USN-917-1: Puppet vulnerabilities


 
Old 03-24-2010

Referenced CVEs:
CVE-2009-3564, CVE-2010-0156


Description:
===========================================================
Ubuntu Security Notice USN-917-1             March 24, 2010
puppet vulnerabilities
CVE-2009-3564, CVE-2010-0156
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 9.10:
  puppet                          0.24.8-2ubuntu4.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that Puppet did not drop supplementary groups when
being run as a different user. A local user may be able to use this flaw
to bypass security restrictions and gain access to restricted files.
(CVE-2009-3564)

It was discovered that Puppet did not correctly handle temporary files. A
local user can exploit this flaw to bypass security restrictions and
overwrite arbitrary files. (CVE-2010-0156)
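
The class of flaw described for CVE-2009-3564, shown as an added Ruby example (not Puppet's code and not part of the advisory): a user switch that leaves the inherited supplementary groups in place, beside a drop that resets and verifies them. The function names and sample GIDs are constructed for illustration.

```ruby
require 'etc'

# GIDs held by the process that the target account is not entitled to.
# Pure function, so the check can be exercised without root.
def leftover_groups(current_gids, allowed_gids)
  (current_gids - allowed_gids).uniq.sort
end

# Primary GID plus every group that lists `user` as a member.
def entitled_gids(user)
  gids = [Etc.getpwnam(user).gid]
  Etc.group { |g| gids << g.gid if g.mem.include?(user) }
  gids.uniq.sort
end

# Flawed pattern: UID and GID change, but the supplementary group list
# inherited from the parent (often root's) stays attached to the process.
def switch_user_keeping_groups(user)
  pw = Etc.getpwnam(user)
  Process::GID.change_privilege(pw.gid)
  Process::UID.change_privilege(pw.uid)
end

# Hardened pattern. Order matters: supplementary groups first (this needs
# root), then GID, then UID last, followed by verification.
def drop_privileges(user)
  pw = Etc.getpwnam(user)
  raise ArgumentError, 'target must not be uid 0' if pw.uid.zero?
  Process.initgroups(user, pw.gid)        # replace inherited group list
  Process::GID.change_privilege(pw.gid)   # real, effective and saved GID
  Process::UID.change_privilege(pw.uid)   # real, effective and saved UID
  extra = leftover_groups(Process.groups, entitled_gids(user))
  raise SecurityError, "still in groups #{extra.inspect}" unless extra.empty?
  begin
    Process::UID.change_privilege(0)      # must fail after a permanent drop
  rescue Errno::EPERM
    return true
  end
  raise SecurityError, 'process was able to regain uid 0'
end

if __FILE__ == $0
  # Constructed sample: a daemon started by root (GIDs 0, 4, 27) switching
  # to an account entitled only to GID 1001.
  p leftover_groups([0, 4, 27, 1001], [1001])
end
```

`drop_privileges` has to be called as root; `leftover_groups(Process.groups, entitled_gids(user))` can be run from any process to audit a service that has already switched users.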





PUPPET-SECRET_AGENT(8)						   Puppet manual					    PUPPET-SECRET_AGENT(8)

NAME
       puppet-secret_agent - Mimics puppet agent.

SYNOPSIS
       puppet secret_agent action

DESCRIPTION
       This subcommand currently functions as a proof of concept, demonstrating how the Faces API exposes Puppet's internal systems to application logic; compare the actual code for puppet agent. It will eventually replace puppet agent entirely, and can provide a template for users who wish to implement agent-like functionality with non-standard application logic.

OPTIONS
       Note that any configuration parameter that's valid in the configuration file is also a valid long argument, although it may or may not be relevant to the present action. For example, server is a valid configuration parameter, so you can specify --server <servername> as an argument.

       See the configuration file documentation at http://docs.puppetlabs.com/references/stable/configuration.html for the full list of acceptable parameters. A commented list of all configuration options can also be generated by running puppet with --genconfig.

       --mode MODE
              The run mode to use for the current action. Valid modes are user, agent, and master.

       --render-as FORMAT
              The format in which to render output. The most common formats are json, s (string), yaml, and console, but other options such as dot are sometimes available.

       --verbose
              Whether to log verbosely.

       --debug
              Whether to log debug information.

ACTIONS
       synchronize - Run secret_agent once.

              SYNOPSIS
              puppet secret_agent

              DESCRIPTION
              Mimics a single run of puppet agent. This action does not currently daemonize, but can download plugins, submit facts, retrieve and apply a catalog, and submit a report to the puppet master.

              RETURNS
              Verbose logging from the completed run. When used from the Ruby API: returns a Puppet::Transaction::Report object.

              NOTES
              This action requires that the puppet master's auth.conf file allow save access to the facts REST terminus. Puppet agent does not use this facility, and it is turned off by default. See http://docs.puppetlabs.com/guides/rest_auth_conf.html for more details.

EXAMPLES
       synchronize

       Trigger a Puppet run with the configured puppet master:

       $ puppet secret_agent

COPYRIGHT AND LICENSE
       Copyright 2011 by Puppet Labs Apache 2 license; see COPYING

Puppet Labs, LLC                                   June 2012                                   PUPPET-SECRET_AGENT(8)