[SECURITY] Fedora 16 Update: puppet-2.6.17-2.fc16

updates at fedoraproject.org
Sat Jul 28 01:17:34 UTC 2012

Fedora Update Notification
2012-07-20 01:26:53

Name        : puppet
Product     : Fedora 16
Version     : 2.6.17
Release     : 2.fc16
URL         : http://puppetlabs.com
Summary     : A network tool for managing many disparate systems
Description :
Puppet lets you centrally manage every important aspect of your system using a
cross-platform specification language that manages all the separate elements
normally aggregated in different files, like users, cron jobs, and hosts,
along with obviously discrete elements like packages, services, and files.

Update Information:

This is an upstream security release.  It addresses a number of issues found in puppet-2.6.x.  The Red Hat security team has rated this update as having low security impact.

Refer to the upstream release notes and bugzilla entries for further details.


NetworkManager compatibility should be improved in this release, thanks to Orion Poplawski (any bugs in implementing Orion's suggested dispatcher script are my own).

* Thu Jul 19 2012 Todd Zullinger <tmz at pobox.com> - 2.6.17-2
- Corrected CVE list, 2.6 is not affected by CVE-2012-3866
* Wed Jul 11 2012 Todd Zullinger <tmz at pobox.com> - 2.6.17-1
- Update to 2.6.17, fixes CVE-2012-3864, CVE-2012-3865, CVE-2012-3867
- Improve NetworkManager compatibility, thanks to Orion Poplawski (#532085)
- Preserve timestamps when installing files
* Wed Apr 11 2012 Todd Zullinger <tmz at pobox.com> - 2.6.16-1
- Update to 2.6.16, fixes CVE-2012-1986, CVE-2012-1987, and CVE-2012-1988
- Correct permissions of /var/log/puppet (0750)
* Wed Feb 22 2012 Todd Zullinger <tmz at pobox.com> - 2.6.14-1
- Update to 2.6.14, fixes CVE-2012-1053 and CVE-2012-1054
* Mon Feb 13 2012 Todd Zullinger <tmz at pobox.com> - 2.6.13-3
- Move rpmlint fixes to %prep, add a few additional fixes
- Bump minimum ruby version to 1.8.5 now that EL-4 is all but dead
- Update install locations for Fedora-17 / Ruby-1.9
- Use ruby($lib) for augeas and shadow requirements
- Only try to run 0.25.x -> 2.6.x pid file updates on EL
* Thu Jan  5 2012 Todd Zullinger <tmz at pobox.com> - 2.6.13-2
- Revert to minimal patch for augeas >= 0.10 (bz#771097)
* Wed Dec 14 2011 Todd Zullinger <tmz at pobox.com> - 2.6.13-1
- Update to 2.6.13
- Cherry-pick various augeas fixes from upstream (bz#771097)
* Sun Oct 23 2011 Todd Zullinger <tmz at pobox.com> - 2.6.12-1
- Update to 2.6.12, fixes CVE-2011-3872
- Add upstream patch to restore Mongrel XMLRPC functionality (upstream #10244)
- Apply partial fix for upstream #9167 (tagmail report sends email when nothing

  [ 1 ] Bug #839130 - CVE-2012-3864 puppet: authenticated clients allowed to read arbitrary files from the puppet master
  [ 2 ] Bug #839131 - CVE-2012-3865 puppet: authenticated clients allowed to delete arbitrary files on the puppet master
  [ 3 ] Bug #839158 - CVE-2012-3867 puppet: insufficient validation of agent names in CN of SSL certificate requests

This update can be installed with the "yum" update program.  Use 
su -c 'yum update puppet' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
