Puppet 2.7.21 is now available. 2.7.21 addresses several security
vulnerabilities discovered in the 2.7.x line of Puppet. These
vulnerabilities have been assigned Mitre CVE numbers CVE-2013-1640,
CVE-2013-1652, CVE-2013-1653, CVE-2013-1654, CVE-2013-1655 and
CVE-2013-2275.
All users of Puppet 2.7.20 and earlier who cannot upgrade to the
current version of Puppet, 3.1.1, are strongly encouraged to upgrade
to 2.7.21.
For more information on these vulnerabilities, please visit
http://puppetlabs.com/security, or visit
http://puppetlabs.com/security/cve/cve-2013-1640,
http://puppetlabs.com/security/cve/cve-2013-1652,
http://puppetlabs.com/security/cve/cve-2013-1653,
http://puppetlabs.com/security/cve/cve-2013-1654,
http://puppetlabs.com/security/cve/cve-2013-1655, and
http://puppetlabs.com/security/cve/cve-2013-2275.
Downloads are available at:

* Source: https://downloads.puppetlabs.com/puppet/puppet-2.7.21.tar.gz
* Windows package: https://downloads.puppetlabs.com/windows/puppet-2.7.21.msi
* RPMs: https://yum.puppetlabs.com/el or /fedora
* Debs: https://apt.puppetlabs.com
* Mac package: https://downloads.puppetlabs.com/mac/puppet-2.7.21.dmg
* Gems (via rubygems): https://rubygems.org/downloads/puppet-2.7.21.gem or by using `gem install puppet --version=2.7.21`

See the Verifying Puppet Download section at:
https://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet
Please report feedback via the Puppet Labs Redmine site, using an
affected puppet version of 2.7.21:
http://projects.puppetlabs.com/projects/puppet/
## Changelog ##
Andrew Parker (2):
  cf6cf81 (#14093) Remove unsafe attributes from TemplateWrapper
  bd942ec (#14093) Restore access to the filename in the template

Jeff McCune (2):
  be920ac (#19151) Reject SSLv2 SSL handshakes and ciphers
  632e12d (#19531) (CVE-2013-2275) Only allow report save from the node matching the certname

Josh Cooper (8):
  7df884b Fix module tool acceptance test
  0f4ac20 Run openssl from windows when trying to downgrade master
  9cbfb9d Remove unnecessary rubygems require
  70cdc63 Don't assume puppetbindir is defined
  12728c0 Display SSL messages so we can match our regex
  60eebed Don't require openssl client to return 0 on failure
  a1c4abd Don't assume master supports SSLv2
  3ecd376 (#19391) Find the catalog for the specified node name

Justin Stoller (2):
  79b875e Acceptance tests for CVEs 2013 (1640, 1652, 1653, 1654, 2274, 2275)
  7d62aa0 Separate tests for same CVEs into separate files

Moses Mendoza (2):
  4b0a7e2 Add missing 2.7.20 CHANGELOG entries
  24d45dc Update CHANGELOG, PUPPETVERSION for 2.7.21

Nick Lewis (3):
  f2a3d5c (#19393) Safely load YAML from the network
  a3d3c95 Always read request body when using Rack
  61109fa Fix order-dependent test failure in rest_authconfig_spec

Patrick Carlisle (3):
  516142e (#19391) (CVE-2013-1652) Disallow use_node compiler parameter for remote requests
  0a7d61f (#19392) (CVE-2013-1653) Validate instances passed to indirector
  c240299 (#19392) Don't validate key for certificate_status

Pieter van de Bruggen (1):
  4a272ea Updating module tool acceptance tests with new expectations.