lp:ubuntu/lucid-security/puppet

Created by Ubuntu Package Importer and last modified
Get this branch:
bzr branch lp:ubuntu/lucid-security/puppet

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Mature

Recent revisions

40. By Marc Deslauriers

* SECURITY UPDATE: multiple July 2012 security issues
  - Backported from upstream patch for 2.6.4.
  - CVE-2012-3864: arbitrary file read on master from authenticated
    clients
  - CVE-2012-3865: arbitrary file delete or denial of service on master
    from authenticated clients
  - CVE-2012-3867: insufficient input validation for agent cert hostnames

39. By Tyler Hicks

* SECURITY UPDATE: Arbitrary file writes via predictable filename usage in
  appdmg and pkgdmg providers
  - lib/puppet/provider/package/{appdmg.rb,pkgdmg.rb}: Use mktmpdir when
    downloading packages. Based on upstream patch.
  - CVE-2012-1906
* SECURITY UPDATE: Arbitrary file reads via Filebucket REST requests
  - lib/puppet/network/http/api/v1.rb: Fix for bucket_path security
    vulnerability. Based on upstream patch.
  - CVE-2012-1986
* SECURITY UPDATE: Denial of service via Filebucket text/marshal support
  - lib/puppet/network/formats.rb: Removed text/marshal support. Based on
    upstream patch.
  - CVE-2012-1987
* SECURITY UPDATE: Arbitrary code execution via Filebucket requests
  - lib/puppet/network/http/api/v1.rb: Fix for bucket_path security
    vulnerability. Based on upstream patch.
  - CVE-2012-1988
* spec/unit/property/keyvalue.rb: Fix testsuite failure caused by hash
  randomization in Ruby. Based on upstream patch.
  - 765036c707a29077107674ad5c6277df6e637b28

38. By Jamie Strandboge

* SECURITY UPDATE: correctly drop group privileges and properly handle
  symlinks with Klogin. Based on following upstream patches:
  - 7df0533f93f229de72694148da0ebfd9e1e831c9
  - 4ec03b81041c25428a32bc2b83d606ae381e0d53
  - f47dd4d3e0aaaa8ebd75b71ef02ce441df663f04
  - d702377a00988c3ca458fc48adbc63c4bfcf3164
  - ea10b0c487c343d6924951f2da522f3078093a98
  - CVE-2012-1053
  - CVE-2012-1054
* debian/rules: update unit tests to remove tc_suidmanager.rb (part of fix
  for the above)
  - ed0bc14c54018691013fdf6eaa989bc5e49f1a66

37. By Marc Deslauriers

* SECURITY UPDATE: puppet master impersonation via incorrect certificates
  - lib/puppet/{defaults,sslcertificates}.rb: disable certdnsnames
    setting and issue a warning if it is used.
  - Thanks to upstream for providing the patch.
  - CVE-2011-3872

36. By Jamie Strandboge

* adjust ssh_authorized_key/parsed.rb: save backup file to filebucket before
  dropping privileges. Based on upstream commit:
  3f99bd71811be182f9217d727ec0ca7755eec68d
  - http://projects.puppetlabs.com/issues/4267
  - LP: #865462

35. By Jamie Strandboge

* SECURITY UPDATE: k5login can overwrite arbitrary files as root
  - adjust type/k5login.rb to securely open the file before writing to it as
    root. Patch from upstream: a4333c110ad084f205605708eaab52ad243d6c86
  - CVE-2011-3869
* SECURITY UPDATE: didn't drop privileges before creating and changing
  permissions on SSH keys
  - adjust ssh_authorized_key/parsed.rb to drop privileges before creating
    the ssh directory and setting permissions. Patches based on upstream:
    ce233aa2a511bf6818f28c226144ec5b05a468ee (required for security fix)
    e2c1cd5c957a236f89b9e8cb7b4e4f8769079e8c (security fix)
    8d9575775737c08c6cbfdf7f9a22f2ea4ab21b20 (backported rspec test case)
    0aae5a71a8e3b38cd8d7041f5c40091887c924a8 (fix test when run as root)
  - CVE-2011-3870
* SECURITY UPDATE: fix predictable temporary filename in ralsh
  - adjust application/resource.rb to use an unpredictable filename. Patch
    from upstream: 21b7192320dbb79a8cfe1fd3e06d0d399c964c0f
  - CVE-2011-3871

34. By Jamie Strandboge

* SECURITY UPDATE: unauthenticated directory traversal allows writing of
  arbitrary files as puppet master (LP: #861182)
  - update lib/puppet/indirector.rb, lib/puppet/indirector/ssl_file.rb,
    lib/puppet/indirector/yaml.rb, spec/unit/indirector/ssl_file.rb and
    spec/unit/indirector/yaml.rb to perform proper input validation.
    Patch from upstream (Daniel Pittman <email address hidden>)
    6e5a821cbf94b220dfc021ff7ebad0831c60e207
  - CVE-2011-3848
  - LP: #861182

33. By Mathias Gug

* Fix init service provider to correctly check the status of services
  using upstart jobs (LP: #551544).
* Package spec/ tests so that both test/ and spec/ tests can be run.

32. By Mathias Gug

* Patch from upstream to fix test suite:
  + failures: LP: #532202, LP: #532204, LP: #532205, LP: #532208,
    LP: #532209, LP: #532215, LP: #532299, LP: #532300, LP: #532302,
    LP: #532202, LP: #532307, LP: #532135, LP: #532138, LP: #532198,
  + errors: LP: #528816, LP: #528817

31. By Mathias Gug

debian/puppetmaster.init: Fix init stop action to not fail if the
puppetmaster is already stopped.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/oneiric/puppet