Announce: Puppet 2.7.21 Available [ Security Release ]

Showing 1-1 of 1 messages
Announce: Puppet 2.7.21 Available [ Security Release ] Moses Mendoza 3/12/13 10:33 AM
Puppet 2.7.21 is now available. 2.7.21 addresses several security
vulnerabilities discovered in the 2.7.x line of Puppet. These
vulnerabilities have been assigned Mitre CVE numbers CVE-2013-1640,
CVE-2013-1652, CVE-2013-1653, CVE-2013-1654, CVE-2013-1655 and

All users of Puppet 2.7.20 and earlier who cannot upgrade to the
current version of Puppet, 3.1.1, are strongly encouraged to upgrade
to 2.7.21.

For more information on these vulnerabilities, please visit, or visit,,,,, and

Downloads are available at:
 * Source

Windows package is available at

RPMs are available at or /fedora

Debs are available at

Mac package is available at

Gems are available via rubygems at or by using `gem
install puppet --version=2.7.21`

See the Verifying Puppet Download section at:

Please report feedback via the Puppet Labs Redmine site, using an
affected puppet version of 2.7.21:

## Changelog ##

Andrew Parker (2):
      cf6cf81 (#14093) Remove unsafe attributes from TemplateWrapper
      bd942ec (#14093) Restore access to the filename in the template

Jeff McCune (2):
      be920ac (#19151) Reject SSLv2 SSL handshakes and ciphers
      632e12d (#19531) (CVE-2013-2275) Only allow report save from the
node matching the certname

Josh Cooper (8):
      7df884b Fix module tool acceptance test
      0f4ac20 Run openssl from windows when trying to downgrade master
      9cbfb9d Remove unnecessary rubygems require
      70cdc63 Don't assume puppetbindir is defined
      12728c0 Display SSL messages so we can match our regex
      60eebed Don't require openssl client to return 0 on failure
      a1c4abd Don't assume master supports SSLv2
      3ecd376 (#19391) Find the catalog for the specified node name

Justin Stoller (2):
      79b875e Acceptance tests for CVEs 2013 (1640, 1652, 1653, 1654,
2274, 2275)
      7d62aa0 Separate tests for same CVEs into separate files

Moses Mendoza (2):
      4b0a7e2 Add missing 2.7.20 CHANGELOG entries
      24d45dc Update CHANGELOG, PUPPETVERSION for 2.7.21

Nick Lewis (3):
      f2a3d5c (#19393) Safely load YAML from the network
      a3d3c95 Always read request body when using Rack
      61109fa Fix order-dependent test failure in rest_authconfig_spec

Patrick Carlisle (3):
      516142e (#19391) (CVE-2013-1652) Disallow use_node compiler
parameter for remote requests
      0a7d61f (#19392) (CVE-2013-1653) Validate instances passed to indirector
      c240299 (#19392) Don't validate key for certificate_status

Pieter van de Bruggen (1):
      4a272ea Updating module tool acceptance tests with new expectations.