0005090: Upgrade Puppet to 2.7.22 due to security issues

Project:

Viewing Issue Simple Details [ Jump to Notes ]

[ View Advanced ] [ Issue History ] [ Print ]

Category

Severity

Reproducibility

Date Submitted

Last Update

0005090

[puppet] upgrade

major

N/A

2013-07-11 00:43

2013-07-12 02:18

Reporter

wcooley

View Status

public

Assigned To

markp

Priority

normal

Resolution

fixed

Status

closed

Summary

0005090: Upgrade Puppet to 2.7.22 due to security issues

Description

Please upgrade Puppet to 2.7.22; dublin has only 2.7.14 and kiel has only 2.7.21.

Versions prior to 2.7.22 have the following vulnerability:
"Unauthenticated Remote Code Execution Vulnerability"
  http://puppetlabs.com/security/cve/cve-2013-3567/ [^]

Prior to 2.7.21:
"Remote Code Execution Vulnerability"
  http://puppetlabs.com/security/cve/cve-2013-1640/ [^]

"Unauthenticated Remote Code Execution Vulnerability"
  http://puppetlabs.com/security/cve/cve-2013-1655/ [^]

Prior to 2.7.18:
"Arbitrary file read on the puppet master from authenticated clients"
  http://docs.puppetlabs.com/puppet/2.7/reference/release_notes.html#security-fixes [^]

There are several other security vulnerabilities covered in these releases, but these seemed to be the most pressing.

Additional Information

Tags

No tags attached.

Relationships

Notes
(0010490) markp (developer) 2013-07-11 19:38	Umm, live catalog has 2.7.22.... http://www.opencsw.org/packages/CSWpuppet/ [^]

(0010491) maciej (reporter) 2013-07-12 02:18	I think the problem the reporter was referring to, is the combination of these two things: 1. curl -s http://www.opencsw.org/get-it/releases/ [^] \| grep -i production <p>As of 2012, dublin is recommended for production systems.</p> 2. curl -s http://mirror.opencsw.org/opencsw/dublin/i386/5.10/catalog [^] \| awk '$1 == "puppet" { print $4 }' puppet-2.7.14,REV=2012.05.03-SunOS5.9-all-CSW.pkg.gz