[SECURITY] Fedora EPEL 4 Update: puppet-0.25.5-2.el4

updates at fedoraproject.org
Mon Oct 24 15:39:55 UTC 2011


--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2011-4581
2011-10-04 18:02:39
--------------------------------------------------------------------------------

Name        : puppet
Product     : Fedora EPEL 4
Version     : 0.25.5
Release     : 2.el4
URL         : http://puppetlabs.com
Summary     : A network tool for managing many disparate systems
Description :
Puppet lets you centrally manage every important aspect of your system using a
cross-platform specification language that manages all the separate elements
normally aggregated in different files, like users, cron jobs, and hosts,
along with obviously discrete elements like packages, services, and files.

--------------------------------------------------------------------------------
Update Information:

The following vulnerabilities have been discovered and fixed:

    * CVE-2011-3848, a directory traversal attack
    * CVE-2011-3870, a symlink attack via a user's SSH authorized_keys file
    * CVE-2011-3869, a symlink attack via a user's .k5login file
    * CVE-2011-3871, a privilege escalation attack via the temp file used by the puppet resource application
    * A low-risk file indirector injection attack

Further details can be found in the upstream announcements:

http://groups.google.com/group/puppet-users/browse_thread/thread/e57ce2740feb9406  
http://groups.google.com/group/puppet-announce/browse_thread/thread/91e3b46d2328a1cb

Additionally, fixes for several bugs are included:

    * Yumrepo deprecation error (http://projects.puppetlabs.com/issues/4252)
    * Handle CR/LF in puppet.conf (http://projects.puppetlabs.com/issues/3514)
    * Capture stderr from exec resources (http://projects.puppetlabs.com/issues/2359)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #742644 - CVE-2011-3870 puppet: SSH authorized_keys symlink attack
        https://bugzilla.redhat.com/show_bug.cgi?id=742644
  [ 2 ] Bug #742645 - CVE-2011-3869 puppet: K5login content attack
        https://bugzilla.redhat.com/show_bug.cgi?id=742645
  [ 3 ] Bug #742649 - CVE-2011-3871 puppet: predictable temporary file using RAL
        https://bugzilla.redhat.com/show_bug.cgi?id=742649
  [ 4 ] Bug #742174 - CVE-2011-3848 puppet: Directory traversal attack by processing certain x509 certificate signing requests
        https://bugzilla.redhat.com/show_bug.cgi?id=742174
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use
su -c 'yum update puppet' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora EPEL GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


More information about the epel-package-announce mailing list