From owner-svn-ports-head@FreeBSD.ORG  Wed Mar 13 03:35:56 2013
Return-Path: <owner-svn-ports-head@FreeBSD.ORG>
Delivered-To: svn-ports-head@freebsd.org
Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115])
 by hub.freebsd.org (Postfix) with ESMTP id 019CB238;
 Wed, 13 Mar 2013 03:35:56 +0000 (UTC)
 (envelope-from swills@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 by mx1.freebsd.org (Postfix) with ESMTP id D9D5EDB9;
 Wed, 13 Mar 2013 03:35:55 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
 by svn.freebsd.org (8.14.6/8.14.6) with ESMTP id r2D3Zto8052419;
 Wed, 13 Mar 2013 03:35:55 GMT (envelope-from swills@svn.freebsd.org)
Received: (from swills@localhost)
 by svn.freebsd.org (8.14.6/8.14.5/Submit) id r2D3ZsIl052411;
 Wed, 13 Mar 2013 03:35:54 GMT (envelope-from swills@svn.freebsd.org)
Message-Id: <201303130335.r2D3ZsIl052411@svn.freebsd.org>
From: Steve Wills <swills@FreeBSD.org>
Date: Wed, 13 Mar 2013 03:35:54 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org,
 svn-ports-head@freebsd.org
Subject: svn commit: r314019 - in head: security/vuxml sysutils/puppet
 sysutils/puppet27
X-SVN-Group: ports-head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-ports-head@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: SVN commit messages for the ports tree for head
 <svn-ports-head.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-ports-head>,
 <mailto:svn-ports-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-ports-head>
List-Post: <mailto:svn-ports-head@freebsd.org>
List-Help: <mailto:svn-ports-head-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-ports-head>,
 <mailto:svn-ports-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Mar 2013 03:35:56 -0000

Author: swills
Date: Wed Mar 13 03:35:54 2013
New Revision: 314019
URL: http://svnweb.freebsd.org/changeset/ports/314019

Log:
  - Update puppet to 3.1.1 resolving multiple security issues
  - Update puppet27 to 2.7.21 resolving multiple security issues
  - Document multiple puppet security issues
  
  Security:	cda566a0-2df0-4eb0-b70e-ed7a6fb0ab3c

Modified:
  head/security/vuxml/vuln.xml
  head/sysutils/puppet/Makefile
  head/sysutils/puppet/distinfo
  head/sysutils/puppet27/Makefile
  head/sysutils/puppet27/distinfo   (contents, props changed)

