Debian has issued an advisory on December 31: http://www.debian.org/security/2013/dsa-2831
CC: (none) => boklm, guillomovitch
Whiteboard: (none) => MGA3TOO
puppet-3.4.1-1.mga4 uploaded to fix this in Cauldron (by Guillaume).
Version: Cauldron => 3
Whiteboard: MGA3TOO => (none)
And I just submitted puppet-2.7.23-1.1.mga3 and puppet3-3.2.4-1.1.mga3 in updates_testing for Mageia 3.

Here is a suggested advisory, taken from the Debian announcement:

An unsafe use of temporary files was discovered in Puppet, a tool for centralized configuration management. An attacker can exploit this vulnerability and overwrite an arbitrary file in the system.
Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs
Thanks Guillaume!

Advisory:
========================

Updated puppet and puppet3 packages fix security vulnerability:

An unsafe use of temporary files was discovered in Puppet, a tool for centralized configuration management. An attacker can exploit this vulnerability and overwrite an arbitrary file in the system (CVE-2013-4969).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4969
http://www.debian.org/security/2013/dsa-2831
========================

Updated packages in core/updates_testing:
========================
puppet-2.7.23-1.1.mga3
puppet-server-2.7.23-1.1.mga3
vim-puppet-2.7.23-1.1.mga3
emacs-puppet-2.7.23-1.1.mga3
puppet3-3.2.4-1.1.mga3
puppet3-server-3.2.4-1.1.mga3
vim-puppet3-3.2.4-1.1.mga3
emacs-puppet3-3.2.4-1.1.mga3

from SRPMS:
puppet-2.7.23-1.1.mga3.src.rpm
puppet3-3.2.4-1.1.mga3.src.rpm
Guillaume, does the regression mentioned in Ubuntu's updated advisory affect us? http://www.ubuntu.com/usn/usn-2077-2/
We are, indeed. I just submitted updated packages in updates_testing.
Thanks Guillaume!

Updated packages in core/updates_testing:
========================
puppet-2.7.23-1.2.mga3
puppet-server-2.7.23-1.2.mga3
vim-puppet-2.7.23-1.2.mga3
emacs-puppet-2.7.23-1.2.mga3
puppet3-3.2.4-1.2.mga3
puppet3-server-3.2.4-1.2.mga3
vim-puppet3-3.2.4-1.2.mga3
emacs-puppet3-3.2.4-1.2.mga3

from SRPMS:
puppet-2.7.23-1.2.mga3.src.rpm
puppet3-3.2.4-1.2.mga3.src.rpm
Procedure: https://bugs.mageia.org/show_bug.cgi?id=10568#c5 onwards
Whiteboard: (none) => has_procedure
See also: https://bugs.mageia.org/show_bug.cgi?id=11019#c10
puppet-2.7.23 now running on Mageia x86_64 infra, no problems so far
CC: (none) => tmb
Testing complete mga3 32 & 64
Whiteboard: has_procedure => has_procedure mga3-32-ok mga3-64-ok
Advisory uploaded. Validating.

Could sysadmin please push to 3 updates?

Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-32-ok mga3-64-ok => has_procedure advisory mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0084.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
CC: boklm => (none)