Ubuntu 917-1: Puppet vulnerabilities

    Date: 24 Mar 2010
    Category: Ubuntu
    Posted By: LinuxSecurity Advisories
    It was discovered that Puppet did not drop supplementary groups when being run as a different user. A local user may be able to use this flaw to bypass security restrictions and gain access to restricted files. (CVE-2009-3564)
    ===========================================================
    Ubuntu Security Notice USN-917-1             March 24, 2010
    puppet vulnerabilities
    CVE-2009-3564, CVE-2010-0156
    ===========================================================
    
    A security issue affects the following Ubuntu releases:
    
    Ubuntu 9.10
    
    This advisory also applies to the corresponding versions of
    Kubuntu, Edubuntu, and Xubuntu.
    
    The problem can be corrected by upgrading your system to the
    following package versions:
    
    Ubuntu 9.10:
      puppet                          0.24.8-2ubuntu4.1
    
    In general, a standard system upgrade is sufficient to effect the
    necessary changes.
    
    Details follow:
    
    It was discovered that Puppet did not drop supplementary groups when being
    run as a different user. A local user may be able to use this flaw to
    bypass security restrictions and gain access to restricted files.
    (CVE-2009-3564)
    
    It was discovered that Puppet did not correctly handle temporary files. A
    local user can exploit this flaw to bypass security restrictions and
    overwrite arbitrary files. (CVE-2010-0156)
    
    
    Updated packages for Ubuntu 9.10:
    
      Source archives:
    
        http://security.ubuntu.com/ubuntu/pool/main/p/puppet/puppet_0.24.8-2ubuntu4.1.diff.gz
          Size/MD5:    16108 228231bb7fafde0cd8555618017939ce
        http://security.ubuntu.com/ubuntu/pool/main/p/puppet/puppet_0.24.8-2ubuntu4.1.dsc
          Size/MD5:     1517 22118d6cf21742ca62796a0957bee5f8
        http://security.ubuntu.com/ubuntu/pool/main/p/puppet/puppet_0.24.8.orig.tar.gz
          Size/MD5:  1093533 db02f46288794225d54b36f89e2725a7
    
      Architecture independent packages:
    
        http://security.ubuntu.com/ubuntu/pool/main/p/puppet/puppet_0.24.8-2ubuntu4.1_all.deb
          Size/MD5:   518402 b050c03fffa3df3dc31faa12b17f6aa2
        http://security.ubuntu.com/ubuntu/pool/main/p/puppet/puppetmaster_0.24.8-2ubuntu4.1_all.deb
          Size/MD5:    47806 5fb4e692c93a7388d34f6a284f4a5e92
        http://security.ubuntu.com/ubuntu/pool/universe/p/puppet/puppet-testsuite_0.24.8-2ubuntu4.1_all.deb
          Size/MD5:   418926 5785eb3a1e0d6373f0d891f72afca170
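
An added check for the supplementary-groups issue described above (CVE-2009-3564), not part of the advisory or of Puppet's code: it takes the text of a process's `/proc/<pid>/status` and of `/etc/group` and reports group IDs the process holds that the target user is not entitled to. The `appuser` account, the sample file contents and the function names are constructed for illustration.

```ruby
# Added example: find supplementary groups a process kept after switching user.
# All sample data below is constructed; real /proc files use tabs, which
# String#split handles the same way as the spaces used here.

# Extract effective uid/gid and the supplementary group list from the text
# of /proc/<pid>/status.
def parse_status(text)
  fields = {}
  text.each_line do |line|
    key, value = line.split(":", 2)
    next if value.nil? || !%w[Uid Gid Groups].include?(key.strip)
    fields[key.strip] = value.split.map(&:to_i)
  end
  # Uid and Gid lines list real, effective, saved and filesystem ids.
  { euid: fields.fetch("Uid")[1], egid: fields.fetch("Gid")[1],
    groups: fields.fetch("Groups", []) }
end

# Group ids `user` may hold: the primary gid plus every /etc/group entry
# that names the user as a member.
def allowed_gids(group_text, user, primary_gid)
  gids = [primary_gid]
  group_text.each_line do |line|
    _name, _pw, gid, members = line.strip.split(":", 4)
    next if gid.nil?
    gids << gid.to_i if members.to_s.split(",").include?(user)
  end
  gids.uniq
end

# Returns the gids the process holds but `user` is not entitled to.
def leftover_groups(status_text, group_text, user)
  st = parse_status(status_text)
  return [] if st[:euid].zero? # still root, no identity switch to audit
  st[:groups] - allowed_gids(group_text, user, st[:egid])
end

SAMPLE_GROUP = "root:x:0:\nadm:x:4:\nshadow:x:42:\nwww-data:x:33:appuser\nappuser:x:1001:\n"
# Switched to appuser (1001) but still carries root's groups 0, 4 and 42.
STATUS_LEAKY = "Name: worker\nUid: 1001 1001 1001 1001\nGid: 1001 1001 1001 1001\nGroups: 0 4 42\n"
# Same switch with the group list reset to appuser's own groups.
STATUS_CLEAN = "Name: worker\nUid: 1001 1001 1001 1001\nGid: 1001 1001 1001 1001\nGroups: 33 1001\n"

if __FILE__ == $PROGRAM_NAME
  p leftover_groups(STATUS_LEAKY, SAMPLE_GROUP, "appuser")
  p leftover_groups(STATUS_CLEAN, SAMPLE_GROUP, "appuser")
end
```

On a live host the inputs would be `File.read("/proc/#{pid}/status")` and `File.read("/etc/group")`; group membership supplied by a directory service rather than `/etc/group` is not covered by this check.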
    
    
    
    