Bug 12184 - puppet and puppet3 new security issue CVE-2013-4969
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/578598/
Whiteboard: has_procedure advisory mga3-32-ok mga...
Keywords: validated_update
 
Reported: 2014-01-03 00:03 CET by David Walser
Modified: 2014-05-08 18:05 CEST
Source RPM: puppet3-3.2.4-1.mga3.src.rpm

Description David Walser 2014-01-03 00:03:14 CET
Debian has issued an advisory on December 31:
http://www.debian.org/security/2013/dsa-2831

Comment 1 David Walser 2014-01-03 12:40:16 CET
puppet-3.4.1-1.mga4 uploaded to fix this in Cauldron (by Guillaume).
Comment 2 Guillaume Rousse 2014-01-03 12:52:18 CET
And I just submitted puppet-2.7.23-1.1.mga3 and puppet3-3.2.4-1.1.mga3 in updates_testing for Mageia 3.

Here is a suggested advisory, taken from the Debian announcement:

An unsafe use of temporary files was discovered in Puppet, a tool for
centralized configuration management. An attacker can exploit this 
vulnerability and overwrite an arbitrary file in the system.
Comment 3 David Walser 2014-01-03 12:59:27 CET
Thanks Guillaume!

Advisory:
========================

Updated puppet and puppet3 packages fix security vulnerability:

An unsafe use of temporary files was discovered in Puppet, a tool for
centralized configuration management. An attacker can exploit this 
vulnerability and overwrite an arbitrary file in the system (CVE-2013-4969).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4969
http://www.debian.org/security/2013/dsa-2831
========================

Updated packages in core/updates_testing:
========================
puppet-2.7.23-1.1.mga3
puppet-server-2.7.23-1.1.mga3
vim-puppet-2.7.23-1.1.mga3
emacs-puppet-2.7.23-1.1.mga3
puppet3-3.2.4-1.1.mga3
puppet3-server-3.2.4-1.1.mga3
vim-puppet3-3.2.4-1.1.mga3
emacs-puppet3-3.2.4-1.1.mga3

from SRPMS:
puppet-2.7.23-1.1.mga3.src.rpm
puppet3-3.2.4-1.1.mga3.src.rpm
Comment 4 David Walser 2014-01-10 18:31:37 CET
Guillaume, does the regression mentioned in Ubuntu's updated advisory affect us?
http://www.ubuntu.com/usn/usn-2077-2/
Comment 5 Guillaume Rousse 2014-01-12 19:17:18 CET
We are, indeed. I just submitted updated packages in updates_testing.
Comment 6 David Walser 2014-01-12 19:32:12 CET
Thanks Guillaume!

Updated packages in core/updates_testing:
========================
puppet-2.7.23-1.2.mga3
puppet-server-2.7.23-1.2.mga3
vim-puppet-2.7.23-1.2.mga3
emacs-puppet-2.7.23-1.2.mga3
puppet3-3.2.4-1.2.mga3
puppet3-server-3.2.4-1.2.mga3
vim-puppet3-3.2.4-1.2.mga3
emacs-puppet3-3.2.4-1.2.mga3

from SRPMS:
puppet-2.7.23-1.2.mga3.src.rpm
puppet3-3.2.4-1.2.mga3.src.rpm
Comment 7 claire robinson 2014-02-12 17:07:06 CET
Procedure: https://bugs.mageia.org/show_bug.cgi?id=10568#c5 onwards
Comment 8 claire robinson 2014-02-12 17:09:07 CET
See also: https://bugs.mageia.org/show_bug.cgi?id=11019#c10
Comment 9 Thomas Backlund 2014-02-16 22:43:00 CET
puppet-2.7.23 now running on Mageia x86_64 infra, no problems so far
Comment 10 claire robinson 2014-02-19 13:05:21 CET
Testing complete mga3 32 & 64
Comment 11 claire robinson 2014-02-19 13:13:38 CET
Advisory uploaded. Validating.

Could sysadmin please push to 3 updates

Thanks
Comment 12 Thomas Backlund 2014-02-19 22:54:49 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0084.html
