Bug#681524: closed by Michael Gilbert <mgilbert@debian.org> (Re: Bug#681524: security-tracker: DSA-2511-1 vs. tracker)
On Tue, Jul 17, 2012 at 02:47:49PM -0400, Michael Gilbert wrote:
> Data entered into the tracker needs to be reliable. If you have not
> personally checked CVE references for each individual issue against
> the patches present in the tracker, then you cannot claim that the
> problem has been fixed.
>
> Leave those issues <unfixed> until someone who is willing to do the
> appropriate research has time to review the issue.
>
> Otherwise we're leaving issues unfixed and fooling ourselves into
> thinking they are fixed, which is just so incredibly wrong.
>
> Best wishes,
> Mike
I got this information from the package maintainer (Stig Sandbeck Mathisen, ssm@d.org):
"""
That issue is fixed in the 2.7.18-1 upload to unstable and in
2.6.2-5+squeeze6 upload to stable-security, along with CVE-2012-3864,
CVE-2012-3865, CVE-2012-3866 and CVE-2012-3867 which those uploads
mention.
"""
Which he later corrected in our email discussion:
"""
It was fixed by Puppet Labs in revision ab9150b by deprecating it in
2.7.18 (by logging a warning message), and removing it in 3.x. I was of
the impression that this made it into the squeeze security release, but
I was mistaken. Sorry. :/
Puppet Labs sees it as a "low-risk" security vulnerability
(http://puppetlabs.com/security/cve/cve-2012-3408/).
In order to be vulnerable, you have to:
* Explicitly configure "certname=<ipaddress>" in puppet.conf. The
default is the fully qualified domain name.
* Allow others access to the network your agent runs on, as well as
taking its IP address, or using man-in-the-middle techniques to
impersonate this IP address.
"""
I could verify every issue myself, but is that really needed in cases where the package maintainer gives this information, as some issues are very time-consuming to verify? This was a human mistake and I am sorry. I hope that trying to update the security tracker and report bugs is not incredibly wrong. I asked on #debian-security how to go forward with this case, as the DSA did not contain CVE-2012-3408, and I was following those instructions.
- Henri Salo
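The maintainer's quoted conditions above say the issue only applies when `certname` in puppet.conf is explicitly set to an IP address rather than the default FQDN. The following is an added example (not code from this bug report, from Debian's security tracker, or from Puppet) of a small audit check a defender could run over a puppet.conf to flag that precondition. It assumes puppet.conf is INI-style as Python's `configparser` understands it, and that the relevant setting is the `certname` option in any section; the sample configuration strings are constructed for the example. It checks only the configuration precondition, not the network conditions the maintainer also lists.

```python
import configparser
import ipaddress
from typing import Dict

# Constructed sample puppet.conf contents (not taken from any real host).
# The first sets certname to an IP literal, which is the precondition the
# maintainer describes; the second uses a hostname as Puppet does by default.
WEAK_CONF = """
[main]
certname = 192.0.2.10
server = puppet.example.org

[agent]
runinterval = 1800
"""

SAFE_CONF = """
[main]
certname = agent01.example.org
server = puppet.example.org
"""


def parse_puppet_conf(text: str) -> configparser.ConfigParser:
    """Parse puppet.conf text; interpolation is disabled so '%' in values is literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def is_ip_literal(value: str) -> bool:
    """True if the value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def find_ip_certnames(text: str) -> Dict[str, str]:
    """Return {section: certname} for each section whose certname is an IP literal.

    An empty dict means the configuration does not meet the stated precondition.
    """
    cp = parse_puppet_conf(text)
    hits: Dict[str, str] = {}
    for section in cp.sections():
        if cp.has_option(section, "certname"):
            value = cp.get(section, "certname")
            if is_ip_literal(value):
                hits[section] = value
    return hits


if __name__ == "__main__":
    # Usage: point this at a real file instead of the constructed strings.
    for label, conf in (("weak", WEAK_CONF), ("safe", SAFE_CONF)):
        print(label, find_ip_certnames(conf))
```

On a real system, replace the constructed strings with `open("/etc/puppet/puppet.conf").read()` (path is an assumption; adjust for your layout). A non-empty result only tells you the configuration precondition is present; the maintainer's other conditions (an attacker on the agent's network able to take over or impersonate its IP) still determine actual exposure.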