Announce: Facter 1.7.6 [ Security Release ]

Melissa Stone
Jun 16, 2014, 7:26:53 PM
to puppet-...@googlegroups.com, puppet...@googlegroups.com, puppe...@googlegroups.com
Facter 1.7.6 is a security fix release in the Facter 1.7 series. The Facter
1.7 series was incorrectly omitted from the original security announcement
for Facter. This release addresses CVE-2014-3248. It has no other bug fixes
or new features. All users of Facter 1.7.5 and earlier are encouraged to
update to 1.7.6.
 
** CVE-2014-3248 **
Arbitrary Code Execution with Required Social Engineering
An attacker could convince an administrator to unknowingly create and
execute malicious code on platforms with Ruby 1.9.1 and earlier.
CVSSv2 Score: 5.2
Vector: AV:L/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
 
Affected Facter versions (Ruby 1.9.1 and earlier only):
2.x
1.7.x
1.6.x
 
Fixed Facter versions:
1.7.6, 2.0.2
 
See the Release Notes here:
 
For more information on this vulnerability, please visit
 
To report issues with the release, file a ticket in the "FACT" project
on http://tickets.puppetlabs.com/ and set the "Affects version/s"
field to "1.7.6"