| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 17 Jan 2014 16:07:16 +0000 From: Salvatore Bonaccorso <carnil@...ian.org> To: debian-security-announce@...ts.debian.org Subject: [SECURITY] [DSA 2831-2] puppet regression update -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-2831-2 security@...ian.org http://www.debian.org/security/ Salvatore Bonaccorso January 17, 2014 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : puppet Vulnerability : regression Debian-specific: no Debian Bug : 734444 The fix for CVE-2013-4969 contained a regression affecting the default file mode if none is specified on a file resource. The oldstable distribution (squeeze) is not affected by this regression. For the stable distribution (wheezy), this problem has been fixed in version 2.7.23-1~deb7u3. For the testing distribution (jessie) and the unstable distribution (sid), this problem has been fixed in version 3.4.2-1. For reference, the original advisory text follows. An unsafe use of temporary files was discovered in Puppet, a tool for centralized configuration management. An attacker can exploit this vulnerability and overwrite an arbitrary file in the system. For the oldstable distribution (squeeze), this problem has been fixed in version 2.6.2-5+squeeze9. For the stable distribution (wheezy), this problem has been fixed in version 2.7.23-1~deb7u2. For the testing distribution (jessie), this problem has been fixed in version 3.4.1-1. For the unstable distribution (sid), this problem has been fixed in version 3.4.1-1. We recommend that you upgrade your puppet packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-announce@...ts.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJS2VDIAAoJEAVMuPMTQ89EJDIP/3s1z5/F0jY78IgzvH4smp9z XJp7zWClZgRbHP8OdRPaEFd5EGVfaWR+Utvp0c68fY5dqKsTWGePg8E8PayDYItx 9yABFBfTlorbThWSbd9wLJ4XazcdsAzA4GvFB5VqVoy0DuqMq9un96+F+D/wlngN awnBSJCt+BDEoKrUee6YMVqeHFlMITdC/kYbs+ZkuaQ21YBhO31En27jtE69DrHU HWq5rCywN+0IDpbkJ5RLkGRlya1pGW+j1pSXLyj5tGsOSclZzItkbvoJb0053VnG fDc1Q920ZRplOn3GXvyFkdjLEbTg2JcSVn5veIX1OTZ7KwT0Bp6n+iyqa3j9FdtG fhY78b92Eba7K3hWHhddN72K4mXY0y5W4DDOoK1HLWWo1oq8g+pUSHhSj/WVfFkv xEgJRSb2bsiEiwkMjAWwQGUjuhpna1/nQIiwKayL6EPcjuIa6k0mdgr9+DnHUEZJ Rb1WWyjaRs/15/6Jxcx7BsOy/EpgSq1mvwsLI8nZE4DSHSBj+BGnDojJ3iLXTSL2 yvxZTLa2iCm/+CsLMQTVRvJylxE4Sn7aelOpGPrfdFUBI9YpTmgcDJ7gQ8qcr7Tx Zi4efYc4j89t87U9APIS1uNxSarEULYsNF8V31JDqWR1N6Y65viaH6Hrp9Le3eqr XlcH6Q25UYFJG/57YG1M =aCWc -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists