Ubuntu has issued an advisory on August 15:
Here are the upstream advisories:
Steps to Reproduce:
The issues are fixed in puppet 2.7.23 and 3.2.4.
Guillaume has uploaded puppet 3.2.4 in Cauldron.
2.7.23 has been submitted to 2 + 3
Thanks Oden. All that's left is puppet3 in Mageia 3.
Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x
before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x
before 3.0.1, allows remote attackers to execute arbitrary Ruby
programs from the master via the resource_type service. NOTE: this
vulnerability can only be exploited utilizing unspecified "local file
system access" to the Puppet Master.
Puppet Module Tool (PMT), as used in Puppet 2.7.x before 2.7.23 and
3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x
before 3.0.1, installs modules with weak permissions if those
permissions were used when the modules were originally built, which
might allow local users to read or modify those modules depending on
the original permissions.
(In reply to David Walser from comment #3)
> Thanks Oden. All that's left is puppet3 in Mageia 3.
puppet3-3.2.4-1.mga3 has been submitted.
Updated puppet and puppet3 packages fix security vulnerabilities:
It was discovered that Puppet incorrectly handled the resource_type service. A
local attacker on the master could use this issue to execute arbitrary Ruby
It was discovered that Puppet incorrectly handled permissions on the modules it
installed. Modules could be installed with the permissions that existed when
they were built, possibly exposing them to a local attacker (CVE-2013-4956).
Updated packages in core/updates_testing:
No PoC's. Procedure: https://bugs.mageia.org/show_bug.cgi?id=10568#c5
Advisory 11019.adv uploaded to svn.
Testing mga3 32 & 64
Testing complete mga3 32 & 64
Followed the procedure to serve a file (/etc/motd) in each direction with puppet, then removed puppet, deleted /var/lib/puppet and repeated the tests for puppet3
See here for the different syntax in fileserver.conf for puppet3
You may want to echo "" > /etc/motd when finished testing or you'll see the test text whenever you log in with ssh.
MGA2TOO has_procedure =>
MGA2TOO has_procedure mga3-32-ok mga3-64-ok
Testing complete mga2 32 & 64
Could sysadmin please push from 2 & 3 core/updates_testing to updates.
MGA2TOO has_procedure mga3-32-ok mga3-64-ok =>
MGA2TOO has_procedure mga3-32-ok mga3-64-ok mga2-32-ok mga2-64-okCC: