Fedora alert FEDORA-2013-4187 (puppet)
From: updates@fedoraproject.org
To: package-announce@lists.fedoraproject.org
Subject: [SECURITY] Fedora 17 Update: puppet-2.7.21-2.fc17
Date: Sat, 30 Mar 2013 21:31:30 +0000
Message-ID: <20130330213130.2F16D20A4B@bastion01.phx2.fedoraproject.org>
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-4187
2013-03-21 23:11:21
--------------------------------------------------------------------------------

Name        : puppet
Product     : Fedora 17
Version     : 2.7.21
Release     : 2.fc17
URL         : http://puppetlabs.com
Summary     : A network tool for managing many disparate systems
Description :
Puppet lets you centrally manage every important aspect of your system using a
cross-platform specification language that manages all the separate elements
normally aggregated in different files, like users, cron jobs, and hosts,
along with obviously discrete elements like packages, services, and files.

--------------------------------------------------------------------------------
Update Information:

Updates for the security announcements from Puppet Labs on 12-Mar-2013.

https://groups.google.com/group/puppet-announce/t/9200f26...

This update also provides backported fixes for a number of issues with ruby-1.9.

--------------------------------------------------------------------------------
ChangeLog:

* Mon Mar 18 2013 Todd Zullinger <tmz@pobox.com> - 2.7.21-2
- Apply upstream fix for fqdn_rand function with ruby-1.9 (#880959)
- Apply upstream fix to make WEBrick more tolerant of old clients (#831303)
- Apply upstream fix to avoid deprecated iconv (#809911)
- Apply upstream fix to avoid class level variables (#809911)

* Wed Mar 13 2013 Michael Stahnke <stahnma@puppetlabs.com> - 2.7.21-1
- Fixes for CVE-2013-1640 CVE-2013-1652 CVE-2013-1653 CVE-2013-1654
- CVE-2013-1655 CVE-2013-2274 CVE-2013-2275
- Remove Ruby 1.9.3 load file patch. It's now upstream
- Remove install permissions patch. It's now upstream

* Wed Jul 11 2012 Todd Zullinger <tmz@pobox.com> - 2.7.18-1
- Update to 2.7.17, fixes CVE-2012-3864, CVE-2012-3865, CVE-2012-3866, CVE-2012-3867
- Improve NetworkManager compatibility, thanks to Orion Poplawski (#532085)
- Preserve timestamps when installing files

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #919770 - CVE-2013-1654 Puppet: SSL protocol downgrade
        https://bugzilla.redhat.com/show_bug.cgi?id=919770
  [ 2 ] Bug #919774 - CVE-2013-1653 Puppet: kick connection HTTP PUT request arbitrary code execution
        https://bugzilla.redhat.com/show_bug.cgi?id=919774
  [ 3 ] Bug #919775 - CVE-2013-1655 Puppet: Master code loading Ruby symbols vulnerability
        https://bugzilla.redhat.com/show_bug.cgi?id=919775
  [ 4 ] Bug #919783 - CVE-2013-1640 Puppet: catalog request code execution
        https://bugzilla.redhat.com/show_bug.cgi?id=919783
  [ 5 ] Bug #919784 - CVE-2013-1652 Puppet: HTTP GET request catalog retrieval
        https://bugzilla.redhat.com/show_bug.cgi?id=919784
  [ 6 ] Bug #919785 - CVE-2013-2275 Puppet: default auth.conf allows authenticated node to submit a report for any other node
        https://bugzilla.redhat.com/show_bug.cgi?id=919785

--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update puppet' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys

--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-...
