Red Hat Bugzilla – Bug 919775
CVE-2013-1655 Puppet: Master code loading Ruby symbols vulnerability
Last modified: 2014-05-30 14:47:22 EDT
Moses Mendoza (email@example.com) reports:
CVE-2013-1655 - Unauthenticated remote code execution risk
* Affected versions: 2.7.0 and greater
* Affects puppet masters running Ruby 1.9.3 and up
* Patched versions: 2.7.x, 3.1.x
A bug in Puppet allows unauthenticated clients to send requests to the
puppet master, and have the master load code in an unsafe manner. This
has the potential for causing problems such as described in the Rails
CVE-2013-0156, though we have not identified an exploit at this time.
It only affects users whose puppet masters are running Ruby 1.9.3 and
Created puppet tracking bugs for this issue
Affects: fedora-all [bug 920845]
For the puppet roll-up patches please see Bz 919783 for the patch files.
puppet-3.1.1-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.