Moses Mendoza (moses) reports:

CVE-2013-1640 - Remote code execution on master from authenticated clients

* Affected versions: 0.24.7 and greater
* Resolved in Puppet 2.6.18, 2.7.21, 3.1.1, Puppet Enterprise 1.2.7, 2.7.2

A bug in Puppet allows an authenticated client to request its catalog from the puppet master, and cause the puppet master to execute arbitrary code. The puppet master must invoke the `template` or `inline_template` functions during catalog compilation for this to be exploited.

External References:
https://puppetlabs.com/security/cve/cve-2013-1640/

Created puppet tracking bugs for this issue Affects: epel-all [bug 920843]
Created puppet tracking bugs for this issue Affects: fedora-all [bug 920845]
Created attachment 710424 puppet-3.1.0-CVE-Rollup.patch
Created attachment 710425 puppet-2.7.20-CVE-Rollup.patch
Created attachment 710426 puppet-2.7.18-CVE-Rollup.patch
Created attachment 710427 puppet-2.7.11-CVE-Rollup.patch
Created attachment 710428 puppet-2.6.17-CVE-Rollup.patch
Acknowledgements: Red Hat would like to thank Puppet Labs for reporting this issue.
This issue has been addressed in the following products:
  OpenStack Folsom for RHEL 6
Via RHSA-2013:0710 https://rhn.redhat.com/errata/RHSA-2013-0710.html
puppet-2.6.18-2.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
puppet-2.6.18-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Removed due to typo.
puppet-3.1.1-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.