Bug 742644 (CVE-2011-3870)
Summary: | CVE-2011-3870 puppet: SSH authorized_keys symlink attack
---|---
Product: | [Other] Security Response
Component: | vulnerability
Reporter: | Vincent Danen <vdanen>
Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED ERRATA
Severity: | high
Priority: | high
Version: | unspecified
CC: | bkearney, katello-internal, k.georgiou, ktdreyer, morazi, security-response-team, tmz, vanmeeuwen+fedora
Keywords: | Security
Hardware: | All
OS: | Linux
Fixed In Version: | puppet 2.6.11, puppet 2.7.5
Doc Type: | Bug Fix
Last Closed: | 2012-07-04 06:46:22 UTC
Bug Depends On: | 742654, 742655
Bug Blocks: | 742180, 748458
Description
Vincent Danen
2011-09-30 21:27:57 UTC
Created attachment 525844
patch from upstream for 2.6.x and 2.7.x
Created attachment 525845
patch from upstream for 0.25.x
Created attachment 525846
patch from Jamie Strandboge needed prior to applying upstream's 0.25.x patch
Jamie noted that this patch needs to be applied prior to what upstream supplied, which are from commits:
ce233aa2a511bf6818f28c226144ec5b05a468ee
8d9575775737c08c6cbfdf7f9a22f2ea4ab21b20
0aae5a71a8e3b38cd8d7041f5c40091887c924a8
Created puppet tracking bugs for this issue

Affects: fedora-all [bug 742654]
Affects: epel-all [bug 742655]

puppet-0.25.5-2.el4 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report.

Resolved in Puppet 2.7.5 and 2.6.11, CloudForms ships Puppet 2.6.14.

Fixed upstream in 2.7.5 and 2.6.11.

External Reference: http://puppetlabs.com/security/cve/cve-2011-3870/