Announce: MCollective 2.5.3 [Security and Bug Fix Release]

Melissa Stone

Jul 15, 2014, 11:55:00 AM
to mcollect...@googlegroups.com, puppet-...@googlegroups.com, puppet...@googlegroups.com, puppe...@googlegroups.com
MCollective 2.5.3 is a security and bug fix release in the MCollective 2.5 
series. This release addresses CVE-2014-3251. 

** CVE-2014-3251 ** 
The MCollective `aes_security` public key plugin does not correctly
validate certs against the CA. By exploiting this vulnerability within
a race/initialization window, an attacker with local access could
initiate an unauthorized MCollective client connection with a server,
and thus control the mcollective plugins running on that server. This
vulnerability requires a collective be configured to use the
aes_security plugin. Puppet Enterprise and open source MCollective are
not configured to use the plugin and are not vulnerable by default. 
CVSSv2 Score: 3.4 
Vector: AV:L/AC:H/Au:M/C:P/I:N/A:C/E:POC/RL:OF/RC:C 

Affected software versions: 
MCollective (all, not configured by default)
Puppet Enterprise (all, not configured by default)

Fixed software versions: 
MCollective 2.5.3
Puppet Enterprise 3.3.0

For more information on this vulnerability, please visit 

Please read through the Release Notes for the full list of changes: 

To report issues with the release, file a ticket in the "MCO" project on http://tickets.puppetlabs.com/ and set the "Affects version/s" field to "2.5.3"

--
Melissa Stone
Release Engineer, Puppet Labs

Join us at PuppetConf 2014, September 20-24 in San Francisco
Register by July 31st to take advantage of the Early Bird discount save $249!
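
An exposure check for the condition described under CVE-2014-3251 above (aes_security in use on a release older than 2.5.3), as an added example that is not part of the original announcement or of MCollective's own code. It assumes the `securityprovider` setting selects the security plugin and that the last assignment in the file wins; the helper names, the config text and the version strings are constructed, and only the open source MCollective version is compared.

```ruby
require 'rubygems'

# Fixed open source release named in the announcement.
FIXED_VERSION = Gem::Version.new('2.5.3')

# Return the effective securityprovider from MCollective-style config text.
# Lines are "key = value", '#' starts a comment, and the last assignment
# is taken as the effective one (assumption).
def security_provider(config_text)
  provider = nil
  config_text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split('=', 2)
    next if value.nil?
    provider = value.strip if key.strip == 'securityprovider'
  end
  provider
end

# Classify one host: :not_exposed (plugin not in use), :patched, or :vulnerable.
def assess(config_text, installed_version)
  provider = security_provider(config_text)
  uses_aes = provider.to_s.downcase == 'aes_security'
  fixed = Gem::Version.new(installed_version) >= FIXED_VERSION
  status = if !uses_aes then :not_exposed
           elsif fixed then :patched
           else :vulnerable
           end
  { provider: provider, version: installed_version, status: status }
end

# Constructed sample configs, not taken from any real host.
SAMPLE_AES = <<~CFG
  # constructed server config
  connector = activemq
  #securityprovider = psk
  securityprovider = aes_security
CFG

SAMPLE_OTHER = <<~CFG
  connector = activemq
  securityprovider = ssl
CFG

if __FILE__ == $PROGRAM_NAME
  [[SAMPLE_AES, '2.5.2'], [SAMPLE_AES, '2.5.3'], [SAMPLE_OTHER, '2.5.2']].each do |cfg, ver|
    puts assess(cfg, ver).inspect
  end
end
```
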