Security: Multiple issues in Puppet
Name: Multiple issues in Puppet
ID: USN-1506-1
Distribution: Ubuntu
Platforms: Ubuntu 10.04 LTS, Ubuntu 11.04, Ubuntu 11.10, Ubuntu 12.04 LTS
Date: Thu, 12 July 2012, 22:53
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3864
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3865
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3866
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3867
Applications: Puppet

Original message
==========================================================================
Ubuntu Security Notice USN-1506-1
July 12, 2012

puppet vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in Puppet.
Software Description:
- puppet: Centralized configuration management
Details:
It was discovered that Puppet incorrectly handled certain HTTP GET requests. An attacker could use this flaw with a valid client certificate to retrieve arbitrary files from the Puppet master. (CVE-2012-3864)
It was discovered that Puppet incorrectly handled Delete requests. If a Puppet master were reconfigured to allow the "Delete" method, an attacker on an authenticated host could use this flaw to delete arbitrary files from the Puppet server, leading to a denial of service. (CVE-2012-3865)
It was discovered that Puppet incorrectly set file permissions on the last_run_report.yaml file. An attacker could use this flaw to access sensitive information. This issue only affected Ubuntu 11.10 and Ubuntu 12.04 LTS. (CVE-2012-3866)
It was discovered that Puppet incorrectly handled agent certificate names. An attacker could use this flaw to create a specially crafted certificate and trick an administrator into signing a certificate that can then be used to man-in-the-middle agent nodes. (CVE-2012-3867)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 12.04 LTS: puppet-common 2.7.11-1ubuntu2.1
Ubuntu 11.10: puppet-common 2.7.1-1ubuntu3.7
Ubuntu 11.04: puppet-common 2.6.4-2ubuntu2.10
Ubuntu 10.04 LTS: puppet-common 0.25.4-2ubuntu6.8
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1506-1
CVE-2012-3864, CVE-2012-3865, CVE-2012-3866, CVE-2012-3867

Package Information:
https://launchpad.net/ubuntu/+source/puppet/2.7.11-1ubuntu2.1
https://launchpad.net/ubuntu/+source/puppet/2.7.1-1ubuntu3.7
https://launchpad.net/ubuntu/+source/puppet/2.6.4-2ubuntu2.10
https://launchpad.net/ubuntu/+source/puppet/0.25.4-2ubuntu6.8