Description
Security update for puppet
Puppet was updated to fix the following security issues:
Security Issues references:
Package list
SUSE Linux Enterprise Desktop 11 SP3
SUSE Linux Enterprise Server 11 SP3
SUSE Linux Enterprise Server 11 SP3-TERADATA
SUSE Linux Enterprise Server for SAP Applications 11 SP3
Links
- Link for SUSE-RU-2015:0696-1
- E-Mail link for SUSE-RU-2015:0696-1
- SUSE Security Ratings
- SUSE Bug 825878
- SUSE Bug 835122
- SUSE Bug 835848
- SUSE Bug 835891
- SUSE Bug 853982
- SUSE Bug 856843
- SUSE Bug 864082
- SUSE Bug 879913
- SUSE Bug 913078
- SUSE CVE CVE-2013-3567 page
- SUSE CVE CVE-2013-4761 page
- SUSE CVE CVE-2013-4969 page
- SUSE CVE CVE-2014-3248 page
- SUSE CVE CVE-2014-3250 page
Description
Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call.
Affected products
Links
- CVE-2013-3567
- SUSE Bug 1040151
- SUSE Bug 825878
- SUSE Bug 880224
Description
Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, allows remote attackers to execute arbitrary Ruby programs from the master via the resource_type service. NOTE: this vulnerability can only be exploited utilizing unspecified "local file system access" to the Puppet Master.
Affected products
Links
- CVE-2013-4761
- SUSE Bug 835122
- SUSE Bug 836962
- SUSE Bug 880224
Description
Puppet before 3.3.3 and 3.4 before 3.4.1 and Puppet Enterprise (PE) before 2.8.4 and 3.1 before 3.1.1 allows local users to overwrite arbitrary files via a symlink attack on unspecified files.
Affected products
Links
- CVE-2013-4969
- SUSE Bug 856843
Description
Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain privileges via a Trojan horse file in the current working directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2) Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so; or (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so in puppet/confine.
Affected products
Links
- CVE-2014-3248
- SUSE Bug 879913
Description
The default vhost configuration file in Puppet before 3.6.2 does not include the SSLCARevocationCheck directive, which might allow remote attackers to obtain sensitive information via a revoked certificate when a Puppet master runs with Apache 2.4.
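As an added example (not part of the advisory and not Puppet's own code), the Ruby script below audits Apache vhost text for the condition described above: a CRL is configured, but `SSLCARevocationCheck` is absent or set to `none`, so Apache 2.4 never consults the CRL. The function name `audit_revocation`, the sample vhosts and the placeholder paths are constructed for illustration.

```ruby
# Added example: flag Apache vhosts that configure a CRL but never enable checking.
# Apache 2.4 consults the CRL only when SSLCARevocationCheck is "chain" or "leaf";
# its default is "none".
CRL_SOURCES = %w[sslcarevocationfile sslcarevocationpath].freeze

def audit_revocation(config_text)
  global = {}    # directives outside any <VirtualHost> (inherited by vhosts)
  current = nil  # vhost being parsed, or nil at server level
  vhosts = []
  config_text.each_line.with_index(1) do |raw, lineno|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if (m = line.match(/\A<VirtualHost\s+([^>]+)>/i))
      current = { name: m[1].strip, line: lineno, directives: {} }
    elsif line.match?(/\A<\/VirtualHost>/i)
      vhosts << current if current
      current = nil
    else
      name, value = line.split(/\s+/, 2)  # directive names are case-insensitive
      (current ? current[:directives] : global)[name.downcase] = value.to_s
    end
  end
  vhosts.each_with_object([]) do |vh, findings|
    effective = global.merge(vh[:directives])  # vhost values override server-level ones
    next unless CRL_SOURCES.any? { |d| effective.key?(d) }
    mode = (effective['sslcarevocationcheck'].to_s.split.first || 'none').downcase
    findings << { vhost: vh[:name], line: vh[:line] } if mode == 'none'
  end
end

# Constructed sample; the vhosts and placeholder paths are assumptions.
SAMPLE = <<~CONF
  # hypothetical Puppet master vhosts
  <VirtualHost *:8140>
    SSLVerifyClient optional
    SSLCARevocationFile /path/to/ca_crl.pem
  </VirtualHost>
  <VirtualHost *:8141>
    SSLVerifyClient optional
    SSLCARevocationFile /path/to/ca_crl.pem
    SSLCARevocationCheck chain
  </VirtualHost>
CONF

audit_revocation(SAMPLE).each do |f|
  puts "vhost #{f[:vhost]} (line #{f[:line]}): CRL set but SSLCARevocationCheck is off"
end
```

A vhost is reported only when a CRL source is present, so vhosts that do not use client-certificate revocation at all are left alone.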
Affected products
Links
- CVE-2014-3250
- SUSE Bug 879913