Ubuntu has issued an advisory on August 15: http://www.ubuntu.com/usn/usn-1928-1/ Here are the upstream advisories: http://puppetlabs.com/security/cve/cve-2013-4761/ http://puppetlabs.com/security/cve/cve-2013-4956/ Reproducible: Steps to Reproduce:
The issues are fixed in puppet 2.7.23 and 3.2.4. Guillaume has uploaded puppet 3.2.4 in Cauldron.
CC: (none) => guillomovitch
2.7.23 has been submitted to 2 + 3
CC: (none) => oe
Thanks Oden. All that's left is puppet3 in Mageia 3.
====================================================== Name: CVE-2013-4761 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4761 Final-Decision: Interim-Decision: Modified: Proposed: Assigned: 20130705 Category: Reference: CONFIRM:http://puppetlabs.com/security/cve/cve-2013-4761/ Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, allows remote attackers to execute arbitrary Ruby programs from the master via the resource_type service. NOTE: this vulnerability can only be exploited utilizing unspecified "local file system access" to the Puppet Master. ====================================================== Name: CVE-2013-4956 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4956 Final-Decision: Interim-Decision: Modified: Proposed: Assigned: 20130729 Category: Reference: CONFIRM:http://puppetlabs.com/security/cve/cve-2013-4956/ Puppet Module Tool (PMT), as used in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, installs modules with weak permissions if those permissions were used when the modules were originally built, which might allow local users to read or modify those modules depending on the original permissions.
(In reply to David Walser from comment #3) > Thanks Oden. All that's left is puppet3 in Mageia 3. puppet3-3.2.4-1.mga3 has been submitted.
Thanks Oden! Advisory: ======================== Updated puppet and puppet3 packages fix security vulnerabilities: It was discovered that Puppet incorrectly handled the resource_type service. A local attacker on the master could use this issue to execute arbitrary Ruby files (CVE-2013-4761). It was discovered that Puppet incorrectly handled permissions on the modules it installed. Modules could be installed with the permissions that existed when they were built, possibly exposing them to a local attacker (CVE-2013-4956). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4761 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4956 http://puppetlabs.com/security/cve/cve-2013-4761/ http://puppetlabs.com/security/cve/cve-2013-4956/ http://www.ubuntu.com/usn/usn-1928-1/ ======================== Updated packages in core/updates_testing: ======================== puppet-2.7.23-1.mga2 puppet-server-2.7.23-1.mga2 puppet-2.7.23-1.mga3 puppet-server-2.7.23-1.mga3 vim-puppet-2.7.23-1.mga3 emacs-puppet-2.7.23-1.mga3 puppet3-3.2.4-1.mga3 puppet3-server-3.2.4-1.mga3 vim-puppet3-3.2.4-1.mga3 emacs-puppet3-3.2.4-1.mga3 from SRPMS: puppet-2.7.23-1.mga2.src.rpm puppet-2.7.23-1.mga3.src.rpm puppet3-3.2.4-1.mga3.src.rpm
CC: (none) => boklmVersion: Cauldron => 3Assignee: boklm => qa-bugsWhiteboard: (none) => MGA2TOO
No PoC's. Procedure: https://bugs.mageia.org/show_bug.cgi?id=10568#c5
Whiteboard: MGA2TOO => MGA2TOO has_procedure
Advisory 11019.adv uploaded to svn.
CC: (none) => davidwhodgins
Testing mga3 32 & 64
Testing complete mga3 32 & 64 Followed the procedure to serve a file (/etc/motd) in each direction with puppet, then removed puppet, deleted /var/lib/puppet and repeated the tests for puppet3 See here for the different syntax in fileserver.conf for puppet3 https://bugs.mageia.org/show_bug.cgi?id=10568#c13 You may want to echo "" > /etc/motd when finished testing or you'll see the test text whenever you log in with ssh.
Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure mga3-32-ok mga3-64-ok
Testing complete mga2 32 & 64 Validating. Could sysadmin please push from 2 & 3 core/updates_testing to updates. Thanks!
Keywords: (none) => validated_updateWhiteboard: MGA2TOO has_procedure mga3-32-ok mga3-64-ok => MGA2TOO has_procedure mga3-32-ok mga3-64-ok mga2-32-ok mga2-64-okCC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0259.html
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED
CC: boklm => (none)