6 @@ The server can also function as a certificate authority and file server.
%patch0 -p1
%patch1 -p1
%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
patch -p1 < conf/redhat/rundir-perms.patch
%build
@@ -244,6 +232,9 @@ fi
rm -rf %{buildroot}
%changelog
+* Sat Oct 22 2011 Todd Zullinger <tmz at pobox.com> - 0.25.6-1
+- Update to 0.25.6, fixes CVE-2011-3872
+
* Mon Oct 03 2011 Todd Zullinger <tmz at pobox.com> - 0.25.5-2
- Apply upstream patches for CVE-2011-3848, CVE-2011-3869, CVE-2011-3870,
CVE-2011-3871
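Review bot: The new 0.25.6-1 changelog entry names only CVE-2011-3872 and is silent about the removal of the four patches added in 0.25.5-2. Suggest a second line in the entry, along the lines of "- Drop patches for CVE-2011-3848, CVE-2011-3869, CVE-2011-3870, CVE-2011-3871" with the reason, so that someone reading the package changelog can tell those fixes were not lost.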
diff --git a/sources b/sources
index 592fef7..67e3cbb 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-2988385801c967f7262cdf08640c9e07 puppet-0.25.5.tar.gz
+b8f1b58a300bcb2389a7a0612ee5fa05 puppet-0.25.6.tar.gz
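Review bot: The replaced entry in sources is a 32-hex-digit digest, the length of an MD5 sum, which guards against a corrupted download but is a weak check against a substituted tarball. Suggest verifying puppet-0.25.6.tar.gz against puppet-0.25.6.tar.gz.asc before uploading, so that the digest recorded here is that of a signature-checked file.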