LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

puppet: IP address impersonation

Package(s):puppet CVE #(s):CVE-2012-3408
Created:July 30, 2012 Updated:August 1, 2012
Description: From the Red Hat bugzilla:

From puppet labs: Puppet agents with certnames of IP addresses can be impersonated

This affects Puppet 2.6.16 and 2.7.17

If an authenticated host with a certname of an IP address changes IP addresses, and a second host assumes the first host's former IP address, the second host will be treated by the puppet master as the first one, giving the second host access to the first host's catalog. Note: This will not be fixed in Puppet versions prior to the forthcoming 3.x. Instead, with this announcement IP-based authentication in Puppet < 3.x is deprecated.

Resolved in Puppet 2.6.17, 2.7.18

Alerts:
Fedora FEDORA-2012-10891 2012-07-28
(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds