SUSE: 2017:2113-1 Important: Puppet Code Execution Threat
suse
August 9, 2017
An update that fixes one vulnerability is now available
Summary
This update for puppet fixes the following issues: Security issue fixed: - CVE-2017-2295: Possible code execution vulnerability where an attacker could force YAML deserialization in an unsafe manner. In default, this update breaks a backwards compatibility with Puppet agents older than 3.2.2 as the SLE12 master doesn't support other fact formats than pson in default anymore. In order to allow users to continue using their SLE12 master/SLE11 agents setup and fix CVE-2017-2295 for the others, a new puppet master boolean option "dangerous_fact_formats" was added. When it's set to true it enables using dangerous fact formats (e.g. YAML). When it's set to false, only PSON fact format is accepted. (bsc#1040151) Patch Instructions: To install this SUSE Security Update use YaST online_update.
Topics Covered
References
#1040151
Cross- CVE-2017-2295
Affected Products:
SUSE Linux Enterprise Module for Advanced Systems Management 12
SUSE Linux Enterprise Desktop 12-SP3
SUSE Linux Enterprise Desktop 12-SP2
https://www.suse.com/security/cve/CVE-2017-2295.html
https://bugzilla.suse.com/1040151
PREVIOUS
NEXT
Severity
important
Lowest
Low
Medium
High
Critical
Announcement ID: SUSE-SU-2017:2113-1
Rating: important
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!