Date: Wed, 13 Mar 2013 03:35:54 +0000 (UTC) From: Steve Wills <swills@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r314019 - in head: security/vuxml sysutils/puppet sysutils/puppet27 Message-ID: <201303130335.r2D3ZsIl052411@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: swills Date: Wed Mar 13 03:35:54 2013 New Revision: 314019 URL: http://svnweb.freebsd.org/changeset/ports/314019 Log: - Update puppet to 3.1.1 resolving multiple security issues - Update puppet27 to 2.7.21 resolving multiple security issues - Document multiple puppet security issues Security: cda566a0-2df0-4eb0-b70e-ed7a6fb0ab3c Modified: head/security/vuxml/vuln.xml head/sysutils/puppet/Makefile head/sysutils/puppet/distinfo head/sysutils/puppet27/Makefile head/sysutils/puppet27/distinfo (contents, props changed) Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Wed Mar 13 03:23:04 2013 (r314018) +++ head/security/vuxml/vuln.xml Wed Mar 13 03:35:54 2013 (r314019) @@ -51,6 +51,164 @@ Note: Please add new entries to the beg --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="cda566a0-2df0-4eb0-b70e-ed7a6fb0ab3c"> + <topic>puppet27 and puppet -- multiple vulnerabilities</topic> + <affects> + <package> + <name>puppet</name> + <range><ge>3.0</ge><lt>3.1.1</lt></range> + </package> + <package> + <name>puppet27</name> + <range><ge>2.7</ge><lt>2.7.21</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Moses Mendoza reports:</p> + <blockquote cite="https://puppetlabs.com/blog/security-updates-new-releases-of-puppet-and-puppet-enterprise/">; + <p>A vulnerability found in Puppet could allow an authenticated client + to cause the master to execute arbitrary code while responding to a + catalog request. Specifically, in order to exploit the + vulnerability, the puppet master must be made to invoke the + 'template' or 'inline_template' functions during catalog compilation. + </p> + <p>A vulnerability found in Puppet could allow an authenticated client + to connect to a puppet master and perform unauthorized actions. + Specifically, given a valid certificate and private key, an agent + could retrieve catalogs from the master that it is not authorized + to access or it could poison the puppet master's caches for any + puppet-generated data that supports caching such as catalogs, + nodes, facts, and resources. The extent and severity of this + vulnerability varies depending on the specific configuration of the + master: for example, whether it is using storeconfigs or not, which + version, whether it has access to the cache or not, etc. + </p> + <p>A vulnerability has been found in Puppet which could allow + authenticated clients to execute arbitrary code on agents that have + been configured to accept kick connections. This vulnerability is + not present in the default configuration of puppet agents, but if + they have been configured to listen for incoming connections + ('listen=true'), and the agent's auth.conf has been configured to + allow access to the `run` REST endpoint, then a client could + construct an HTTP request which could execute arbitrary code. The + severity of this issue is exacerbated by the fact that puppet + agents typically run as root. + </p> + <p>A vulnerability has been found in Puppet that could allow a client + negotiating a connection to a master to downgrade the master's + SSL protocol to SSLv2. This protocol has been found to contain + design weaknesses. This issue only affects systems running older + versions (pre 1.0.0) of openSSL. Newer versions explicitly disable + SSLv2. + </p> + <p>A vulnerability found in Puppet could allow unauthenticated clients + to send requests to the puppet master which would cause it to load + code unsafely. While there are no reported exploits, this + vulnerability could cause issues like those described in Rails + CVE-2013-0156. This vulnerability only affects puppet masters + running Ruby 1.9.3 and higher. + </p> + <p>This vulnerability affects puppet masters 0.25.0 and above. By + default, auth.conf allows any authenticated node to submit a report + for any other node. This can cause issues with compliance. The + defaults in auth.conf have been changed. + </p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2013-1640</cvename> + <cvename>CVE-2013-1652</cvename> + <cvename>CVE-2013-1653</cvename> + <cvename>CVE-2013-1654</cvename> + <cvename>CVE-2013-1655</cvename> + <cvename>CVE-2013-2275</cvename> + <url>https://puppetlabs.com/security/cve/cve-2013-1640/</url>; + <url>https://puppetlabs.com/security/cve/cve-2013-1652/</url>; + <url>https://puppetlabs.com/security/cve/cve-2013-1653/</url>; + <url>https://puppetlabs.com/security/cve/cve-2013-1654/</url>; + <url>https://puppetlabs.com/security/cve/cve-2013-1655/</url>; + <url>https://puppetlabs.com/security/cve/cve-2013-2275/</url>; + <url>https://groups.google.com/forum/?fromgroups=#!topic/puppet-announce/f_gybceSV6E</url>; + <url>https://groups.google.com/forum/?fromgroups=#!topic/puppet-announce/kgDyaPhHniw</url>; + </references> + <dates> + <discovery>2013-03-13</discovery> + <entry>2013-03-13</entry> + </dates> + </vuln> + + <vuln vid="04042f95-14b8-4382-a8b9-b30e365776cf"> + <topic>puppet26 -- multiple vulnerabilities</topic> + <affects> + <package> + <name>puppet26</name> + <range><ge>2.6</ge><lt>2.6.18</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Moses Mendoza reports:</p> + <blockquote