lp:ubuntu/lucid-security/puppet
- Get this branch: bzr branch lp:ubuntu/lucid-security/puppet
Recent revisions
- 40. By Marc Deslauriers

  * SECURITY UPDATE: multiple July 2012 security issues
    - Backported from upstream patch for 2.6.4.
    - CVE-2012-3864: arbitrary file read on master from authenticated clients
    - CVE-2012-3865: arbitrary file delete or denial of service on master from authenticated clients
    - CVE-2012-3867: insufficient input validation for agent cert hostnames

- 39. By Tyler Hicks
  * SECURITY UPDATE: Arbitrary file writes via predictable filename usage in appdmg and pkgdmg providers
    - lib/puppet/provider/package/{appdmg.rb,pkgdmg.rb}: Use mktmpdir when downloading packages. Based on upstream patch.
    - CVE-2012-1906
  * SECURITY UPDATE: Arbitrary file reads via Filebucket REST requests
    - lib/puppet/network/http/api/v1.rb: Fix for bucket_path security vulnerability. Based on upstream patch.
    - CVE-2012-1986
  * SECURITY UPDATE: Denial of service via Filebucket text/marshall support
    - lib/puppet/network/formats.rb: Removed text/marshal support. Based on upstream patch.
    - CVE-2012-1987
  * SECURITY UPDATE: Arbitrary code execution via Filebucket requests
    - lib/puppet/network/http/api/v1.rb: Fix for bucket_path security vulnerability. Based on upstream patch.
    - CVE-2012-1988
  * spec/unit/property/keyvalue.rb: Fix testsuite failure caused by hash randomization in Ruby. Based on upstream patch.
    - 765036c707a29077107674ad5c6277df6e637b28

- 38. By Jamie Strandboge
  * SECURITY UPDATE: correctly drop group privileges and properly handle symlinks with k5login. Based on following upstream patches:
    - 7df0533f93f229de72694148da0ebfd9e1e831c9
    - 4ec03b81041c25428a32bc2b83d606ae381e0d53
    - f47dd4d3e0aaaa8ebd75b71ef02ce441df663f04
    - d702377a00988c3ca458fc48adbc63c4bfcf3164
    - ea10b0c487c343d6924951f2da522f3078093a98
    - CVE-2012-1053
    - CVE-2012-1054
  * debian/rules: update unit tests to remove tc_suidmanager.rb (part of fix for the above)
    - ed0bc14c54018691013fdf6eaa989bc5e49f1a66

- 37. By Marc Deslauriers
  * SECURITY UPDATE: puppet master impersonation via incorrect certificates
    - lib/puppet/{defaults,sslcertificates}.rb: disable certdnsnames setting and issue a warning if it is used.
    - Thanks to upstream for providing the patch.
    - CVE-2011-3872

- 36. By Jamie Strandboge
  * adjust ssh_authorized_key/parsed.rb: save backup file to filebucket before dropping privileges. Based on upstream commit: 3f99bd71811be182f9217d727ec0ca7755eec68d
    - http://projects.puppetlabs.com/issues/4267
    - LP: #865462

- 35. By Jamie Strandboge
  * SECURITY UPDATE: k5login can overwrite arbitrary files as root
    - adjust type/k5login.rb to securely open the file before writing to it as root. Patch from upstream: a4333c110ad084f205605708eaab52ad243d6c86
    - CVE-2011-3869
  * SECURITY UPDATE: didn't drop privileges before creating and changing permissions on SSH keys
    - adjust ssh_authorized_key/parsed.rb to drop privileges before creating the ssh directory and setting permissions. Patches based on upstream:
      ce233aa2a511bf6818f28c226144ec5b05a468ee (required for security fix)
      e2c1cd5c957a236f89b9e8cb7b4e4f8769079e8c (security fix)
      8d9575775737c08c6cbfdf7f9a22f2ea4ab21b20 (backported rspec test case)
      0aae5a71a8e3b38cd8d7041f5c40091887c924a8 (fix test when run as root)
    - CVE-2011-3870
  * SECURITY UPDATE: fix predictable temporary filename in ralsh
    - adjust application/resource.rb to use an unpredictable filename. Patch from upstream: 21b7192320dbb79a8cfe1fd3e06d0d399c964c0f
    - CVE-2011-3871

- 34. By Jamie Strandboge
  * SECURITY UPDATE: unauthenticated directory traversal allows writing of arbitrary files as puppet master (LP: #861182)
    - update lib/puppet/indirector.rb, lib/puppet/indirector/ssl_file.rb, lib/puppet/indirector/yaml.rb, spec/unit/indirector/ssl_file.rb and spec/unit/indirector/yaml.rb to perform proper input validation. Patch from upstream (Daniel Pittman <email address hidden>) 6e5a821cbf94b220dfc021ff7ebad0831c60e207
    - CVE-2011-3848
    - LP: #861182

- 33. By Mathias Gug
  * Fix init service provider to correctly check the status of services using upstart jobs (LP: #551544).
  * Package spec/ tests so that both test/ and spec/ tests can be run.

- 32. By Mathias Gug
  * Patch from upstream to fix test suite:
    + failures: LP: #532202, LP: #532204, LP: #532205, LP: #532208, LP: #532209, LP: #532215, LP: #532299, LP: #532300, LP: #532302, LP: #532202, LP: #532307, LP: #532135, LP: #532138, LP: #532198,
    + errors: LP: #528816, LP: #528817

- 31. By Mathias Gug
  debian/puppetmaster.init: Fix init stop action to not fail if the puppetmaster is already stopped.

Branch metadata
- Branch format: Branch format 7
- Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on: lp:ubuntu/oneiric/puppet