SUSE has issued an advisory on April 21: http://lists.suse.com/pipermail/sle-security-updates/2020-April/006721.html The issue is fixed upstream in 6.13.0. It looks like SUSE made a patch to highlight and issue a warning for a configuration that needs to be changed to mitigate this. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Puppet has no registered maintainer, nor any consistent committer. Hence assigning this globally.
Assignee: bugsquad => pkg-bugs
Red Hat has issued an advisory on October 27: https://access.redhat.com/errata/RHSA-2020:4366 It fixes this issue and two others in Puppet, CVE-2018-11751 (fixed upstream in 6.4.0) and CVE-2020-7943 (fixed upstream in 6.10.1). For the latter, Red Hat thinks they identified the commit that fixed it: https://bugzilla.redhat.com/show_bug.cgi?id=1828486#c4
Severity: normal => critical
Summary: puppet new security issue CVE-2020-7942 => puppet new security issues CVE-2018-11751 and CVE-2020-794[23]
CC: (none) => zombie_ryushu
CVE: (none) => CVE-2020-7942
URL: (none) => https://nvd.nist.gov/vuln/detail/CVE-2020-7942
We updated Cauldron to Puppet 7.1.0.
CC: (none) => mageia
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Status comment: (none) => Fixed upstream in 6.13.0
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/
Resolution: (none) => OLD
Status: NEW => RESOLVED