lp:ubuntu/oneiric-security/puppet

Created by Ubuntu Package Importer on 2011-10-24 and last modified on 2013-03-11
Get this branch:
bzr branch lp:ubuntu/oneiric-security/puppet
Members of Ubuntu branches can upload to this branch. Log in for directions.

Branch merges

Related bugs

Related blueprints

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Mature

Recent revisions

59. By Marc Deslauriers on 2013-03-11

* SECURITY UPDATE: Multiple security issues
  - debian/patches/security-mar-2013.patch: upstream patch to fix
    multiple security issues.
  - CVE-2013-1640 - Remote code execution on master from authenticated clients
  - CVE-2013-1652 - Insufficient input validation
  - CVE-2013-1653 - Remote code execution
  - CVE-2013-1654 - Protocol downgrade
  - CVE-2013-1655 - Unauthenticated remote code execution risk
  - CVE-2013-2275 - Incorrect default report ACL

58. By Marc Deslauriers on 2012-07-10

* SECURITY UPDATE: multiple July 2012 security issues
  - debian/patches/2.7.9-Puppet-July-2012-CVE-fixes.patch: fix multiple
    security issues with backported upstream 2.7.9 patch to 2.7.1.
  - CVE-2012-3864: arbitrary file read on master from authenticated
    clients
  - CVE-2012-3865: arbitrary file delete or denial of service on master
    from authenticated clients
  - CVE-2012-3866: last_run_report.yaml report file is world readable and
    leads to arbitrary file read on master by an agent
  - CVE-2012-3867: insufficient input validation for agent cert hostnames

57. By Tyler Hicks on 2012-04-10

* SECURITY UPDATE: Arbitrary file writes via predictable filename usage in
  appdmg and pkgdmg providers
  - debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
  - CVE-2012-1906
* SECURITY UPDATE: Arbitrary file reads via Filebucket REST requests
  - debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
  - CVE-2012-1986
* SECURITY UPDATE: Denial of service via Filebucket text/marshall support
  - debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
  - CVE-2012-1987
* SECURITY UPDATE: Arbitrary code execution via Filebucket requests
  - debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
  - CVE-2012-1988
* SECURITY UPDATE: Arbritrary file writes via predictable telnet output log
  filename
  - debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
  - CVE-2012-1989
* debian/patches/fix-unpredictable-hash-ordering-tests.patch: Fix testsuite
  failures caused by hash randomization in Ruby

56. By Jamie Strandboge on 2012-02-16

* SECURITY UPDATE: correctly drop group privileges
  - debian/patches/CVE-2012-1053_CVE-2012-1054.patch
  - CVE-2012-1053
* SECURITY UPDATE: properly handle symlinks with Klogin
  - debian/patches/CVE-2012-1053_CVE-2012-1054.patch
  - CVE-2012-1054

55. By Jamie Strandboge on 2012-02-13

* SECURITY UPDATE: fix access to remote resource when auth.conf is
  missing which was was reintroduced in 2.7.1-1ubuntu1.
  - debian/patches/debian-changes: Pull out change that re-enabled
    remote ralsh by default. It should be disabled.
  - CVE-2011-0528
* debian/patches/fix-orderdependent-certificate-tests.patch: fix CA
  certificate testsuite failures.

54. By Marc Deslauriers on 2011-10-24

* SECURITY UPDATE: puppet master impersonation via incorrect certificates
  - debian/patches/CVE-2011-3872.patch: refactor certificate handling.
  - Thanks to upstream for providing the patch.
  - CVE-2011-3872

53. By Jamie Strandboge on 2011-09-30

* SECURITY UPDATE: k5login can overwrite arbitrary files as root
  - debian/patches/CVE-2011-3869.patch: adjust type/k5login.rb to securely
    open the file before writing to it as root
  - CVE-2011-3869
* SECURITY UPDATE: didn't drop privileges before creating and changing
  permissions on SSH keys
  - debian/patches/CVE-2011-3870.patch: adjust ssh_authorized_key/parsed.rb
    to drop privileges before creating the ssh directory and setting
    permissions
  - CVE-2011-3870
* SECURITY UPDATE: fix predictable temporary filename in ralsh
  - debian/patches/CVE-2011-3871.patch: adjust application/resource.rb to
    use an unpredictable filename
  - CVE-2011-3871
* SECURITY UPDATE: file indirector injection, similar to CVE-2011-3848
  - secure-indirector-file-backed-terminus-base-cla.patch: Since the
    indirector file backed terminus base class is only used by the test
    suite, remove it and update test cases to use a continuing class.

52. By Jamie Strandboge on 2011-09-28

* SECURITY UPDATE: unauthenticated directory traversal allows writing of
  arbitrary files as puppet master
  - debian/patches/CVE-2011-3848.patch: update lib/puppet/indirector.rb,
    lib/puppet/indirector/ssl_file.rb, lib/puppet/indirector/yaml.rb,
    spec/unit/indirector/ssl_file.rb and spec/unit/indirector/yaml.rb to
    perform proper input validation.
  - CVE-2011-3848
  - LP: #861182

51. By Chuck Short on 2011-07-25

* Merge from debian unstable. Remaining changes:
  - debian/puppetmaster-passenger.postinst: Use cacrl instead of hostcrl to
    set the location of the CRL in apache2 configuration. Fix apache2
    configuration on upgrade as well (LP: #641001)
  - move all puppet dependencies to puppet-common since all the code
    actually located in puppet-common.
  - move libagueas from a recommend to a dependency.

50. By Chuck Short on 2011-05-02

* Merge from debian unstable. Remaining changes:
  - debian/puppetmaster-passenger.postinst: Use cacrl instead of hostcrl to
    set the location of the CRL in apache2 configuration. Fix apache2
    configuration on upgrade as well (LP: #641001)
  - move all puppet dependencies to puppet-common since all the code
    actually located in puppet-common.
  - move libagueas from a recommend to a dependency.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/precise/puppet
This branch contains Public information 
Everyone can see this information.

Subscribers