[SECURITY] Fedora 17 Update: puppet-2.7.21-2.fc17

updates at fedoraproject.org updates at fedoraproject.org
Sat Mar 30 21:31:30 UTC 2013


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-4187
2013-03-21 23:11:21
--------------------------------------------------------------------------------

Name        : puppet
Product     : Fedora 17
Version     : 2.7.21
Release     : 2.fc17
URL         : http://puppetlabs.com
Summary     : A network tool for managing many disparate systems
Description :
Puppet lets you centrally manage every important aspect of your system using a
cross-platform specification language that manages all the separate elements
normally aggregated in different files, like users, cron jobs, and hosts,
along with obviously discrete elements like packages, services, and files.

--------------------------------------------------------------------------------
Update Information:

Updates for the security announcements from Puppet Labs on 12-Mar-2013.

https://groups.google.com/group/puppet-announce/t/9200f268f8479e2c

This update also provides backported fixes for a number of issues with ruby-1.9.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Mar 18 2013 Todd Zullinger <tmz at pobox.com> - 2.7.21-2
- Apply upstream fix for fqdn_rand function with ruby-1.9 (#880959)
- Apply upstream fix to make WEBrick more tolerant of old clients (#831303)
- Apply upstream fix to avoid deprecated iconv (#809911)
- Apply upstream fix to avoid class level variables (#809911)
* Wed Mar 13 2013 Michael Stahnke <stahnma at puppetlabs.com> - 2.7.21-1
- Fixes for CVE-2013-1640 CVE-2013-1652 CVE-2013-1653 CVE-2013-1654
- CVE-2013-1655 CVE-2013-2274 CVE-2013-2275
- Remove Ruby 1.9.3 load file patch. It's now upstream
- Remove install permissions patch.  It's now upstream
* Wed Jul 11 2012 Todd Zullinger <tmz at pobox.com> - 2.7.18-1
- Update to 2.7.17, fixes CVE-2012-3864, CVE-2012-3865, CVE-2012-3866,
  CVE-2012-3867
- Improve NetworkManager compatibility, thanks to Orion Poplawski (#532085)
- Preserve timestamps when installing files
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #919770 - CVE-2013-1654 Puppet: SSL protocol downgrade
        https://bugzilla.redhat.com/show_bug.cgi?id=919770
  [ 2 ] Bug #919774 - CVE-2013-1653 Puppet: kick connection HTTP PUT request arbitrary code execution
        https://bugzilla.redhat.com/show_bug.cgi?id=919774
  [ 3 ] Bug #919775 - CVE-2013-1655 Puppet: Master code loading Ruby symbols vulnerability
        https://bugzilla.redhat.com/show_bug.cgi?id=919775
  [ 4 ] Bug #919783 - CVE-2013-1640 Puppet: catalog request code execution
        https://bugzilla.redhat.com/show_bug.cgi?id=919783
  [ 5 ] Bug #919784 - CVE-2013-1652 Puppet: HTTP GET request catalog retrieval
        https://bugzilla.redhat.com/show_bug.cgi?id=919784
  [ 6 ] Bug #919785 - CVE-2013-2275 Puppet: default auth.conf allows authenticated node to submit a report for any other node
        https://bugzilla.redhat.com/show_bug.cgi?id=919785
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update puppet' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


More information about the package-announce mailing list