
Security: Two problems in Puppet
Name: Two problems in Puppet
ID: USN-1372-1
Distribution: Ubuntu
Platforms: Ubuntu 10.04 LTS, Ubuntu 10.10, Ubuntu 11.04, Ubuntu 11.10
Date: Thu, 23 February 2012, 16:52
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1053
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1054
Applications: Puppet

Original message


==========================================================================
Ubuntu Security Notice USN-1372-1
February 23, 2012

puppet vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS

Summary:

Puppet could be made to overwrite files and run programs with administrator
privileges.

Software Description:
- puppet: Centralized configuration management

Details:

It was discovered that Puppet did not drop privileges when executing
commands as different users. If an attacker had control of the execution
manifests or the executed command, this could be used to execute code with
elevated group permissions (typically root). (CVE-2012-1053)

It was discovered that Puppet unsafely opened files when the k5login type
is used to manage files. A local attacker could exploit this to overwrite
arbitrary files and escalate privileges. (CVE-2012-1054)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.10:
puppet-common 2.7.1-1ubuntu3.5

Ubuntu 11.04:
puppet-common 2.6.4-2ubuntu2.8

Ubuntu 10.10:
puppet-common 2.6.1-0ubuntu2.6

Ubuntu 10.04 LTS:
puppet-common 0.25.4-2ubuntu6.6

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1372-1
CVE-2012-1053, CVE-2012-1054

Package Information:
https://launchpad.net/ubuntu/+source/puppet/2.7.1-1ubuntu3.5
https://launchpad.net/ubuntu/+source/puppet/2.6.4-2ubuntu2.8
https://launchpad.net/ubuntu/+source/puppet/2.6.1-0ubuntu2.6
https://launchpad.net/ubuntu/+source/puppet/0.25.4-2ubuntu6.6


