[SECURITY] Fedora 17 Update: puppet-2.7.18-1.fc17

updates at fedoraproject.org updates at fedoraproject.org
Sat Jul 28 01:20:31 UTC 2012

Fedora Update Notification
2012-07-20 01:26:38

Name        : puppet
Product     : Fedora 17
Version     : 2.7.18
Release     : 1.fc17
URL         : http://puppetlabs.com
Summary     : A network tool for managing many disparate systems
Description :
Puppet lets you centrally manage every important aspect of your system using a
cross-platform specification language that manages all the separate elements
normally aggregated in different files, like users, cron jobs, and hosts,
along with obviously discrete elements like packages, services, and files.

Update Information:

This is an upstream security release.  It addresses a number of issues found in puppet-2.7.x.  The Red Hat security team has rated this update as having low security impact.

Refer to the upstream release notes and bugzilla entries for further details.


NetworkManager compatibility should be improved in this release, thanks to Orion Poplawski (any bugs in implementing Orion's suggested dispatcher script are my own).

* Wed Jul 11 2012 Todd Zullinger <tmz at pobox.com> - 2.7.18-1
- Update to 2.7.17, fixes CVE-2012-3864, CVE-2012-3865, CVE-2012-3866,
- Improve NetworkManager compatibility, thanks to Orion Poplawski (#532085)
- Preserve timestamps when installing files

  [ 1 ] Bug #839130 - CVE-2012-3864 puppet: authenticated clients allowed to read arbitrary files from the puppet master
  [ 2 ] Bug #839131 - CVE-2012-3865 puppet: authenticated clients allowed to delete arbitrary files on the puppet master
  [ 3 ] Bug #839135 - CVE-2012-3866 puppet: information leak via world readable last_run_report.yaml
  [ 4 ] Bug #839158 - CVE-2012-3867 puppet: insufficient validation of agent names in CN of SSL certificate requests
  [ 5 ] Bug #839166 - CVE-2012-3408 puppet: possible host impersonation when using certificates issues for IP address

This update can be installed with the "yum" update program.  Use 
su -c 'yum update puppet' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at

More information about the package-announce mailing list