Debian: DSA-2643-1: puppet security update

    Date: 12 Mar 2013
    Category: Debian
    Posted By: LinuxSecurity Advisories
    Multiple vulnerabilities were discovered in Puppet, a centralized configuration management system. CVE-2013-1640
    
    -------------------------------------------------------------------------
    Debian Security Advisory DSA-2643-1
    http://www.debian.org/security/                         Yves-Alexis Perez
    March 12, 2013                         http://www.debian.org/security/faq
    -------------------------------------------------------------------------
    
    Package        : puppet
    Vulnerability  : several
    Problem type   : remote
    Debian-specific: no
    CVE ID         : CVE-2013-1640 CVE-2013-1652 CVE-2013-1653 CVE-2013-1654
                     CVE-2013-1655 CVE-2013-2274 CVE-2013-2275
    Debian Bug     :
    
    Multiple vulnerabilities were discovered in Puppet, a centralized
    configuration management system.
    
    CVE-2013-1640
    
        An authenticated malicious client may request its catalog from the puppet
        master, and cause the puppet master to execute arbitrary code. The puppet
        master must be made to invoke the `template` or `inline_template` functions
        during catalog compilation.
    
    CVE-2013-1652
    
        An authenticated malicious client may retrieve catalogs from the puppet
        master that it is not authorized to access. Given a valid certificate and
        private key, it is possible to construct an HTTP GET request that will
        return a catalog for an arbitrary client.
    
    CVE-2013-1653
    
        An authenticated malicious client may execute arbitrary code on Puppet
        agents that accept kick connections. Puppet agents are not vulnerable in
        their default configuration. However, if the Puppet agent is configured to
        listen for incoming connections, e.g. listen = true, and the agent's
        auth.conf allows access to the `run` REST endpoint, then an authenticated
        client can construct an HTTP PUT request to execute arbitrary code on the
        agent. This issue is made worse by the fact that puppet agents typically
        run as root.
    
    CVE-2013-1654
    
        A bug in Puppet allows SSL connections to be downgraded to SSLv2, which is
        known to contain design flaw weaknesses. This affects SSL connections
        between puppet agents and master, as well as connections that puppet agents
        make to third party servers that accept SSLv2 connections. Note that SSLv2
        has been disabled since OpenSSL 1.0.
    
    CVE-2013-1655
    
        An unauthenticated malicious client may send requests to the puppet master,
        and have the master load code in an unsafe manner. It only affects users
        whose puppet masters are running ruby 1.9.3 and above.
    
    CVE-2013-2274
    
        An authenticated malicious client may execute arbitrary code on the
        puppet master in its default configuration. Given a valid certificate and
        private key, a client can construct an HTTP PUT request that is authorized
        to save the client's own report, but the request will actually cause the
        puppet master to execute arbitrary code.
    
    CVE-2013-2275
    
        The default auth.conf allows an authenticated node to submit a report for
        any other node, which is a problem for compliance. It has been made more
        restrictive by default so that a node is only allowed to save its own
        report.
    
    For the stable distribution (squeeze), these problems have been fixed in
    version 2.6.2-5+squeeze7.
    
    For the testing distribution (wheezy), these problems have been fixed in
    version 2.7.18-3.
    
    For the unstable distribution (sid), these problems have been fixed in
    version 2.7.18-3.
    
    We recommend that you upgrade your puppet packages.
    
    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/
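
The configuration conditions described under CVE-2013-1653 (`listen = true` plus an auth.conf rule allowing `run`) and CVE-2013-2275 (any node may save any report) can be checked from config text. The Ruby below is an added example, not part of the advisory or of Puppet: the function names are hypothetical, the sample configs are constructed, and the `allow $1` stanza is an assumed shape for a restrictive report rule. It flags exposure conditions only and says nothing about the installed package version.

```ruby
# Split auth.conf text into ACL stanzas; each stanza starts at a "path" line.
def parse_auth_conf(text)
  acls = []
  text.each_line do |raw|
    key, value = raw.sub(/#.*/, '').strip.split(/\s+/, 2)
    if key == 'path'
      # "path ~ <regex>" is a regex ACL; drop the marker and a leading ^ anchor
      acls << { path: value.to_s.sub(/\A~\s*/, '').sub(/\A\^/, ''), allow: [] }
    elsif key == 'allow' && acls.any?
      acls.last[:allow].concat(value.to_s.split(/\s*,\s*/))
    end
  end
  acls
end

# True when puppet.conf sets listen = true (agent accepts kick connections).
def listen_enabled?(puppet_conf)
  puppet_conf.each_line.any? { |l| l.sub(/#.*/, '') =~ /\A\s*listen\s*=\s*true\s*\z/i }
end

# Returns one finding string per risky condition present in the two files.
def audit(puppet_conf, auth_conf)
  acls = parse_auth_conf(auth_conf)
  run_allowed = acls.any? { |a| a[:path].start_with?('/run') && a[:allow].any? }
  any_report = acls.any? { |a| a[:path].start_with?('/report') && a[:allow].include?('*') }
  findings = []
  findings << 'CVE-2013-1653: listen = true and run endpoint allowed' if listen_enabled?(puppet_conf) && run_allowed
  findings << 'CVE-2013-2275: any authenticated node may save any report' if any_report
  findings
end

# Constructed sample configuration, for illustration only.
WEAK_PUPPET_CONF = <<~'CONF'
  [agent]
  listen = true
CONF
WEAK_AUTH_CONF = <<~'CONF'
  path /run
  method save
  allow *
  path /report
  method save
  allow *
CONF
HARDENED_AUTH_CONF = <<~'CONF'
  path ~ ^/report/([^/]+)$
  method save
  allow $1
CONF

puts audit(WEAK_PUPPET_CONF, WEAK_AUTH_CONF)
```
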
    