Bug 919775 (CVE-2013-1655)

Summary: CVE-2013-1655 Puppet: Master code loading Ruby symbols vulnerability
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: urgent
Priority: urgent
Version: unspecified
CC: bressers, rh, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=critical,public=20130312,reported=20130309,source=upstream,cvss2=7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P,fedora-all/puppet=affected,cwe=CWE-502
Doc Type: Bug Fix
Last Closed: 2014-05-30 14:47:22 EDT
Bug Depends On: 920845

Description Kurt Seifried 2013-03-09 20:56:24 EST
Moses Mendoza (moses@puppetlabs.com) reports:

CVE-2013-1655 - Unauthenticated remote code execution risk
* Affected versions: 2.7.0 and greater
* Affects puppet masters running ruby 1.9.3 and up
* Patched versions: 2.7.x, 3.1.x

A bug in Puppet allows unauthenticated clients to send requests to the
puppet master, and have the master load code in an unsafe manner. This
has the potential for causing problems such as described in the Rails
CVE-2013-0156, though we have not identified an exploit at this time.
It only affects users whose puppet masters are running ruby 1.9.3 and

External References:

Comment 1 Vincent Danen 2013-03-12 17:41:30 EDT
Created puppet tracking bugs for this issue

Affects: fedora-all [bug 920845]

Comment 2 Kurt Seifried 2013-03-15 00:59:14 EDT
For the puppet roll-up patches please see Bz 919783 for the patch files.

Comment 3 Fedora Update System 2013-08-01 23:24:22 EDT
puppet-3.1.1-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.