Bug 1101346 (CVE-2014-3248)
| Summary: | CVE-2014-3248 puppet: Ruby modules could be loaded from the current working directory | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Murray McAllister <mmcallis> | ||||||||||||||||||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||||||||||||||||||
| Status: | CLOSED NOTABUG | QA Contact: | |||||||||||||||||||||
| Severity: | medium | Docs Contact: | |||||||||||||||||||||
| Priority: | medium | ||||||||||||||||||||||
| Version: | unspecified | CC: | abaron, admiller, aortega, apevec, ayoung, bkearney, carnil, cbillett, ccoleman, chrisw, cpelland, dallan, dcleal, dmcphers, fedora, gkotton, jialiu, jokerman, jose.p.oliveira.oss, jrusnack, katello-bugs, k.georgiou, kseifried, ktdreyer, lhh, lmeyer, lzap, markmc, mastahnke, mmagr, mmccomas, mmccune, mmcgrath, moses, rbryant, rhos-maint, rrati, sclewis, security-response-team, s, steve.traylen, tjay, tmz, tomckay, vanmeeuwen+fedora, vdanen, yeylon | ||||||||||||||||||||
| Target Milestone: | --- | Keywords: | Security | ||||||||||||||||||||
| Target Release: | --- | ||||||||||||||||||||||
| Hardware: | All | ||||||||||||||||||||||
| OS: | Linux | ||||||||||||||||||||||
| Whiteboard: | |||||||||||||||||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||||||||||||||||
| Doc Text: | Story Points: | --- | |||||||||||||||||||||
| Clone Of: | Environment: | ||||||||||||||||||||||
| Last Closed: | 2014-09-17 19:42:26 UTC | Type: | --- | ||||||||||||||||||||
| Regression: | --- | Mount Type: | --- | ||||||||||||||||||||
| Documentation: | --- | CRM: | |||||||||||||||||||||
| Verified Versions: | Category: | --- | |||||||||||||||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||||||||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||||||||||||||
| Embargoed: | |||||||||||||||||||||||
| Bug Depends On: | 1107890, 1107891, 1107892, 1107893, 1107894, 1108503, 1114902 | ||||||||||||||||||||||
| Bug Blocks: | 1101348 | ||||||||||||||||||||||
| Attachments: |
|
||||||||||||||||||||||
|
Description
Murray McAllister
2014-05-27 03:04:03 UTC
Created attachment 899370 [details]
facter patch from upstream
Created attachment 899371 [details]
hiera patch from upstream
Created attachment 899372 [details]
mcollective patch from upstream
Created attachment 899373 [details]
puppet patch from upstream
Created attachment 902394 [details]
revised facter-2.0.1 patch
Created attachment 902395 [details]
revised hiera-1.3.3 patch
Created attachment 902396 [details]
revised mcollective-2.5.1 patch
Created attachment 902397 [details]
revised puppet-2.7.25 patch
Created attachment 902398 [details]
revised puppet-3.6.1 patch
This issue has been fixed in Puppet Enterprise 2.8.7, Puppet 3.6.2, Puppet 2.7.26, Facter 2.0.2, Hiera 1.3.4, and Mcollective 2.5.2. External References: http://puppetlabs.com/security/cve/cve-2014-3248 Created hiera tracking bugs for this issue: Affects: epel-6 [bug 1107893] Created puppet tracking bugs for this issue: Affects: epel-all [bug 1107890] Created facter tracking bugs for this issue: Affects: fedora-19 [bug 1107891] Affects: epel-all [bug 1107892] Created mcollective tracking bugs for this issue: Affects: epel-all [bug 1107894] Created facter tracking bugs for this issue: Affects: fedora-20 [bug 1114902] (In reply to Murray McAllister from comment #20) > Created facter tracking bugs for this issue: > > Affects: fedora-20 [bug 1114902] Matthew Thode indicated version 1.7 is actually vulnerable: https://bugs.gentoo.org/show_bug.cgi?id=514476#c1 mcollective-2.2.3-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report. hiera-1.0.0-4.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report. Please note that we ship Ruby 1.9.3 in virtually all products (the exception being RHEL 4 and 5 base, however many products that run on these, e.g. SAM 1.4 ship their own up to date Ruby 1.9.3). Please note that OpenStack 4 and 5 only run on RHEL 6 and 7, which have Ruby 1.9.3 so notaffected either. Statement: This issue did not affect the versions of Puppet, Mcollective, Facter, or Hiera as shipped with various Red Hat Enterprise products as they all run on top of Ruby 1.9.3 or later. For the record - in F19 branch I struggled with releasing a backport fix because the patch for this CVE/NOTABUG was never removed from the branch. I am reverting it (commenting the patch line out the SPEC). facter-1.6.18-7.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report. facter-1.7.6-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. |