Announce: Puppet 2.6.18 Available [ Security Release ]

Announce: Puppet 2.6.18 Available [ Security Release ] Moses Mendoza 3/12/13 10:33 AM
Puppet 2.6.18 is now available. 2.6.18 addresses several security
vulnerabilities discovered in the 2.6.x line of Puppet. These
vulnerabilities have been assigned Mitre CVE numbers CVE-2013-1640,
CVE-2013-1652, CVE-2013-1654, CVE-2013-2274, and CVE-2013-2275.

All users of Puppet 2.6.17 and earlier who cannot upgrade to the
current version of Puppet, 3.1.1, are strongly encouraged to upgrade
to 2.6.18.

For more information on these vulnerabilities, please visit, or visit,,,, and

Downloads are available at:
 * Source

RPMs are available at or /fedora

Debs are available at

See the Verifying Puppet Download section at:

Please report feedback via the Puppet Labs Redmine site, using an
affected puppet version of 2.6.18:

## Changelog ##

Andrew Parker (2):
      f45cd4b (#14093) Remove unsafe attributes from TemplateWrapper
      d9ad70a (#14093) Restore access to the filename in the template

Daniel Pittman (2):
      31dad7d (#8858) Refactor tests to use real HTTP objects
      906ab92 (#8858) Explicitly set SSL peer verification mode.

Jeff McCune (2):
      add9998 (#19151) Reject SSLv2 SSL handshakes and ciphers
      16fce8e (#19531) (CVE-2013-2275) Only allow report save from the node matching the certname

Josh Cooper (8):
      7648de2 (#19391) Backport Request#remote? method
      75a5f7e Run openssl from windows when trying to downgrade master
      e617728 Remove unnecessary rubygems require
      f07b761 Don't assume puppetbindir is defined
      a11a690 Display SSL messages so we can match our regex
      bb288aa Don't require openssl client to return 0 on failure
      f256c6d Don't assume master supports SSLv2
      b166c4f (#19391) Find the catalog for the specified node name

Justin Stoller (2):
      b01c728 Acceptance tests for CVEs 2013 (1640, 1652, 1653, 1654, 2274, 2275)
      e6b6124 Separate tests for same CVEs into separate files

Matthaus Owens (1):
      3ec5d5c Update CHANGELOG, lib/puppet.rb, conf/redhat/puppet.spec for 2.6.18

Nick Lewis (2):
      66249d4 Always read request body when using Rack
      bdcf029 Fix order-dependent test failure in rest_authconfig_spec

Patrick Carlisle (4):
      ccf2e4c (#19391) (CVE-2013-1652) Disallow use_node compiler parameter for remote requests
      6a7bd25 (#19392) (CVE-2013-1653) Validate instances passed to indirector
      ac44d87 (#19392) (CVE-2013-1653) Validate indirection model in save handler
      d5c9a2c (#19392) (CVE-2013-1653) Fix acceptance test to catch unvalidated model on 2.6