Multiple issues in Puppet
ID: | USN-1506-1 |
Distribution: | Ubuntu |
Platforms: | Ubuntu 10.04 LTS, Ubuntu 11.04, Ubuntu 11.10, Ubuntu 12.04 LTS |
Date: | Thu, July 12, 2012, 22:53 |
References: | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3864
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3865
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3866
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3867 |
Applications: | Puppet |
Original message |
|
==========================================================================
Ubuntu Security Notice USN-1506-1
July 12, 2012

puppet vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in Puppet.

Software Description:
- puppet: Centralized configuration management

Details:

It was discovered that Puppet incorrectly handled certain HTTP GET requests.
An attacker could use this flaw with a valid client certificate to retrieve
arbitrary files from the Puppet master. (CVE-2012-3864)

It was discovered that Puppet incorrectly handled Delete requests. If a
Puppet master were reconfigured to allow the "Delete" method, an attacker
on an authenticated host could use this flaw to delete arbitrary files from
the Puppet server, leading to a denial of service. (CVE-2012-3865)

It was discovered that Puppet incorrectly set file permissions on the
last_run_report.yaml file. An attacker could use this flaw to access
sensitive information. This issue only affected Ubuntu 11.10 and Ubuntu
12.04 LTS. (CVE-2012-3866)

It was discovered that Puppet incorrectly handled agent certificate names.
An attacker could use this flaw to create a specially crafted certificate
and trick an administrator into signing a certificate that can then be used
to man-in-the-middle agent nodes. (CVE-2012-3867)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
  puppet-common 2.7.11-1ubuntu2.1

Ubuntu 11.10:
  puppet-common 2.7.1-1ubuntu3.7

Ubuntu 11.04:
  puppet-common 2.6.4-2ubuntu2.10

Ubuntu 10.04 LTS:
  puppet-common 0.25.4-2ubuntu6.8

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-1506-1
  CVE-2012-3864, CVE-2012-3865, CVE-2012-3866, CVE-2012-3867

Package Information:
  https://launchpad.net/ubuntu/+source/puppet/2.7.11-1ubuntu2.1
  https://launchpad.net/ubuntu/+source/puppet/2.7.1-1ubuntu3.7
  https://launchpad.net/ubuntu/+source/puppet/2.6.4-2ubuntu2.10
  https://launchpad.net/ubuntu/+source/puppet/0.25.4-2ubuntu6.8
|