From puppet labs:

CVE-2012-3865 (Arbitrary file delete/D.O.S on Puppet Master)

A bug in Puppet 2.6.16 and 2.7.17 allows authenticated clients to delete arbitrary files on the puppet master. Given a Puppet master with the “Delete” method allowed in auth.conf for an authenticated host, an attacker on that host can send a specially crafted Delete request that can cause an arbitrary file deletion on the Puppet master, potentially causing a denial of service attack. Note that this vulnerability does *not* exist in Puppet as configured by default; auth.conf must first be edited to enable deletion.

Resolved in Puppet 2.6.17, 2.7.18
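The precondition in the advisory (deletion enabled in auth.conf, on a release older than the fixed ones) can be checked mechanically. The following is an added example, not code from Puppet Labs or from this bug report. It assumes the usual auth.conf stanza layout (`path`, `method`, `allow`) and that deletion is spelled `destroy` there; the sample file and host name are constructed.

```ruby
# Added example: audit auth.conf for ACLs that let a host delete resources.
require "rubygems"
# Fixed releases named in the advisory, keyed by release series.
FIXED = { "2.6" => Gem::Version.new("2.6.17"), "2.7" => Gem::Version.new("2.7.18") }

SAMPLE = <<~CONF
  # constructed sample, not taken from a real master
  path ~ ^/catalog/([^/]+)$
  method find
  allow $1
  path /file_bucket_file
  method find, save, destroy
  allow agent01.example.com
  path /
  auth any
CONF

# Split auth.conf text into ACL stanzas; each stanza starts with a `path` line.
def parse_acls(text)
  acls = []
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#")
    key, value = line.split(/\s+/, 2)
    if key == "path"
      acls << { path: value.to_s, methods: [], allow: [] }
    elsif acls.last && %w[method allow].include?(key)
      list = key == "method" ? :methods : :allow
      acls.last[list].concat(value.to_s.split(/[\s,]+/))
    end
  end
  acls
end

# ACLs granting `destroy` to some host (assumption: no `method` line means all methods).
def delete_enabled(acls)
  acls.select { |a| (a[:methods].empty? || a[:methods].include?("destroy")) && a[:allow].any? }
end

# true/false for the 2.6 and 2.7 series, nil for a series the advisory does not list.
def patched?(version)
  v = Gem::Version.new(version)
  fixed = FIXED[v.segments.first(2).join(".")]
  fixed && v >= fixed
end

if __FILE__ == $PROGRAM_NAME
  delete_enabled(parse_acls(SAMPLE)).each { |a| puts "delete allowed: #{a[:path]} -> #{a[:allow].join(', ')}" }
  puts "2.6.16 patched? #{patched?('2.6.16')}"
end
```

A master is exposed to this issue only when both checks fail: at least one ACL is reported and `patched?` returns false for the installed version.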
Created puppet tracking bugs for this issue. Affects: fedora-17 [bug 839168]
Created puppet tracking bugs for this issue. Affects: fedora-16 [bug 839171]
External Reference: http://puppetlabs.com/security/cve/cve-2012-3865/
Upstream commits:
2.6: https://github.com/puppetlabs/puppet/commit/554eefc
2.7: https://github.com/puppetlabs/puppet/commit/d804782
puppet-2.6.17-2.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
puppet-2.7.18-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
puppet-2.6.17-2.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
puppet-2.6.17-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Acknowledgements: Red Hat would like to thank Puppet Labs for reporting this issue.
This issue has been addressed in the following products:
CloudForms for RHEL 6
Via RHSA-2012:1542 https://rhn.redhat.com/errata/RHSA-2012-1542.html