Upstream has issued an advisory on April 26: https://puppet.com/security/cve/cve-2016-2785 The issue is resolved in Puppet 4.4.2. I don't know if it affects Mageia 5.
not affected in mga5
Status: NEW => RESOLVEDCC: (none) => mageiaResolution: (none) => INVALID
The bug is for Cauldron.
Status: RESOLVED => REOPENEDResolution: INVALID => (none)
CC: (none) => pterjan
Upstream has issued an advisory on May 11: https://puppet.com/security/cve/cve-2017-2295 The issue is resolved in Puppet 4.10.1. Mageia 5 appears to be affected by this one. Debian has issued an advisory for this on May 25: https://www.debian.org/security/2017/dsa-3862
Whiteboard: (none) => MGA5TOOSummary: puppet new security issue CVE-2016-2785 => puppet new security issues CVE-2016-2785 and CVE-2017-2295
Fedora has issued an advisory for CVE-2017-2295 on May 31: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MHVQ25R6UFHFJ7NXHYLNBG3BQ7M57THN/
RedHat says they're not affected by CVE-2016-2785, but the reason is nonsensical: https://bugzilla.redhat.com/show_bug.cgi?id=1331024#c6 SUSE also says that they're not affected by CVE-2016-2785, with no explanation. Gentoo says that Puppet 3.x is not affected by CVE-2016-2785. I guess we can forget about that CVE? Patch for CVE-2017-2295 for 4.2.1 for Puppet 4.2.1 added in Cauldron. FYI, Fedora has updated Rawhide to 4.10.1, so we can sync that at some point.
Version: Cauldron => 5Whiteboard: MGA5TOO => (none)
Patch from Debian added for Mageia 5 to fix CVE-2017-2295. Advisory: ======================== Updated puppet packages fix security vulnerability: It was discovered that unrestricted YAML deserialisation of data sent from agents to the server in the Puppet configuration management system could result in the execution of arbitrary code (CVE-2017-2295). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2295 https://puppet.com/security/cve/cve-2017-2295 https://www.debian.org/security/2017/dsa-3862 ======================== Updated packages in core/updates_testing: ======================== puppet-3.6.2-3.1.mga5 puppet-server-3.6.2-3.1.mga5 vim-puppet-3.6.2-3.1.mga5 emacs-puppet-3.6.2-3.1.mga5 from puppet-3.6.2-3.1.mga5.src.rpm
Assignee: thierry.vignaud => qa-bugsSeverity: normal => critical
Minimal testing on x86_64 real hardware and apologies for the lengthy spiel. Puppet is a complex system management tool best described as a "career builder" (wilcal) so all we can do is ensure that it builds and runs. It is written in ruby so you may find it installing ruby packages as well. This system already had those. Quoting an internet site: Open source Puppet helps you describe machine configurations in a declarative language, bring machines to a desired state, and keep them there through automation. $ sudo systemctl enable puppet $ sudo systemctl start puppet $ systemctl status puppet ● puppet.service - Puppet agent Loaded: loaded (/usr/lib/systemd/system/puppet.service; enabled) Active: active (running) since Tue 2017-06-06 15:56:11 BST; 3h 43min ago Main PID: 26909 (puppet) CGroup: /system.slice/puppet.service └─26909 /usr/bin/ruby /usr/bin/puppet agent --no-daemonize A simple introduction at https://dzone.com/articles/puppet-beginners-concept-guide suggest a few commands which show it working. $ puppet --version 3.6.2 $ facter Error: NetworkManager is not running. architecture => x86_64 blockdevice_sda_model => Crucial_CT512MX1 blockdevice_sda_size => 512110190592 blockdevice_sda_vendor => ATA blockdevice_sdb_model => Crucial_CT256MX1 blockdevice_sdb_size => 256060514304 ....................... plus lots more information about your system and hardware. The tutorial also suggests running a scriptlet similar to this: $ puppet apply -e "file{'/tmp/pup': ensure => 'directory'} file{ '/tmp/pup/et': ensure => 'present', content => 'look at me', require => File['/tmp/pup']}" which produces this sort of output: Error: NetworkManager is not running. Notice: Compiled catalog for vega in environment production in 0.09 seconds Notice: Finished catalog run in 0.02 seconds It is easier to create a file containing the quoted code above, calling it mynode.pp; $ cat mynode.pp file{'/tmp/pup': ensure => 'directory'} file{'/tmp/pup/et': ensure => 'present', content => 'look at me', require => File['/tmp/pup']} $ puppet apply mynode.pp Error: NetworkManager is not running. Notice: Compiled catalog for vega in environment production in 0.09 seconds Notice: /Stage[main]/Main/File[/tmp/pup]/ensure: created Notice: /Stage[main]/Main/File[/tmp/pup/et]/ensure: created Notice: Finished catalog run in 0.02 seconds This creates /tmp/pup/ and /tmp/pup/et. ls /tmp/pup et Finally: $ sudo systemctl stop puppet $ rm -rf /tmp/pup Installed the listed packages - comment 6. In the tutorial quoted earlier the puppet-server was not mentioned and trying to start it fails. Unsure what this means - could do with some advice. Restarted the puppet service and used the previous simple commands to show that the basic system was installed and working. All editing done with emacs but syntax highlighting was not apparent even with the shebang line #!/usr/bin/env puppet added to the manifest file mynode.pp. https://github.com/voxpupuli/puppet-mode says; "Just visit Puppet manifests. The major mode is enabled automatically for Puppet manifests with the extension .pp." Everything worked as before. $ cat /tmp/pup/et look at me Giving this the OK within the limitations of the testing.
CC: (none) => tarazed25
Whiteboard: (none) => MGA5-64-OK
Similar testing on i586. Advisory committed to svn. Validating the update.
Keywords: (none) => validated_updateWhiteboard: MGA5-64-OK => MGA5-64-OK advisory MGA5-32-OKCC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0156.html
Resolution: (none) => FIXEDStatus: REOPENED => RESOLVED