Announce: Puppet 2.7.5 available [security updates]


Michael Stahnke

Sep 30, 2011, 6:51:06 PM9/30/11
to puppet...@googlegroups.com, puppe...@googlegroups.com, puppet-...@googlegroups.com
Puppet 2.7.5 is a security update release in the 2.7.x branch.

The only changes since 2.7.4 are security fixes for the following vulnerabilities:

* CVE-2011-3870, a symlink attack via a user's SSH authorized_keys file
* CVE-2011-3869, a symlink attack via a user's .k5login file
* CVE-2011-3871, a privilege escalation attack via the temp file used by puppet resource
* A low-risk file indirector injection attack

WE RECOMMEND UPDATING TO THIS VERSION IMMEDIATELY, as an issue with our ticketing system resulted in information about these issues leaking to a public list prior to their official disclosure.

For more details on these vulnerabilities, follow the links on our security updates page at: http://puppetlabs.com/security

Puppet 2.7.5 is available as of now.  Changelog entries are available below.
More detailed information is available on our Release Notes page.

Release Notes have been updated:
https://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes#2.7.5

This release is available for download at:
http://puppetlabs.com/downloads/puppet/puppet-2.7.5.tar.gz

RPMs are available at http://yum.puppetlabs.com/el

Puppet is also available via Rubygems at http://rubygems.org

See the Verifying Puppet Download section at:
http://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet

Please report feedback via the Puppet Labs Redmine site, using an
affected puppet version of 2.7.5:
http://projects.puppetlabs.com/projects/puppet/

Commits:

4079ab2 Updating version numbers for 2.7.5
de51f3d (#9832) 2.7.4 StoreConfigs regression with PostgreSQL.
1aa9be5 (#9793) "secure" indirector file backed terminus base class.
d76c309 (#9792) Predictable temporary filename in ralsh.
b29b178 Drop privileges before creating and chmodding SSH keys.
7d4c169 (#9794) k5login can overwrite arbitrary files as root
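The three vulnerabilities above share one root cause: a privileged Puppet process creating or rewriting a file at a path a local user can influence (an SSH authorized_keys file, a .k5login file, a predictable temp name). As an added example, not Puppet's own code and not the actual 2.7.5 fix, the Ruby helper below shows the defensive pattern: stage content in a randomly named O_EXCL temp file in the destination directory, open with O_NOFOLLOW, and refuse to write where a symlink sits at the destination. The helper name and the error class are assumptions.

```ruby
require 'securerandom'

# Hypothetical error raised when the destination looks like a planted symlink.
class UnsafePathError < StandardError; end

# Hardened write to a file inside a user-controlled directory.
# Mitigates the bug class above: a root process must never follow a
# user-planted symlink, and must never use a guessable temp name.
def write_without_following_symlinks(path, content, mode: 0600)
  dir = File.dirname(path)
  # The containing directory must be a real directory, not a symlink.
  raise UnsafePathError, "#{dir} is not a real directory" unless File.lstat(dir).directory?

  # Unpredictable temp name in the same directory (same filesystem, so
  # the final rename is atomic). O_EXCL fails if anything already sits there,
  # O_NOFOLLOW refuses to open through a symlink.
  tmp = File.join(dir, ".#{File.basename(path)}.#{SecureRandom.hex(8)}.tmp")
  File.open(tmp, File::WRONLY | File::CREAT | File::EXCL | File::NOFOLLOW, mode) do |f|
    f.write(content)
    f.flush
  end

  # rename(2) does not follow symlinks, so replacing a link here cannot
  # clobber its target; we still refuse, because a link at this path is a
  # sign of tampering worth surfacing rather than silently overwriting.
  if File.symlink?(path)
    File.unlink(tmp)
    raise UnsafePathError, "#{path} is a symlink; refusing to write"
  end
  File.rename(tmp, path)
  path
end
```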