Bug 839130 (CVE-2012-3864)
| Summary: | CVE-2012-3864 puppet: authenticated clients allowed to read arbitrary files from the puppet master | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Kurt Seifried <kseifried> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | k.georgiou, ktdreyer, tmz, vanmeeuwen+fedora |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | puppet 2.6.17, puppet 2.7.18 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-12-11 09:30:12 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 839168, 839171, 839176 | ||
| Bug Blocks: | 767033, 836071, 839173 | ||
|
Description
Kurt Seifried
2012-07-11 04:56:47 UTC
Created puppet tracking bugs for this issue Affects: fedora-17 [bug 839168] Created puppet tracking bugs for this issue Affects: fedora-16 [bug 839171] External Reference: http://puppetlabs.com/security/cve/cve-2012-3864/ Related upstream commits: 2.6: https://github.com/puppetlabs/puppet/commit/8eb0cd8 https://github.com/puppetlabs/puppet/commit/828c16a https://github.com/puppetlabs/puppet/commit/e7ef153 https://github.com/puppetlabs/puppet/commit/29ae87d https://github.com/puppetlabs/puppet/commit/c872619 https://github.com/puppetlabs/puppet/commit/c3c7462 2.7: https://github.com/puppetlabs/puppet/commit/38c5a4e https://github.com/puppetlabs/puppet/commit/9e920a8 https://github.com/puppetlabs/puppet/commit/2d01c2b https://github.com/puppetlabs/puppet/commit/40ee670 https://github.com/puppetlabs/puppet/commit/d881b4b https://github.com/puppetlabs/puppet/commit/20ab0e9 https://github.com/puppetlabs/puppet/commit/10f6cb8 Are tracking bugs for epel-5 and epel-6 required as well? They include 2.6.x so they are impacted by the same CVE's as fedora-16.
I have builds in progress for f16 and el{5,6}.
puppet-2.6.17-2.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report. puppet-2.7.18-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report. puppet-2.6.17-2.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report. puppet-2.6.17-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report. Acknowledgements: Red Hat would like to thank Puppet Labs for reporting this issue. This issue has been addressed in following products: CloudForms for RHEL 6 Via RHSA-2012:1542 https://rhn.redhat.com/errata/RHSA-2012-1542.html |