Security: Insufficient certificate verification in Puppet
Name: Insufficient certificate verification in Puppet
ID: USN-1238-1
Distribution: Ubuntu
Platforms: Ubuntu 10.04 LTS, Ubuntu 10.10, Ubuntu 11.04, Ubuntu 11.10
Date: Tue, 25 October 2011, 09:10
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3872
http://puppetlabs.com/security/cve/cve-2011-3872/
Applications: Puppet

Original message
==========================================================================
Ubuntu Security Notice USN-1238-1
October 24, 2011

puppet vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS
Summary:
The Puppet master server could be impersonated in certain configurations.
Software Description:
- puppet: Centralized configuration management
Details:
It was discovered that Puppet incorrectly handled the non-default "certdnsnames" option when generating certificates. If this setting was added to puppet.conf, the puppet master's DNS alt names were added to the X.509 Subject Alternative Name field of all certificates, not just the puppet master's certificate. An attacker that has an incorrect agent certificate in his possession can use it to impersonate the puppet master in a man-in-the-middle attack.
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 11.10: puppet-common 2.7.1-1ubuntu3.2
Ubuntu 11.04: puppet-common 2.6.4-2ubuntu2.5
Ubuntu 10.10: puppet-common 2.6.1-0ubuntu2.4
Ubuntu 10.04 LTS: puppet-common 0.25.4-2ubuntu6.5
In general, a standard system update will make all the necessary changes.
If your puppet master's puppet.conf file has ever contained the "certdnsnames" setting, you must reissue your site certificates, or apply another mitigation technique. Please see the upstream advisory for more information:
http://puppetlabs.com/security/cve/cve-2011-3872/
References:
http://www.ubuntu.com/usn/usn-1238-1
CVE-2011-3872

Package Information:
https://launchpad.net/ubuntu/+source/puppet/2.7.1-1ubuntu3.2
https://launchpad.net/ubuntu/+source/puppet/2.6.4-2ubuntu2.5
https://launchpad.net/ubuntu/+source/puppet/2.6.1-0ubuntu2.4
https://launchpad.net/ubuntu/+source/puppet/0.25.4-2ubuntu6.5
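
An added example, not part of the Ubuntu notice or of Puppet's own tooling: shell helpers to check for the exposure the notice describes, by looking for the "certdnsnames" setting in puppet.conf and by listing signed agent certificates whose Subject Alternative Name carries DNS names other than the agent's own. The function names are hypothetical and all paths are arguments supplied by the caller; since the setting may have been removed since certificates were issued, the certificate audit is the check that matters.

```sh
#!/bin/sh
# Added example: audit helpers for CVE-2011-3872 (hypothetical function names).
# Assumption: the caller passes the puppet.conf path and the directory that
# holds the CA's signed PEM certificates; nothing is hard-coded here.

# Return 0 if the given puppet.conf currently sets "certdnsnames".
# A clean result does not prove the option was never set in the past.
conf_has_certdnsnames() {
    grep -Eq '^[[:space:]]*certdnsnames[[:space:]]*=' "$1"
}

# Read `openssl x509 -noout -text` output on stdin and print every DNS name
# found in the X.509 Subject Alternative Name extension, one per line.
san_dns_names() {
    awk '
        /X509v3 Subject Alternative Name/ {
            getline                      # the names are on the next line
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                if (parts[i] ~ /^DNS:/) print substr(parts[i], 5)
            }
        }'
}

# Certificate text on stdin, certificate's own name in $1: print the SAN DNS
# names that are not the certificate's own name. Output means "suspect".
foreign_san_names() {
    san_dns_names | grep -Fxv -- "$1" || true
}

# $1 = directory of signed *.pem files, $2 = the master's certname (skipped,
# because the master is expected to carry its DNS alt names).
audit_signed_dir() {
    for pem in "$1"/*.pem; do
        [ -f "$pem" ] || continue
        name=$(basename "$pem" .pem)
        [ "$name" = "$2" ] && continue
        extra=$(openssl x509 -in "$pem" -noout -text |
                foreign_san_names "$name" | tr '\n' ' ')
        [ -n "$extra" ] && echo "AFFECTED $name: $extra"
    done
    return 0
}
```

Every certificate reported by `audit_signed_dir` falls under the notice's instruction to reissue site certificates or apply another mitigation from the upstream advisory.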