A security flaw was found in the way Puppet, a network tool for managing many disparate systems, recognized additional DNS names to be added to the certificate of the Puppet master, when that certificate was used for subsequent communication with Puppet clients. A remote, privileged user with the ability to modify the SSL certificate of the Puppet agent could use this flaw to impersonate the main Puppet master server against Puppet clients (MITM).
This issue affects the versions of the puppet package, as shipped with Fedora release of 14 and 15. -- This issue affects the versions of the puppet package, as shipped with Fedora EPEL 4, Fedora EPEL 5 and Fedora EPEL 6 releases.
Created attachment 529872: Local copy of proposed upstream patch for Puppet CVE-2011-3872 issue against the v2.7.5 branch
Created attachment 529874: Local copy of proposed upstream patch for Puppet CVE-2011-3872 issue against the v0.24 branch
Removes the certdnsnames option altogether.
This issue affects the versions of the puppet package, as shipped with Red Hat Enterprise MRG 1.3.
This issue is now public. External Reference: http://www.puppetlabs.com/security/cve/cve-2011-3872/
Closing as puppet 2.6.12 has been pushed to stable as an update for EPEL 4,5,6 and Fedora 14,15,16 and rawhide.
This issue also affects CloudForms
Created puppet tracking bugs for this issue Affects: fedora-all [bug 801972]
I'm a bit confused (nothing new there). This issue was fixed in puppet 2.6.12 which has been in all fedora releases for a while now. As a puppet maintainer for fedora/epel, is there something further that I need to do?
Resolved in Puppet 2.7.6 and 2.6.12, CloudForms ships Puppet 2.6.14.
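An audit sketch for the flaw described at the top of this bug, added here as an example and not taken from the Puppet patches or from any commenter. It assumes the exposure shows up as non-master certificates carrying the master's DNS names as subjectAltName entries, and that each certificate has been dumped with `openssl x509 -noout -text`; the host names, the sample dumps and the puppet.conf fragment are constructed.

```python
import re

# Constructed stand-ins for `openssl x509 -noout -text` output of three signed
# certificates; all host names are hypothetical.
SAMPLE_CERTS = [
    "Subject: CN=puppet.example.com\n"
    "    X509v3 Subject Alternative Name: \n"
    "        DNS:puppet, DNS:puppet.example.com\n",
    "Subject: CN = agent01.example.com\n"
    "    X509v3 Subject Alternative Name: \n"
    "        DNS:puppet, DNS:puppet.example.com\n",
    "Subject: CN=agent02.example.com\n",
]
# Constructed puppet.conf fragment that still sets the option.
SAMPLE_CONF = ("[main]\nlogdir = /var/log/puppet\n"
               "[master]\ncertdnsnames = puppet:puppet.example.com\n")

def subject_cn(cert_text):
    """Return the subject CN; accepts both 'CN=x' and 'CN = x' renderings."""
    m = re.search(r"Subject:.*?CN\s*=\s*([^,/\s]+)", cert_text)
    return m.group(1).lower() if m else None

def san_dns_names(cert_text):
    """Return the DNS entries listed under Subject Alternative Name."""
    m = re.search(r"Subject Alternative Name:[^\n]*\n\s*([^\n]+)", cert_text)
    if not m:
        return set()
    entries = (e.strip() for e in m.group(1).split(","))
    return {e[4:].lower() for e in entries if e.startswith("DNS:")}

def audit_certs(cert_texts, master_names):
    """Map each non-master certname to the master names its certificate claims."""
    master = {n.lower() for n in master_names}
    findings = {}
    for text in cert_texts:
        cn = subject_cn(text)
        claimed = san_dns_names(text) & master
        if cn not in master and claimed:
            findings[cn] = sorted(claimed)
    return findings

def certdnsnames_settings(conf_text):
    """Return (section, value) for every certdnsnames line in puppet.conf."""
    section, hits = None, []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif re.match(r"certdnsnames\s*=", line):
            hits.append((section, line.split("=", 1)[1].strip()))
    return hits
```

Any certname returned by `audit_certs` is a candidate for revocation and reissue once the master runs a fixed release.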