svn commit: r324808 - in head: security/vuxml sysutils/puppet
Brad Davis
brd at FreeBSD.org
Fri Aug 16 17:54:43 UTC 2013
Author: brd (doc committer)
Date: Fri Aug 16 17:54:41 2013
New Revision: 324808
URL: http://svnweb.freebsd.org/changeset/ports/324808
Log:
- Update puppet to 3.2.4 which fixes CVE-2013-4761 and CVE-2013-4956
Approved by: swills@
Security: 2b2f6092-0694-11e3-9e8e-000c29f6ae42
Modified:
head/security/vuxml/vuln.xml
head/sysutils/puppet/Makefile
head/sysutils/puppet/distinfo
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Fri Aug 16 17:14:16 2013 (r324807)
+++ head/security/vuxml/vuln.xml Fri Aug 16 17:54:41 2013 (r324808)
@@ -51,6 +51,43 @@ Note: Please add new entries to the beg
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="2b2f6092-0694-11e3-9e8e-000c29f6ae42">
+ <topic>puppet -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>puppet</name>
+ <range><ge>2.7</ge><lt>2.7.23</lt></range>
+ <range><ge>3.0</ge><lt>3.2.4</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Puppet Labs reports:</p>
+ <blockquote cite="http://puppetlabs.com/security/cve/cve-2013-4761/">
+ <p>By using the `resource_type` service, an attacker could
+ cause puppet to load arbitrary Ruby files from the puppet
+ master node's file system. While this behavior is not
+ enabled by default, `auth.conf` settings could be modified
+ to allow it. The exploit requires local file system access
+ to the Puppet Master.</p>
+ <p>Puppet Module Tool (PMT) did not correctly control
+ permissions of modules it installed, instead transferring
+ permissions that existed when the module was built.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2013-4761</cvename>
+ <cvename>CVE-2013-4956</cvename>
+ <url>http://puppetlabs.com/security/cve/cve-2013-4761/</url>
+ <url>http://puppetlabs.com/security/cve/cve-2013-4956/</url>
+ </references>
+ <dates>
+ <discovery>2013-07-05</discovery>
+ <entry>2013-08-16</entry>
+ </dates>
+ </vuln>
+
<vuln vid="9a0a892e-05d8-11e3-ba09-000c29784fd1">
<topic>lcms2 -- Null Pointer Dereference Denial of Service Vulnerability</topic>
<affects>
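Review bot: The single `<blockquote cite="http://puppetlabs.com/security/cve/cve-2013-4761/">` wraps both quoted paragraphs, but the second one (Puppet Module Tool permissions) appears to come from the CVE-2013-4956 advisory listed under `<references>`, so it is attributed to the wrong source. Close the first blockquote after the `resource_type` paragraph and wrap the PMT paragraph in its own `<blockquote cite="http://puppetlabs.com/security/cve/cve-2013-4956/">`. Separately, `<range><ge>2.7</ge><lt>2.7.23</lt></range>` flags 2.7.x packages named `puppet` as affected, while this commit only bumps sysutils/puppet to 3.2.4. If a port ships the 2.7 branch under that package name, it needs its own update to 2.7.23 before the audit clears for those users; that may be handled in a separate commit.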
Modified: head/sysutils/puppet/Makefile
==============================================================================
--- head/sysutils/puppet/Makefile Fri Aug 16 17:14:16 2013 (r324807)
+++ head/sysutils/puppet/Makefile Fri Aug 16 17:54:41 2013 (r324808)
@@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= puppet
-PORTVERSION= 3.2.3
+PORTVERSION= 3.2.4
CATEGORIES= sysutils
MASTER_SITES= http://downloads.puppetlabs.com/puppet/
Modified: head/sysutils/puppet/distinfo
==============================================================================
--- head/sysutils/puppet/distinfo Fri Aug 16 17:14:16 2013 (r324807)
+++ head/sysutils/puppet/distinfo Fri Aug 16 17:54:41 2013 (r324808)
@@ -1,2 +1,2 @@
-SHA256 (puppet-3.2.3.tar.gz) = 6a19927d6126b9f6f40e94997c0896a618da8983178ca0e30264122b70edf819
-SIZE (puppet-3.2.3.tar.gz) = 1782059
+SHA256 (puppet-3.2.4.tar.gz) = 8b38f4adee6237b8dd7b1956d90af97f2d0091245d6e30b708bbc8e333001358
+SIZE (puppet-3.2.4.tar.gz) = 1786216