Announce: Puppet 2.7.21 Available [ Security Release ]

Moses Mendoza

Mar 12, 2013, 1:33:07 PM
Puppet 2.7.21 is now available. 2.7.21 addresses several security
vulnerabilities discovered in the 2.7.x line of Puppet. These
vulnerabilities have been assigned Mitre CVE numbers CVE-2013-1640,
CVE-2013-1652, CVE-2013-1653, CVE-2013-1654, CVE-2013-1655 and

All users of Puppet 2.7.20 and earlier who cannot upgrade to the
current version of Puppet, 3.1.1, are strongly encouraged to upgrade
to 2.7.21.

For more information on these vulnerabilities, please visit, or visit,,,,, and

Downloads are available at:
* Source

Windows package is available at

RPMs are available at or /fedora

Debs are available at

Mac package is available at

Gems are available via rubygems at or by using
`gem install puppet --version=2.7.21`

See the Verifying Puppet Download section at:

Please report feedback via the Puppet Labs Redmine site, using an
affected puppet version of 2.7.21:

## Changelog ##

Andrew Parker (2):
cf6cf81 (#14093) Remove unsafe attributes from TemplateWrapper
bd942ec (#14093) Restore access to the filename in the template

Jeff McCune (2):
be920ac (#19151) Reject SSLv2 SSL handshakes and ciphers
632e12d (#19531) (CVE-2013-2275) Only allow report save from the
node matching the certname

Josh Cooper (8):
7df884b Fix module tool acceptance test
0f4ac20 Run openssl from windows when trying to downgrade master
9cbfb9d Remove unnecessary rubygems require
70cdc63 Don't assume puppetbindir is defined
12728c0 Display SSL messages so we can match our regex
60eebed Don't require openssl client to return 0 on failure
a1c4abd Don't assume master supports SSLv2
3ecd376 (#19391) Find the catalog for the specified node name

Justin Stoller (2):
79b875e Acceptance tests for CVEs 2013 (1640, 1652, 1653, 1654,
2274, 2275)
7d62aa0 Separate tests for same CVEs into separate files

Moses Mendoza (2):
4b0a7e2 Add missing 2.7.20 CHANGELOG entries
24d45dc Update CHANGELOG, PUPPETVERSION for 2.7.21

Nick Lewis (3):
f2a3d5c (#19393) Safely load YAML from the network
a3d3c95 Always read request body when using Rack
61109fa Fix order-dependent test failure in rest_authconfig_spec

Patrick Carlisle (3):
516142e (#19391) (CVE-2013-1652) Disallow use_node compiler
parameter for remote requests
0a7d61f (#19392) (CVE-2013-1653) Validate instances passed to indirector
c240299 (#19392) Don't validate key for certificate_status

Pieter van de Bruggen (1):
4a272ea Updating module tool acceptance tests with new expectations.