openSUSE-SU-2011:1288-1: moderate: puppet

openSUSE Security Update: puppet ______________________________________________________________________________

Announcement ID: openSUSE-SU-2011:1288-1 Rating: moderate References: #721139 #726372 #727024 #727025 Cross-References: CVE-2011-3848 CVE-2011-3869 CVE-2011-3870 CVE-2011-3871 CVE-2011-3872 Affected Products: openSUSE 11.4 openSUSE 11.3 ______________________________________________________________________________

An update that fixes 5 vulnerabilities is now available.

Description:

Puppet's certificate authority issued Puppet agent certificates capable of impersonating the Puppet master. Compromised or rogue puppet agents could therefore use their certificates for MITM attacks (CVE-2011-3872).

Note: If you've set the 'certdnsnames' option in your master's puppet.conf file merely installing the updated packages is not sufficient to fix this problem. You need to either pick a new DNS name for the master and reconfigure all agents to use it or re-new certificates on all agents.

Please refer to the documentation in /usr/share/doc/packages/puppet/puppetlabs-cve20113872-0.0.5 for detailed instructions and scripts.

Puppetlabs' site also provides more information: http://puppetlabs.com/security/cve/cve-2011-3872/faq/ http://puppetlabs.com/blog/important-security-announcement-a ltnames-vulnerability/

--

Directory traversal vulnerability in puppet allowed unauthenticated remote attackers to upload x.509 certificate signing requests to arbitrary locations (CVE-2011-3848)

Puppet was prone to several symlink attacks (CVE-2011-3870, CVE-2011-3869, CVE-2011-3871)

Patch Instructions:

To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- openSUSE 11.4:

zypper in -t patch puppet-5403

- openSUSE 11.3:

zypper in -t patch puppet-5403

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE 11.4 (i586 x86_64):

puppet-2.6.4-4.11.1 puppet-server-2.6.4-4.11.1

- openSUSE 11.3 (i586 x86_64):

puppet-0.25.4-4.7.1 puppet-server-0.25.4-4.7.1

References:

http://support.novell.com/security/cve/CVE-2011-3848.html http://support.novell.com/security/cve/CVE-2011-3869.html http://support.novell.com/security/cve/CVE-2011-3870.html http://support.novell.com/security/cve/CVE-2011-3871.html http://support.novell.com/security/cve/CVE-2011-3872.html https://bugzilla.novell.com/721139 https://bugzilla.novell.com/726372 https://bugzilla.novell.com/727024 https://bugzilla.novell.com/727025