Announce: Puppet 2.6.18 Available [ Security Release ]

Moses Mendoza

Mar 12, 2013, 1:33:09 PM
to puppet...@googlegroups.com, puppe...@googlegroups.com, puppet-...@googlegroups.com
Puppet 2.6.18 is now available. 2.6.18 addresses several security
vulnerabilities discovered in the 2.6.x line of Puppet. These
vulnerabilities have been assigned Mitre CVE numbers CVE-2013-1640,
CVE-2013-1652, CVE-2013-1654, CVE-2013-2274, and CVE-2013-2275.

All users of Puppet 2.6.17 and earlier who cannot upgrade to the
current version of Puppet, 3.1.1, are strongly encouraged to upgrade
to 2.6.18.

For more information on these vulnerabilities, please visit
http://puppetlabs.com/security, or visit
http://puppetlabs.com/security/cve/cve-2013-1640,
http://puppetlabs.com/security/cve/cve-2013-1652,
http://puppetlabs.com/security/cve/cve-2013-1654,
http://puppetlabs.com/security/cve/cve-2013-2274, and
http://puppetlabs.com/security/cve/cve-2013-2275.

Downloads are available at:
* Source https://downloads.puppetlabs.com/puppet/puppet-2.6.18.tar.gz

RPMs are available at https://yum.puppetlabs.com/el or /fedora

Debs are available at https://apt.puppetlabs.com

See the Verifying Puppet Download section at:
https://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet

Please report feedback via the Puppet Labs Redmine site, using an
affected puppet version of 2.6.18:
http://projects.puppetlabs.com/projects/puppet/

## Changelog ##

Andrew Parker (2):
f45cd4b (#14093) Remove unsafe attributes from TemplateWrapper
d9ad70a (#14093) Restore access to the filename in the template

Daniel Pittman (2):
31dad7d (#8858) Refactor tests to use real HTTP objects
906ab92 (#8858) Explicitly set SSL peer verification mode.

Jeff McCune (2):
add9998 (#19151) Reject SSLv2 SSL handshakes and ciphers
16fce8e (#19531) (CVE-2013-2275) Only allow report save from the
node matching the certname

Josh Cooper (8):
7648de2 (#19391) Backport Request#remote? method
75a5f7e Run openssl from windows when trying to downgrade master
e617728 Remove unnecessary rubygems require
f07b761 Don't assume puppetbindir is defined
a11a690 Display SSL messages so we can match our regex
bb288aa Don't require openssl client to return 0 on failure
f256c6d Don't assume master supports SSLv2
b166c4f (#19391) Find the catalog for the specified node name

Justin Stoller (2):
b01c728 Acceptance tests for CVEs 2013 (1640, 1652, 1653, 1654,
2274, 2275)
e6b6124 Separate tests for same CVEs into separate files

Matthaus Owens (1):
3ec5d5c Update CHANGELOG, lib/puppet.rb, conf/redhat/puppet.spec
for 2.6.18

Nick Lewis (2):
66249d4 Always read request body when using Rack
bdcf029 Fix order-dependent test failure in rest_authconfig_spec

Patrick Carlisle (4):
ccf2e4c (#19391) (CVE-2013-1652) Disallow use_node compiler
parameter for remote requests
6a7bd25 (#19392) (CVE-2013-1653) Validate instances passed to indirector
ac44d87 (#19392) (CVE-2013-1653) Validate indirection model in
save handler
d5c9a2c (#19392) (CVE-2013-1653) Fix acceptance test to catch
unvalidated model on 2.6