svn commit: r314019 - in head: security/vuxml sysutils/puppet sysutils/puppet27

Steve Wills swills at FreeBSD.org
Wed Mar 13 03:35:56 UTC 2013 

Author: swills
Date: Wed Mar 13 03:35:54 2013
New Revision: 314019
URL: http://svnweb.freebsd.org/changeset/ports/314019

Log:
  - Update puppet to 3.1.1 resolving multiple security issues
  - Update puppet27 to 2.7.21 resolving multiple security issues
  - Document multiple puppet security issues
  
  Security:	cda566a0-2df0-4eb0-b70e-ed7a6fb0ab3c

Modified:
  head/security/vuxml/vuln.xml
  head/sysutils/puppet/Makefile
  head/sysutils/puppet/distinfo
  head/sysutils/puppet27/Makefile
  head/sysutils/puppet27/distinfo   (contents, props changed)

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Wed Mar 13 03:23:04 2013	(r314018)
+++ head/security/vuxml/vuln.xml	Wed Mar 13 03:35:54 2013	(r314019)
@@ -51,6 +51,164 @@ Note:  Please add new entries to the beg
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="cda566a0-2df0-4eb0-b70e-ed7a6fb0ab3c">
+    <topic>puppet27 and puppet -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>puppet</name>
+	<range><ge>3.0</ge><lt>3.1.1</lt></range>
+      </package>
+      <package>
+	<name>puppet27</name>
+	<range><ge>2.7</ge><lt>2.7.21</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Moses Mendoza reports:</p>
+	<blockquote cite="https://puppetlabs.com/blog/security-updates-new-releases-of-puppet-and-puppet-enterprise/">
+	  <p>A vulnerability found in Puppet could allow an authenticated client
+	     to cause the master to execute arbitrary code while responding to a
+	     catalog request. Specifically, in order to exploit the
+	     vulnerability, the puppet master must be made to invoke the
+             'template' or 'inline_template' functions during catalog compilation.
+          </p>
+	  <p>A vulnerability found in Puppet could allow an authenticated client
+	     to connect to a puppet master and perform unauthorized actions.
+	     Specifically, given a valid certificate and private key, an agent
+	     could retrieve catalogs from the master that it is not authorized
+	     to access or it could poison the puppet master's caches for any
+	     puppet-generated data that supports caching such as catalogs,
+	     nodes, facts, and resources. The extent and severity of this
+	     vulnerability varies depending on the specific configuration of the
+	     master: for example, whether it is using storeconfigs or not, which
+             version, whether it has access to the cache or not, etc.
+          </p>
+	  <p>A vulnerability has been found in Puppet which could allow
+	     authenticated clients to execute arbitrary code on agents that have
+	     been configured to accept kick connections. This vulnerability is
+	     not present in the default configuration of puppet agents, but if
+	     they have been configured to listen for incoming connections
+	     ('listen=true'), and the agent's auth.conf has been configured to
+	     allow access to the `run` REST endpoint, then a client could
+	     construct an HTTP request which could execute arbitrary code. The
+	     severity of this issue is exacerbated by the fact that puppet
+             agents typically run as root.
+          </p>
+	  <p>A vulnerability has been found in Puppet that could allow a client
+	     negotiating a connection to a master to downgrade the master's
+	     SSL protocol to SSLv2. This protocol has been found to contain
+	     design weaknesses. This issue only affects systems running older
+	     versions (pre 1.0.0) of openSSL. Newer versions explicitly disable
+             SSLv2.
+          </p>
+	  <p>A vulnerability found in Puppet could allow unauthenticated clients
+	     to send requests to the puppet master which would cause it to load
+	     code unsafely. While there are no reported exploits, this
+	     vulnerability could cause issues like those described in Rails
+	     CVE-2013-0156. This vulnerability only affects puppet masters
+             running Ruby 1.9.3 and higher.
+          </p>
+	  <p>This vulnerability affects puppet masters 0.25.0 and above. By
+	     default, auth.conf allows any authenticated node to submit a report
+	     for any other node. This can cause issues with compliance. The
+             defaults in auth.conf have been changed.
+          </p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2013-1640</cvename>
+      <cvename>CVE-2013-1652</cvename>