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Wed Mar 13 03:23:04 2013	(r314018)
+++ head/security/vuxml/vuln.xml	Wed Mar 13 03:35:54 2013	(r314019)
@@ -51,6 +51,164 @@ Note:  Please add new entries to the beg
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="cda566a0-2df0-4eb0-b70e-ed7a6fb0ab3c">
+    <topic>puppet27 and puppet -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>puppet</name>
+	<range><ge>3.0</ge><lt>3.1.1</lt></range>
+      </package>
+      <package>
+	<name>puppet27</name>
+	<range><ge>2.7</ge><lt>2.7.21</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Moses Mendoza reports:</p>
+	<blockquote cite="https://puppetlabs.com/blog/security-updates-new-releases-of-puppet-and-puppet-enterprise/">
+	  <p>A vulnerability found in Puppet could allow an authenticated client
+	     to cause the master to execute arbitrary code while responding to a
+	     catalog request. Specifically, in order to exploit the
+	     vulnerability, the puppet master must be made to invoke the
+             'template' or 'inline_template' functions during catalog compilation.
+          </p>
+	  <p>A vulnerability found in Puppet could allow an authenticated client
+	     to connect to a puppet master and perform unauthorized actions.
+	     Specifically, given a valid certificate and private key, an agent
+	     could retrieve catalogs from the master that it is not authorized
+	     to access or it could poison the puppet master's caches for any
+	     puppet-generated data that supports caching such as catalogs,
+	     nodes, facts, and resources. The extent and severity of this
+	     vulnerability varies depending on the specific configuration of the
+	     master: for example, whether it is using storeconfigs or not, which
+             version, whether it has access to the cache or not, etc.
+          </p>
+	  <p>A vulnerability has been found in Puppet which could allow
+	     authenticated clients to execute arbitrary code on agents that have
+	     been configured to accept kick connections. This vulnerability is
+	     not present in the default configuration of puppet agents, but if
+	     they have been configured to listen for incoming connections
+	     ('listen=true'), and the agent's auth.conf has been configured to
+	     allow access to the `run` REST endpoint, then a client could
+	     construct an HTTP request which could execute arbitrary code. The
+	     severity of this issue is exacerbated by the fact that puppet
+             agents typically run as root.
+          </p>
+	  <p>A vulnerability has been found in Puppet that could allow a client
+	     negotiating a connection to a master to downgrade the master's
+	     SSL protocol to SSLv2. This protocol has been found to contain
+	     design weaknesses. This issue only affects systems running older
+	     versions (pre 1.0.0) of openSSL. Newer versions explicitly disable
+             SSLv2.
+          </p>
+	  <p>A vulnerability found in Puppet could allow unauthenticated clients
+	     to send requests to the puppet master which would cause it to load
+	     code unsafely. While there are no reported exploits, this
+	     vulnerability could cause issues like those described in Rails
+	     CVE-2013-0156. This vulnerability only affects puppet masters
+             running Ruby 1.9.3 and higher.
+          </p>
+	  <p>This vulnerability affects puppet masters 0.25.0 and above. By
+	     default, auth.conf allows any authenticated node to submit a report
+	     for any other node. This can cause issues with compliance. The
+             defaults in auth.conf have been changed.
+          </p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2013-1640</cvename>
+      <cvename>CVE-2013-1652</cvename>
+      <cvename>CVE-2013-1653</cvename>
+      <cvename>CVE-2013-1654</cvename>
+      <cvename>CVE-2013-1655</cvename>
+      <cvename>CVE-2013-2275</cvename>
+      <url>https://puppetlabs.com/security/cve/cve-2013-1640/</url>
+      <url>https://puppetlabs.com/security/cve/cve-2013-1652/</url>
+      <url>https://puppetlabs.com/security/cve/cve-2013-1653/</url>
+      <url>https://puppetlabs.com/security/cve/cve-2013-1654/</url>
+      <url>https://puppetlabs.com/security/cve/cve-2013-1655/</url>
+      <url>https://puppetlabs.com/security/cve/cve-2013-2275/</url>
+      <url>https://groups.google.com/forum/?fromgroups=#!topic/puppet-announce/f_gybceSV6E</url>
+      <url>https://groups.google.com/forum/?fromgroups=#!topic/puppet-announce/kgDyaPhHniw</url>
+    </references>
+    <dates>
+      <discovery>2013-03-13</discovery>
+      <entry>2013-03-13</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="04042f95-14b8-4382-a8b9-b30e365776cf">
+    <topic>puppet26 -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>puppet26</name>
+	<range><ge>2.6</ge><lt>2.6.18</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Moses Mendoza reports:</p>
+	<blockquote cite="https://puppetlabs.com/blog/security-updates-new-releases-of-puppet-and-puppet-enterprise/">
+	  <p>A vulnerability found in Puppet could allow an authenticated client
+	     to cause the master to execute arbitrary code while responding to a
+	     catalog request. Specifically, in order to exploit the
+	     vulnerability, the puppet master must be made to invoke the
+             'template' or 'inline_template' functions during catalog compilation.
+          </p>
+	  <p>A vulnerability found in Puppet could allow an authenticated client
+	     to connect to a puppet master and perform unauthorized actions.
+	     Specifically, given a valid certificate and private key, an agent
+	     could retrieve catalogs from the master that it is not authorized
+	     to access or it could poison the puppet master's caches for any
+	     puppet-generated data that supports caching such as catalogs,
+	     nodes, facts, and resources. The extent and severity of this
+	     vulnerability varies depending on the specific configuration of the
+	     master: for example, whether it is using storeconfigs or not, which
+             version, whether it has access to the cache or not, etc.
+          </p>
+	  <p>A vulnerability has been found in Puppet that could allow a client
+	     negotiating a connection to a master to downgrade the master's
+	     SSL protocol to SSLv2. This protocol has been found to contain
+	     design weaknesses. This issue only affects systems running older
+	     versions (pre 1.0.0) of openSSL. Newer versions explicitly disable
+             SSLv2.
+          </p>
+	  <p>A vulnerability found in Puppet could allow an authenticated client
+	     to execute arbitrary code on a puppet master that is running in the
+	     default configuration, or an agent with `puppet kick` enabled.
+	     Specifically, a properly authenticated and connected puppet agent
+	     could be made to construct an HTTP PUT request for an authorized
+	     report that actually causes the execution of arbitrary code on the
+             master.
+          </p>
+	  <p>This vulnerability affects puppet masters 0.25.0 and above. By
+	     default, auth.conf allows any authenticated node to submit a report
+	     for any other node. This can cause issues with compliance. The
+             defaults in auth.conf have been changed.
+          </p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2013-1640</cvename>
+      <cvename>CVE-2013-1652</cvename>
+      <cvename>CVE-2013-1654</cvename>
+      <cvename>CVE-2013-2274</cvename>
+      <cvename>CVE-2013-2275</cvename>
+      <url>https://puppetlabs.com/security/cve/cve-2013-1640/</url>
+      <url>https://puppetlabs.com/security/cve/cve-2013-1652/</url>
+      <url>https://puppetlabs.com/security/cve/cve-2013-1654/</url>
+      <url>https://puppetlabs.com/security/cve/cve-2013-2274/</url>
+      <url>https://puppetlabs.com/security/cve/cve-2013-2275/</url>
+    </references>
+    <dates>
+      <discovery>2013-03-13</discovery>
+      <entry>2013-03-13</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="68c1f75b-8824-11e2-9996-c48508086173">
     <topic>perl -- denial of service via algorithmic complexity attack on hashing routines</topic>
     <affects>

