
Re: Puppet: possible arbitrary file overwriting in lenny



On Fri, 03 Dec 2010 18:37:09 +0100, Didier Conchaudron wrote:
> Hi,
> 
> It seems that the puppet package in lenny is not patched against
> CVE-2010-0156.
> According to secunia, there is also a local privileges escalation
> (http://secunia.com/advisories/36967/)
> 
> I don't really have the time to investigate and check if lenny version is
> really vulnerable but considering the latest entry in puppet's Changelog
> I assume that no change has been done since early 2009.

According to the security tracker [0],[1], these issues are indeed
unfixed.  They are considered no-dsa, which means that they can/should
be fixed in an SPU upload if there is someone interested in doing the
work but won't be fixed via a DSA.

Mike

[0] http://security-tracker.debian.org/tracker/CVE-2009-3564
[1] http://security-tracker.debian.org/tracker/CVE-2010-0156