+      <cvename>CVE-2013-1653</cvename>
+      <cvename>CVE-2013-1654</cvename>
+      <cvename>CVE-2013-1655</cvename>
+      <cvename>CVE-2013-2275</cvename>
+      <url>https://puppetlabs.com/security/cve/cve-2013-1640/</url>
+      <url>https://puppetlabs.com/security/cve/cve-2013-1652/</url>
+      <url>https://puppetlabs.com/security/cve/cve-2013-1653/</url>
+      <url>https://puppetlabs.com/security/cve/cve-2013-1654/</url>
+      <url>https://puppetlabs.com/security/cve/cve-2013-1655/</url>
+      <url>https://puppetlabs.com/security/cve/cve-2013-2275/</url>
+      <url>https://groups.google.com/forum/?fromgroups=#!topic/puppet-announce/f_gybceSV6E</url>
+      <url>https://groups.google.com/forum/?fromgroups=#!topic/puppet-announce/kgDyaPhHniw</url>
+    </references>
+    <dates>
+      <discovery>2013-03-13</discovery>
+      <entry>2013-03-13</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="04042f95-14b8-4382-a8b9-b30e365776cf">
+    <topic>puppet26 -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>puppet26</name>
+	<range><ge>2.6</ge><lt>2.6.18</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Moses Mendoza reports:</p>
+	<blockquote cite="https://puppetlabs.com/blog/security-updates-new-releases-of-puppet-and-puppet-enterprise/">
+	  <p>A vulnerability found in Puppet could allow an authenticated client
+	     to cause the master to execute arbitrary code while responding to a
+	     catalog request. Specifically, in order to exploit the
+	     vulnerability, the puppet master must be made to invoke the
+             'template' or 'inline_template' functions during catalog compilation.
+          </p>
+	  <p>A vulnerability found in Puppet could allow an authenticated client
+	     to connect to a puppet master and perform unauthorized actions.
+	     Specifically, given a valid certificate and private key, an agent
+	     could retrieve catalogs from the master that it is not authorized
+	     to access or it could poison the puppet master's caches for any
+	     puppet-generated data that supports caching such as catalogs,
+	     nodes, facts, and resources. The extent and severity of this
+	     vulnerability varies depending on the specific configuration of the
+	     master: for example, whether it is using storeconfigs or not, which
+             version, whether it has access to the cache or not, etc.
+          </p>
+	  <p>A vulnerability has been found in Puppet that could allow a client
+	     negotiating a connection to a master to downgrade the master's
+	     SSL protocol to SSLv2. This protocol has been found to contain
+	     design weaknesses. This issue only affects systems running older
+	     versions (pre 1.0.0) of openSSL. Newer versions explicitly disable
+             SSLv2.
+          </p>
+	  <p>A vulnerability found in Puppet could allow an authenticated client
+	     to execute arbitrary code on a puppet master that is running in the
+	     default configuration, or an agent with `puppet kick` enabled.
+	     Specifically, a properly authenticated and connected puppet agent
+	     could be made to construct an HTTP PUT request for an authorized
+	     report that actually causes the execution of arbitrary code on the
+             master.
+          </p>
+	  <p>This vulnerability affects puppet masters 0.25.0 and above. By
+	     default, auth.conf allows any authenticated node to submit a report
+	     for any other node. This can cause issues with compliance. The
+             defaults in auth.conf have been changed.
+          </p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2013-1640</cvename>
+      <cvename>CVE-2013-1652</cvename>
+      <cvename>CVE-2013-1654</cvename>
+      <cvename>CVE-2013-2274</cvename>
+      <cvename>CVE-2013-2275</cvename>
+      <url>https://puppetlabs.com/security/cve/cve-2013-1640/</url>
+      <url>https://puppetlabs.com/security/cve/cve-2013-1652/</url>
+      <url>https://puppetlabs.com/security/cve/cve-2013-1654/</url>
+      <url>https://puppetlabs.com/security/cve/cve-2013-2274/</url>
+      <url>https://puppetlabs.com/security/cve/cve-2013-2275/</url>
+    </references>
+    <dates>
+      <discovery>2013-03-13</discovery>
+      <entry>2013-03-13</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="68c1f75b-8824-11e2-9996-c48508086173">
     <topic>perl -- denial of service via algorithmic complexity attack on hashing routines</topic>
     <affects>