Modified: head/sysutils/puppet/Makefile
==============================================================================
--- head/sysutils/puppet/Makefile	Wed Mar 13 03:23:04 2013	(r314018)
+++ head/sysutils/puppet/Makefile	Wed Mar 13 03:35:54 2013	(r314019)
@@ -2,8 +2,8 @@
 # $FreeBSD$
 
 PORTNAME=	puppet
-PORTVERSION=	3.0.2
-PORTREVISION=	1
+PORTVERSION=	3.1.1
+PORTREVISION=	0
 CATEGORIES=	sysutils
 MASTER_SITES=	http://downloads.puppetlabs.com/puppet/
 
@@ -28,7 +28,7 @@ SUB_LIST=	RUBY=${RUBY}
 
 MANCOMPRESSED=	yes
 MAN5=	puppet.conf.5
-MAN8=	puppet-agent.8 puppet-apply.8 puppet-ca.8 \
+MAN8=	extlookup2hiera.8 puppet-agent.8 puppet-apply.8 puppet-ca.8 \
 	puppet-catalog.8 puppet-cert.8 puppet-certificate.8 \
 	puppet-certificate_request.8 puppet-certificate_revocation_list.8 \
 	puppet-config.8 puppet-describe.8 puppet-device.8 puppet-doc.8 \

Modified: head/sysutils/puppet/distinfo
==============================================================================
--- head/sysutils/puppet/distinfo	Wed Mar 13 03:23:04 2013	(r314018)
+++ head/sysutils/puppet/distinfo	Wed Mar 13 03:35:54 2013	(r314019)
@@ -1,2 +1,2 @@
-SHA256 (puppet-3.0.2.tar.gz) = e4d73ae9953764b0c70c1327c9105ec9a17f03b33d50e622611491c886796d6b
-SIZE (puppet-3.0.2.tar.gz) = 1534566
+SHA256 (puppet-3.1.1.tar.gz) = 4401f6388bb96b1301a107f247af6fa558127d78467bb5cef1a1e0ff66b4463d
+SIZE (puppet-3.1.1.tar.gz) = 1587190

Modified: head/sysutils/puppet27/Makefile
==============================================================================
--- head/sysutils/puppet27/Makefile	Wed Mar 13 03:23:04 2013	(r314018)
+++ head/sysutils/puppet27/Makefile	Wed Mar 13 03:35:54 2013	(r314019)
@@ -2,7 +2,7 @@
 # $FreeBSD$
 
 PORTNAME=	puppet
-PORTVERSION=	2.7.20
+PORTVERSION=	2.7.21
 CATEGORIES=	sysutils
 MASTER_SITES=	http://downloads.puppetlabs.com/puppet/
 

Modified: head/sysutils/puppet27/distinfo
==============================================================================
--- head/sysutils/puppet27/distinfo	Wed Mar 13 03:23:04 2013	(r314018)
+++ head/sysutils/puppet27/distinfo	Wed Mar 13 03:35:54 2013	(r314019)
@@ -1,2 +1,2 @@
-SHA256 (puppet-2.7.20.tar.gz) = 77d39513261bd38322b04aef5002c134de73e40343684cdff5459ab33703fafb
-SIZE (puppet-2.7.20.tar.gz) = 1982220
+SHA256 (puppet-2.7.21.tar.gz) = c18b426457d023e87745f0a98b7dd257f8e94722b5b0d3cafb6048ef2499273f
+SIZE (puppet-2.7.21.tar.gz) = 1998848