Bug 742174 (CVE-2011-3848)
Summary: | CVE-2011-3848 puppet: Directory traversal attack by processing certain x509 certificate signing requests | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> | ||||||||
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||||||
Status: | CLOSED ERRATA | QA Contact: | |||||||||
Severity: | medium | Docs Contact: | |||||||||
Priority: | medium | ||||||||||
Version: | unspecified | CC: | bkearney, katello-internal, k.georgiou, ktdreyer, morazi, mrg-program-list, tmz, vanmeeuwen+fedora, vdanen | ||||||||
Target Milestone: | --- | Keywords: | Security | ||||||||
Target Release: | --- | ||||||||||
Hardware: | All | ||||||||||
OS: | Linux | ||||||||||
Whiteboard: | |||||||||||
Fixed In Version: | puppet 2.6.10, puppet 2.7.4 | Doc Type: | Bug Fix | ||||||||
Doc Text: | Story Points: | --- | |||||||||
Clone Of: | Environment: | ||||||||||
Last Closed: | 2012-07-04 06:44:17 UTC | Type: | --- | ||||||||
Regression: | --- | Mount Type: | --- | ||||||||
Documentation: | --- | CRM: | |||||||||
Verified Versions: | Category: | --- | |||||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||||
Embargoed: | |||||||||||
Bug Depends On: | 742654, 742655 | ||||||||||
Bug Blocks: | 742180, 748458 | ||||||||||
Attachments: |
|
Description
Jan Lieskovsky
2011-09-29 10:10:33 UTC
Created attachment 525509 [details]
Puppet upstream patch against v2.7.x branch
Created attachment 525510 [details]
Puppet upstream patch against v2.6.x branch
Created attachment 525511 [details]
Puppet upstream patch against v0.25.x branch
This issue has been scheduled to be addressed in the following releases: 1) puppet-2.6.6-2.fc15 for Fedora-15, 2) puppet-2.6.6-2.fc14 for Fedora-14, 3) puppet-2.6.6-2.el6 for EPEL-6, 4) puppet-2.6.6-2.el5 for EPEL-5. Once the above updates have passed the required testing, they will be pushed to particular -stable repositories. Created puppet tracking bugs for this issue Affects: fedora-all [bug 742654] Affects: epel-all [bug 742655] puppet-0.25.5-2.el4 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report. Resolved in Puppet 2.7.4 and 2.6.10, CloudForms ships Puppet 2.6.14. Fixed upstream in 2.7.4 and 2.6.10. External Reference: http://puppetlabs.com/security/cve/cve-2011-3848/ |