Bug 12184

Summary: puppet and puppet3 new security issue CVE-2013-4969
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: guillomovitch, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/578598/
Whiteboard: has_procedure advisory mga3-32-ok mga3-64-ok
Source RPM: puppet3-3.2.4-1.mga3.src.rpm CVE:
Status comment:

Description David Walser 2014-01-03 00:03:14 CET 
Debian has issued an advisory on December 31:
http://www.debian.org/security/2013/dsa-2831

Reproducible: 

Steps to Reproduce:
David Walser 2014-01-03 00:03:35 CET

CC: (none) => boklm, guillomovitch
Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2014-01-03 12:40:16 CET 
puppet-3.4.1-1.mga4 uploaded to fix this in Cauldron (by Guillaume).

Version: Cauldron => 3
Whiteboard: MGA3TOO => (none)

Comment 2 Guillaume Rousse 2014-01-03 12:52:18 CET 
And I just submitted puppet-2.7.23-1.1.mga3 and puppet3-3.2.4-1.1.mga3 in updates_testing for mageia 3.

Here is a suggested advisory, taken from the debian announcement:

An unsafe use of temporary files was discovered in Puppet, a tool for
centralized configuration management. An attacker can exploit this 
vulnerability and overwrite an arbitrary file in the system.

Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs

Comment 3 David Walser 2014-01-03 12:59:27 CET 
Thanks Guillaume!

Advisory:
========================

Updated puppet and puppet3 packages fix security vulnerability:

An unsafe use of temporary files was discovered in Puppet, a tool for
centralized configuration management. An attacker can exploit this 
vulnerability and overwrite an arbitrary file in the system (CVE-2013-4969).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4969
http://www.debian.org/security/2013/dsa-2831
========================

Updated packages in core/updates_testing:
========================
puppet-2.7.23-1.1.mga3
puppet-server-2.7.23-1.1.mga3
vim-puppet-2.7.23-1.1.mga3
emacs-puppet-2.7.23-1.1.mga3
puppet3-3.2.4-1.1.mga3
puppet3-server-3.2.4-1.1.mga3
vim-puppet3-3.2.4-1.1.mga3
emacs-puppet3-3.2.4-1.1.mga3

from SRPMS:
puppet-2.7.23-1.1.mga3.src.rpm
puppet3-3.2.4-1.1.mga3.src.rpm
Comment 4 David Walser 2014-01-10 18:31:37 CET 
Guillaume, does the regression mentioned in Ubuntu's updated advisory affect us?
http://www.ubuntu.com/usn/usn-2077-2/
Comment 5 Guillaume Rousse 2014-01-12 19:17:18 CET 
We are, indeed. I just submitted updated packages in updates_testing.
Comment 6 David Walser 2014-01-12 19:32:12 CET 
Thanks Guillaume!

Updated packages in core/updates_testing:
========================
puppet-2.7.23-1.2.mga3
puppet-server-2.7.23-1.2.mga3
vim-puppet-2.7.23-1.2.mga3
emacs-puppet-2.7.23-1.2.mga3
puppet3-3.2.4-1.2.mga3
puppet3-server-3.2.4-1.2.mga3
vim-puppet3-3.2.4-1.2.mga3
emacs-puppet3-3.2.4-1.2.mga3

from SRPMS:
puppet-2.7.23-1.2.mga3.src.rpm
puppet3-3.2.4-1.2.mga3.src.rpm
Comment 7 claire robinson 2014-02-12 17:07:06 CET 
Procedure: https://bugs.mageia.org/show_bug.cgi?id=10568#c5 onwards

Whiteboard: (none) => has_procedure

Comment 8 claire robinson 2014-02-12 17:09:07 CET 
See also: https://bugs.mageia.org/show_bug.cgi?id=11019#c10
Comment 9 Thomas Backlund 2014-02-16 22:43:00 CET 
puppet-2.7.23 now running on Mageia x86_64 infra, no problems so far

CC: (none) => tmb

Comment 10 claire robinson 2014-02-19 13:05:21 CET 
Testing complete mga3 32 & 64

Whiteboard: has_procedure => has_procedure mga3-32-ok mga3-64-ok

Comment 11 claire robinson 2014-02-19 13:13:38 CET 
Advisory uploaded. Validating.

Could sysadmin please push to 3 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-32-ok mga3-64-ok => has_procedure advisory mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs

Comment 12 Thomas Backlund 2014-02-19 22:54:49 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0084.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Nicolas Vigier 2014-05-08 18:05:30 CEST

CC: boklm => (none)