Modified: head/sysutils/puppet/Makefile
==============================================================================
--- head/sysutils/puppet/Makefile	Wed Mar 13 03:23:04 2013	(r314018)
+++ head/sysutils/puppet/Makefile	Wed Mar 13 03:35:54 2013	(r314019)
@@ -2,8 +2,8 @@
 # $FreeBSD$
 
 PORTNAME=	puppet
-PORTVERSION=	3.0.2
-PORTREVISION=	1
+PORTVERSION=	3.1.1
+PORTREVISION=	0
 CATEGORIES=	sysutils
 MASTER_SITES=	http://downloads.puppetlabs.com/puppet/
 
@@ -28,7 +28,7 @@ SUB_LIST=	RUBY=${RUBY}
 
 MANCOMPRESSED=	yes
 MAN5=	puppet.conf.5
-MAN8=	puppet-agent.8 puppet-apply.8 puppet-ca.8 \
+MAN8=	extlookup2hiera.8 puppet-agent.8 puppet-apply.8 puppet-ca.8 \
 	puppet-catalog.8 puppet-cert.8 puppet-certificate.8 \
 	puppet-certificate_request.8 puppet-certificate_revocation_list.8 \
 	puppet-config.8 puppet-describe.8 puppet-device.8 puppet-doc.8 \

Modified: head/sysutils/puppet/distinfo
==============================================================================
--- head/sysutils/puppet/distinfo	Wed Mar 13 03:23:04 2013	(r314018)
+++ head/sysutils/puppet/distinfo	Wed Mar 13 03:35:54 2013	(r314019)
@@ -1,2 +1,2 @@
-SHA256 (puppet-3.0.2.tar.gz) = e4d73ae9953764b0c70c1327c9105ec9a17f03b33d50e622611491c886796d6b
-SIZE (puppet-3.0.2.tar.gz) = 1534566
+SHA256 (puppet-3.1.1.tar.gz) = 4401f6388bb96b1301a107f247af6fa558127d78467bb5cef1a1e0ff66b4463d
+SIZE (puppet-3.1.1.tar.gz) = 1587190

Modified: head/sysutils/puppet27/Makefile
==============================================================================
--- head/sysutils/puppet27/Makefile	Wed Mar 13 03:23:04 2013	(r314018)
+++ head/sysutils/puppet27/Makefile	Wed Mar 13 03:35:54 2013	(r314019)
@@ -2,7 +2,7 @@
 # $FreeBSD$
 
 PORTNAME=	puppet
-PORTVERSION=	2.7.20
+PORTVERSION=	2.7.21
 CATEGORIES=	sysutils
 MASTER_SITES=	http://downloads.puppetlabs.com/puppet/
 

Modified: head/sysutils/puppet27/distinfo
==============================================================================
--- head/sysutils/puppet27/distinfo	Wed Mar 13 03:23:04 2013	(r314018)
+++ head/sysutils/puppet27/distinfo	Wed Mar 13 03:35:54 2013	(r314019)
@@ -1,2 +1,2 @@
-SHA256 (puppet-2.7.20.tar.gz) = 77d39513261bd38322b04aef5002c134de73e40343684cdff5459ab33703fafb
-SIZE (puppet-2.7.20.tar.gz) = 1982220
+SHA256 (puppet-2.7.21.tar.gz) = c18b426457d023e87745f0a98b7dd257f8e94722b5b0d3cafb6048ef2499273f
+SIZE (puppet-2.7.21.tar.gz) = 1998848

More information about the svn-ports-all mailing list