There have been two vulnerabilities discovered in Puppet (CVE-2012-1053 and CVE-2012-1054). Puppet Labs is currently working with distribution maintainers, as well as key customers to ensure we are able to patch this vulnerability before it is exploited. The CVEs and issues have not been made public yet. We appreciate your discretion at this time. We have included patches for 2.6.x and 2.7.x. If you need help with patches for other series or versions of Puppet, please let us know. # Summary # (#12460) Klogin type will write to untrusted locations (write through symlinks) #12460 - Klogin File Handling Issue (Write through symlink) High risk for users of this type. Users can symlink to arbitrary files, causing them to be overwritten, such as other klogin files (including root).
This is embargoed, no release date has been set yet, I have contacted PuppetLabs and requested more information.
Created attachment 562349 [details] Patch for CVE-2012-1053 and CVE-2012-1054
Per conversation with Michael Stahnke at Puppet Labs, the release that was planned for tonight has been pushed to tomorrow. I noticed a minor regression in the 2.6.14 packages we'll be using, so they're going to fix that up before release.
External Reference: http://puppetlabs.com/security/cve/cve-2012-1054/
Created puppet tracking bugs for this issue Affects: fedora-all [bug 801972]
Created puppet tracking bugs for this issue Affects: epel-all [bug 801974]
puppet-2.6.14-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
puppet-2.6.14-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
puppet-2.6.14-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
puppet-2.6.14-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
puppet-2.6.14-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.