Date:      Mon, 23 Mar 2020 17:34:41 +0000 (UTC)
From:      Romain Tartière <romain@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r528994 - head/security/vuxml
Message-ID:  <202003231734.02NHYfxE012513@repo.freebsd.org>

Author: romain
Date: Mon Mar 23 17:34:41 2020
New Revision: 528994
URL: https://svnweb.freebsd.org/changeset/ports/528994

Log:
  Add details for two Puppet-related CVEs

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Mon Mar 23 17:32:22 2020	(r528993)
+++ head/security/vuxml/vuln.xml	Mon Mar 23 17:34:41 2020	(r528994)
@@ -58,6 +58,72 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="36def7ba-6d2b-11ea-b115-643150d3111d">
+    <topic>puppetserver and puppetdb -- Puppet Server and PuppetDB may leak sensitive information via metrics API</topic>
+    <affects>
+      <package>
+	<name>puppetdb5</name>
+	<range><lt>5.2.13</lt></range>
+      </package>
+      <package>
+	<name>puppetdb6</name>
+	<range><lt>6.9.1</lt></range>
+      </package>
+      <package>
+	<name>puppetserver5</name>
+	<range><lt>5.3.12</lt></range>
+      </package>
+      <package>
+	<name>puppetserver6</name>
+	<range><lt>6.9.2</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Puppetlabs reports:</p>
+	<blockquote cite="https://puppet.com/security/cve/CVE-2020-7943/">;
+	  <p>Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which may contain sensitive information) as well as function names and class names. Previously, these endpoints were open to the local network.</p>
+	  <p>PE 2018.1.13 &amp; 2019.4.0, Puppet Server 6.9.1 &amp; 5.3.12, and PuppetDB 6.9.1 &amp; 5.2.13 disable trapperkeeper-metrics /v1 metrics API and only allows /v2 access on localhost by default.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2020-7943</cvename>
+      <url>https://puppet.com/security/cve/CVE-2020-7943/</url>;
+    </references>
+    <dates>
+      <discovery>2020-03-10</discovery>
+      <entry>2020-03-23</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="77687355-52aa-11ea-b115-643150d3111d">
+    <topic>puppet6 -- Arbitrary Catalog Retrieval</topic>
+    <affects>
+      <package>
+	<name>puppet6</name>
+	<range><lt>6.13.0</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Puppetlabs reports:</p>
+	<blockquote cite="https://puppet.com/security/cve/CVE-2020-7942/">;
+	  <p>Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the `default` node, the catalog can be retrieved for a different node by modifying facts for the Puppet run. This issue can be mitigated by setting `strict_hostname_checking = true` in `puppet.conf` on your Puppet master.</p>
+	  <p>Puppet 6.13.0 changes the default behavior for strict_hostname_checking from false to true. It is recommended that Puppet Open Source and Puppet Enterprise users that are not upgrading still set strict_hostname_checking to true to ensure secure behavior.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2020-7942</cvename>
+      <url>https://puppet.com/security/cve/CVE-2020-7942/</url>;
+    </references>
+    <dates>
+      <discovery>2020-02-18</discovery>
+      <entry>2020-03-23</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="6b90acba-6a0a-11ea-92ab-00163e433440">
     <topic>FreeBSD -- Kernel memory disclosure with nested jails</topic>
     <affects>
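
Review bot: In the first entry the puppetserver6 bound is `<range><lt>6.9.2</lt></range>`, but the quoted advisory names Puppet Server 6.9.1 as the fixed 6.x release, while the other three bounds (5.2.13, 6.9.1, 5.3.12) match the quote. If 6.9.2 is deliberate, for example because it is the first version the port carried with the fix, an XML comment next to that range would document why it differs from the advisory; otherwise the bound should read 6.9.1. In the second entry only puppet6 is listed, yet the quoted text tells users who are not upgrading to set strict_hostname_checking themselves, so please confirm that no other puppet port needs a range in this entry.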