Ubuntu Security Notice 1928-1 - It was discovered that Puppet incorrectly handled the resource_type service. A local attacker on the master could use this issue to execute arbitrary Ruby files. It was discovered that Puppet incorrectly handled permissions on the modules it installed. Modules could be installed with the permissions that existed when they were built, possibly exposing them to a local attacker. Various other issues were also addressed.
==========================================================================
Ubuntu Security Notice USN-1928-1
August 15, 2013
puppet vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.04
- Ubuntu 12.10
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in Puppet.

Software Description:
- puppet: Centralized configuration management

Details:

It was discovered that Puppet incorrectly handled the resource_type
service. A local attacker on the master could use this issue to execute
arbitrary Ruby files. (CVE-2013-4761)

It was discovered that Puppet incorrectly handled permissions on the
modules it installed. Modules could be installed with the permissions that
existed when they were built, possibly exposing them to a local attacker.
(CVE-2013-4956)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.04:
  puppet-common 2.7.18-4ubuntu1.2

Ubuntu 12.10:
  puppet-common 2.7.18-1ubuntu1.3

Ubuntu 12.04 LTS:
  puppet-common 2.7.11-1ubuntu2.4

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-1928-1
  CVE-2013-4761, CVE-2013-4956

Package Information:
  https://launchpad.net/ubuntu/+source/puppet/2.7.18-4ubuntu1.2
  https://launchpad.net/ubuntu/+source/puppet/2.7.18-1ubuntu1.3
  https://launchpad.net/ubuntu/+source/puppet/2.7.11-1ubuntu2.4
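
A way to verify a master against this notice, as an added example that is not part of the advisory: it compares the installed puppet-common with a fixed version from "Update instructions" and lists world-writable entries in a module tree, the condition CVE-2013-4956 describes. The function names and the default module path /etc/puppet/modules are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the advisory.
# Assumption: modules live under /etc/puppet/modules; pass another path if not.
MODULE_DIR_DEFAULT=/etc/puppet/modules

# Succeed (0) if the installed puppet-common is at least the fixed version in $1
# (use the value listed for your release under "Update instructions").
# Returns 1 if older, 2 if the package is not installed.
puppet_common_is_fixed() {
    installed=$(dpkg-query -W -f='${Version}' puppet-common 2>/dev/null) || return 2
    [ -n "$installed" ] || return 2
    dpkg --compare-versions "$installed" ge "$1"
}

# Print every file or directory under $1 that is writable by "other".
# Symlinks are skipped because their own mode bits are not meaningful.
list_world_writable() {
    find "$1" ! -type l -perm -0002 -print 2>/dev/null | sort
}

# Audit a module tree: 0 = clean, 1 = world-writable entries found,
# 2 = directory missing. Findings go to stderr; nothing is modified.
audit_modules() {
    dir=${1:-$MODULE_DIR_DEFAULT}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    loose=$(list_world_writable "$dir")
    if [ -n "$loose" ]; then
        echo "world-writable entries under $dir:" >&2
        echo "$loose" >&2
        echo "review each, then tighten with: chmod o-w <path>" >&2
        return 1
    fi
    return 0
}

# Usage on a 12.04 LTS master, after sourcing this file:
#   puppet_common_is_fixed 2.7.11-1ubuntu2.4 && audit_modules
```
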