Bug 919775 - (CVE-2013-1655) CVE-2013-1655 Puppet: Master code loading Ruby symbols vulnerability
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Assigned To: Red Hat Product Security
Whiteboard: impact=critical,public=20130312,repor...
Keywords: Security
Depends On: 920845
Reported: 2013-03-09 20:56 EST by Kurt Seifried
Modified: 2014-05-30 14:47 EDT (History)

Last Closed: 2014-05-30 14:47:22 EDT
Description Kurt Seifried 2013-03-09 20:56:24 EST
Moses Mendoza (moses@puppetlabs.com) reports:

CVE-2013-1655 - Unauthenticated remote code execution risk
* Affected versions: 2.7.0 and greater
* Affects puppet masters running ruby 1.9.3 and up
* Patched versions: 2.7.x, 3.1.x

A bug in Puppet allows unauthenticated clients to send requests to the
puppet master, and have the master load code in an unsafe manner. This
has the potential for causing problems such as described in the Rails
CVE-2013-0156, though we have not identified an exploit at this time.
It only affects users whose puppet masters are running ruby 1.9.3 and
above.


External References:
https://puppetlabs.com/security/cve/cve-2013-1655/
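The report above describes the master deserializing client-supplied data so that Ruby symbols (and, as in Rails CVE-2013-0156, potentially other objects) get instantiated from an unauthenticated request. The following Ruby snippet is an added illustration, not code from Puppet or from this bug: it assumes the unsafe load is YAML deserialization, and shows how a full Psych load honours a client-supplied `!ruby/sym` tag while a restricted `safe_load` rejects it. The request bodies and the `handle_request` helper are constructed for the example.

```ruby
require 'yaml'

# Constructed sample of a client-supplied YAML body (not taken from Puppet):
# plain strings and nested hashes only.
BENIGN_REQUEST = <<~YAML
  host: web01.example.test
  environment: production
  facts:
    osfamily: RedHat
YAML

# Same shape, but the client tags a value as a Ruby Symbol. A full
# deserializer honours the tag; a bare ":name" scalar is treated the same way.
TAGGED_REQUEST = <<~YAML
  host: web01.example.test
  environment: !ruby/sym production
YAML

# Legacy loader: full Psych deserialization, i.e. the unsafe path.
# Psych 4 (Ruby 3.1+) made YAML.load safe, so use unsafe_load where it exists.
def legacy_load(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Hardened loader: plain data only; no symbols, no object tags, no aliases.
def safe_request_load(text)
  YAML.safe_load(text, permitted_classes: [], permitted_symbols: [], aliases: false)
end

# Server-side handler (hypothetical): returns [:ok, data] for plain documents
# and [:rejected, error_class] when Psych refuses to instantiate a disallowed type.
def handle_request(text)
  [:ok, safe_request_load(text)]
rescue Psych::DisallowedClass, Psych::BadAlias, Psych::SyntaxError => e
  [:rejected, e.class.name]
end

if __FILE__ == $PROGRAM_NAME
  p legacy_load(TAGGED_REQUEST)['environment'] # => :production (Symbol instantiated)
  p handle_request(BENIGN_REQUEST).first       # => :ok
  p handle_request(TAGGED_REQUEST)             # => [:rejected, "Psych::DisallowedClass"]
end
```

The same rejection applies to any `!ruby/object:` tag, which is the class-loading behaviour the advisory compares to the Rails issue.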
Comment 1 Vincent Danen 2013-03-12 17:41:30 EDT
Created puppet tracking bugs for this issue

Affects: fedora-all [bug 920845]
Comment 2 Kurt Seifried 2013-03-15 00:59:14 EDT
For the puppet roll-up patches please see Bz 919783 for the patch files.
Comment 3 Fedora Update System 2013-08-01 23:24:22 EDT
puppet-3.1.1-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.