cite="https://puppetlabs.com/blog/security-updates-new-releases-of-puppet-and-puppet-enterprise/">; + <p>A vulnerability found in Puppet could allow an authenticated client + to cause the master to execute arbitrary code while responding to a + catalog request. Specifically, in order to exploit the + vulnerability, the puppet master must be made to invoke the + 'template' or 'inline_template' functions during catalog compilation. + </p> + <p>A vulnerability found in Puppet could allow an authenticated client + to connect to a puppet master and perform unauthorized actions. + Specifically, given a valid certificate and private key, an agent + could retrieve catalogs from the master that it is not authorized + to access or it could poison the puppet master's caches for any + puppet-generated data that supports caching such as catalogs, + nodes, facts, and resources. The extent and severity of this + vulnerability varies depending on the specific configuration of the + master: for example, whether it is using storeconfigs or not, which + version, whether it has access to the cache or not, etc. + </p> + <p>A vulnerability has been found in Puppet that could allow a client + negotiating a connection to a master to downgrade the master's + SSL protocol to SSLv2. This protocol has been found to contain + design weaknesses. This issue only affects systems running older + versions (pre 1.0.0) of openSSL. Newer versions explicitly disable + SSLv2. + </p> + <p>A vulnerability found in Puppet could allow an authenticated client + to execute arbitrary code on a puppet master that is running in the + default configuration, or an agent with `puppet kick` enabled. + Specifically, a properly authenticated and connected puppet agent + could be made to construct an HTTP PUT request for an authorized + report that actually causes the execution of arbitrary code on the + master. + </p> + <p>This vulnerability affects puppet masters 0.25.0 and above. By + default, auth.conf allows any authenticated node to submit a report + for any other node. This can cause issues with compliance. The + defaults in auth.conf have been changed. + </p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2013-1640</cvename> + <cvename>CVE-2013-1652</cvename> + <cvename>CVE-2013-1654</cvename> + <cvename>CVE-2013-2274</cvename> + <cvename>CVE-2013-2275</cvename> + <url>https://puppetlabs.com/security/cve/cve-2013-1640/</url>; + <url>https://puppetlabs.com/security/cve/cve-2013-1652/</url>; + <url>https://puppetlabs.com/security/cve/cve-2013-1654/</url>; + <url>https://puppetlabs.com/security/cve/cve-2013-2274/</url>; + <url>https://puppetlabs.com/security/cve/cve-2013-2275/</url>; + </references> + <dates> + <discovery>2013-03-13</discovery> + <entry>2013-03-13</entry> + </dates> + </vuln> + <vuln vid="68c1f75b-8824-11e2-9996-c48508086173"> <topic>perl -- denial of service via algorithmic complexity attack on hashing routines</topic> <affects> Modified: head/sysutils/puppet/Makefile ============================================================================== --- head/sysutils/puppet/Makefile Wed Mar 13 03:23:04 2013 (r314018) +++ head/sysutils/puppet/Makefile Wed Mar 13 03:35:54 2013 (r314019) @@ -2,8 +2,8 @@ # $FreeBSD$ PORTNAME= puppet -PORTVERSION= 3.0.2 -PORTREVISION= 1 +PORTVERSION= 3.1.1 +PORTREVISION= 0 CATEGORIES= sysutils MASTER_SITES= http://downloads.puppetlabs.com/puppet/ @@ -28,7 +28,7 @@ SUB_LIST= RUBY=${RUBY} MANCOMPRESSED= yes MAN5= puppet.conf.5 -MAN8= puppet-agent.8 puppet-apply.8 puppet-ca.8 \ +MAN8= extlookup2hiera.8 puppet-agent.8 puppet-apply.8 puppet-ca.8 \ puppet-catalog.8 puppet-cert.8 puppet-certificate.8 \ puppet-certificate_request.8 puppet-certificate_revocation_list.8 \ puppet-config.8 puppet-describe.8 puppet-device.8 puppet-doc.8 \ Modified: head/sysutils/puppet/distinfo ============================================================================== --- head/sysutils/puppet/distinfo Wed Mar 13 03:23:04 2013 (r314018) +++ head/sysutils/puppet/distinfo Wed Mar 13 03:35:54 2013 (r314019) @@ -1,2 +1,2 @@ -SHA256 (puppet-3.0.2.tar.gz) = e4d73ae9953764b0c70c1327c9105ec9a17f03b33d50e622611491c886796d6b -SIZE (puppet-3.0.2.tar.gz) = 1534566 +SHA256 (puppet-3.1.1.tar.gz) = 4401f6388bb96b1301a107f247af6fa558127d78467bb5cef1a1e0ff66b4463d +SIZE (puppet-3.1.1.tar.gz) = 1587190 Modified: head/sysutils/puppet27/Makefile ============================================================================== --- head/sysutils/puppet27/Makefile Wed Mar 13 03:23:04 2013 (r314018) +++ head/sysutils/puppet27/Makefile Wed Mar 13 03:35:54 2013 (r314019) @@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= puppet -PORTVERSION= 2.7.20 +PORTVERSION= 2.7.21 CATEGORIES= sysutils MASTER_SITES= http://downloads.puppetlabs.com/puppet/ Modified: head/sysutils/puppet27/distinfo ============================================================================== --- head/sysutils/puppet27/distinfo Wed Mar 13 03:23:04 2013 (r314018) +++ head/sysutils/puppet27/distinfo Wed Mar 13 03:35:54 2013 (r314019) @@ -1,2 +1,2 @@ -SHA256 (puppet-2.7.20.tar.gz) = 77d39513261bd38322b04aef5002c134de73e40343684cdff5459ab33703fafb -SIZE (puppet-2.7.20.tar.gz) = 1982220 +SHA256 (puppet-2.7.21.tar.gz) = c18b426457d023e87745f0a98b7dd257f8e94722b5b0d3cafb6048ef2499273f +SIZE (puppet-2.7.21.tar.gz) = 1998848
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201303130335.r2D3ZsIl052411>