Mageia alert MGASA-2013-0259 (puppet) [LWN.net]


From:
    	       Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	       updates-announce@ml.mageia.org 
Subject:
    	       [updates-announce] MGASA-2013-0259: Updated puppet and puppet3 package fix security vulnerabilities 
Date:
    	       Mon, 26 Aug 2013 21:44:52 +0200
Message-ID:
    	       <20130826194453.0F25543504@valstar.mageia.org>
Archive-link:
    	       Article, Thread
              
MGASA-2013-0259 - Updated puppet and puppet3 package fix security vulnerabilities

Publication date: 26 Aug 2013
URL: http://advisories.mageia.org/MGASA-2013-0259.html
Type: security
Affected Mageia releases: 2, 3
CVE: CVE-2013-4761,
     CVE-2013-4956

Description:
It was discovered that Puppet incorrectly handled the resource_type
service. A local attacker on the master could use this issue to execute
arbitrary Ruby files (CVE-2013-4761).

It was discovered that Puppet incorrectly handled permissions on the
modules it installed. Modules could be installed with the permissions
that existed when they were built, possibly exposing them to a local
attacker (CVE-2013-4956).

References:
- https://bugs.mageia.org/show_bug.cgi?id=11019
- http://puppetlabs.com/security/cve/cve-2013-4761/
- http://puppetlabs.com/security/cve/cve-2013-4956/
- http://www.ubuntu.com/usn/usn-1928-1/
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4761
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4956

SRPMS:
- 3/core/puppet-2.7.23-1.mga3
- 3/core/puppet3-3.2.4-1.mga3
- 2/core/puppet-2.7.23-1.mga2
(Log in to post comments)