https://bugzilla.novell.com/show_bug.cgi?id=825878

https://bugzilla.novell.com/show_bug.cgi?id=825878#c0

Summary: Puppet CVE-2013-3567 (Unauthenticated Remote Code Execution Vulnerability)
Classification: openSUSE
Product: openSUSE 12.3
Version: Final
Platform: Other
OS/Version: openSUSE 12.3
Status: NEW
Severity: Critical
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: boris@steki.net
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0

When making REST API calls, the puppet master takes YAML from an untrusted client, deserializes it, and then calls methods on the resulting object. A YAML payload can be crafted to cause the deserialization to construct an instance of any class available in the Ruby process, which allows an attacker to execute code contained in the payload.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

http://puppetlabs.com/security/cve/cve-2013-3567/
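The deserialization pattern the report describes, shown as an added Ruby example (this is not code from Puppet, from the Puppet Labs advisory, or from the bug reporter). A client-controlled `!ruby/object:` tag is enough for Psych's full loader to instantiate whatever class the tag names, as long as that class is loaded in the server process; the server then calls methods on the object without ever checking what it got. `Widget`, `PAYLOAD` and the two helper functions are constructed for this illustration and are not Puppet identifiers or a real exploit gadget. The hardened variant uses `YAML.safe_load`, which only permits scalars, arrays and hashes and raises `Psych::DisallowedClass` on any other tag.

```ruby
require 'yaml'

# Stand-in for "any class available in the ruby process". In the real bug the
# attacker would name an existing class whose methods do something dangerous;
# this benign class only records that the server-side method call happened.
class Widget
  attr_accessor :name

  def describe
    "widget named #{name}"
  end
end

# Constructed client payload: the tag names a class, the mapping sets its ivars.
PAYLOAD = "--- !ruby/object:Widget\nname: from-client\n"

# Vulnerable pattern: full YAML deserialization of client-supplied text.
# YAML.load was the unsafe loader in the Psych versions Puppet shipped with;
# Psych 4 made YAML.load safe, so fall back to unsafe_load where it exists
# in order to reproduce the old behaviour.
def unsafe_deserialize(yaml)
  if YAML.respond_to?(:unsafe_load)
    YAML.unsafe_load(yaml)
  else
    YAML.load(yaml)
  end
end

# The server then "calls methods on the resulting object": whatever class the
# client named is what answers this call.
def handle_request_unsafely(yaml)
  obj = unsafe_deserialize(yaml)
  obj.describe
end

# Hardened pattern: safe_load only builds basic types; any !ruby/object tag is
# rejected before a constructor ever runs.
def handle_request_safely(yaml)
  data = YAML.safe_load(yaml)
  [:accepted, data]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

if $PROGRAM_NAME == __FILE__
  puts handle_request_unsafely(PAYLOAD)
  p handle_request_safely(PAYLOAD)
  p handle_request_safely("--- {name: from-client}\n")
end
```

Running the block shows the unsafe path happily constructing a `Widget` from the client's tag and invoking its method, while `safe_load` refuses the same bytes and still accepts the plain hash a legitimate client would send.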