Announce: Puppet Server 0.2.1 Available [Security Release]
30 views
Skip to first unread message
Matthaus Owens
Sep 29, 2014, 7:30:07 PM9/29/14
to Puppet Users, puppe...@googlegroups.com, puppet-...@googlegroups.com
Puppet Server 0.2.1 is a security release. This release addresses
CVE-2014-7170. All users of Puppet Server are encouraged to upgrade as
soon as possible.
** CVE-2014-7170 **
Local information leakage
Due to a packaging bug[1], there is a window between package
installation/upgrade and service start where privileged data is
accessible to non-privileged local users.
CVSS v2 Score: 2.0 (low severity) [2]
CVSS v2 Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C)
Thanks to Dominic Cleal for responsibly disclosing this issue to us.
Reminder:
As the version number 0.2.1 should imply, Puppet Server is not
production ready (yet), but please do try it out in your favorite
sandbox. Additionally, the API will not be considered fully stable
until Puppet Server reaches 1.0.0.
Install Puppet Server from packages:
https://github.com/puppetlabs/puppet-server/blob/puppet-server-0.2.1/documentation/install_from_packages.markdown
Submit issues to:
https://tickets.puppetlabs.com/browse/SERVER
Source:
https://github.com/puppetlabs/puppet-server
[1] - https://tickets.puppetlabs.com/browse/SERVER-9
[2] - http://nvd.nist.gov/cvss.cfm
--
Matthaus Owens
Puppet Labs
Join us at PuppetConf 2014, September 20-24 in San Francisco -
www.puppetconf.com
CVE-2014-7170. All users of Puppet Server are encouraged to upgrade as
soon as possible.
** CVE-2014-7170 **
Local information leakage
Due to a packaging bug[1], there is a window between package
installation/upgrade and service start where privileged data is
accessible to non-privileged local users.
CVSS v2 Score: 2.0 (low severity) [2]
CVSS v2 Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C)
Thanks to Dominic Cleal for responsibly disclosing this issue to us.
Reminder:
As the version number 0.2.1 should imply, Puppet Server is not
production ready (yet), but please do try it out in your favorite
sandbox. Additionally, the API will not be considered fully stable
until Puppet Server reaches 1.0.0.
Install Puppet Server from packages:
https://github.com/puppetlabs/puppet-server/blob/puppet-server-0.2.1/documentation/install_from_packages.markdown
Submit issues to:
https://tickets.puppetlabs.com/browse/SERVER
Source:
https://github.com/puppetlabs/puppet-server
[1] - https://tickets.puppetlabs.com/browse/SERVER-9
[2] - http://nvd.nist.gov/cvss.cfm
--
Matthaus Owens
Puppet Labs
Join us at PuppetConf 2014, September 20-24 in San Francisco -
www.puppetconf.com
Reply all
Reply to author
Forward
0 new messages