[SECURITY] Fedora 17 Update: puppet-2.7.18-1.fc17
updates at fedoraproject.org
updates at fedoraproject.org
Sat Jul 28 01:20:31 UTC 2012
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-10891
2012-07-20 01:26:38
--------------------------------------------------------------------------------
Name : puppet
Product : Fedora 17
Version : 2.7.18
Release : 1.fc17
URL : http://puppetlabs.com
Summary : A network tool for managing many disparate systems
Description :
Puppet lets you centrally manage every important aspect of your system using a
cross-platform specification language that manages all the separate elements
normally aggregated in different files, like users, cron jobs, and hosts,
along with obviously discrete elements like packages, services, and files.
--------------------------------------------------------------------------------
Update Information:
This is an upstream security release. It addresses a number of issues found in puppet-2.7.x. The Red Hat security team has rated this update as having low security impact.
Refer to the upstream release notes and bugzilla entries for further details.
http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.7.18
NetworkManager compatibility should be improved in this release, thanks to Orion Poplawski (any bugs in implementing Orion's suggested dispatcher script are my own).
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jul 11 2012 Todd Zullinger <tmz at pobox.com> - 2.7.18-1
- Update to 2.7.17, fixes CVE-2012-3864, CVE-2012-3865, CVE-2012-3866,
CVE-2012-3867
- Improve NetworkManager compatibility, thanks to Orion Poplawski (#532085)
- Preserve timestamps when installing files
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #839130 - CVE-2012-3864 puppet: authenticated clients allowed to read arbitrary files from the puppet master
https://bugzilla.redhat.com/show_bug.cgi?id=839130
[ 2 ] Bug #839131 - CVE-2012-3865 puppet: authenticated clients allowed to delete arbitrary files on the puppet master
https://bugzilla.redhat.com/show_bug.cgi?id=839131
[ 3 ] Bug #839135 - CVE-2012-3866 puppet: information leak via world readable last_run_report.yaml
https://bugzilla.redhat.com/show_bug.cgi?id=839135
[ 4 ] Bug #839158 - CVE-2012-3867 puppet: insufficient validation of agent names in CN of SSL certificate requests
https://bugzilla.redhat.com/show_bug.cgi?id=839158
[ 5 ] Bug #839166 - CVE-2012-3408 puppet: possible host impersonation when using certificates issues for IP address
https://bugzilla.redhat.com/show_bug.cgi?id=839166
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update puppet' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
More information about the package-announce
mailing list