openSUSE Security Update: puppet ______________________________________________________________________________ Announcement ID: openSUSE-SU-2011:1288-1 Rating: moderate References: #721139 #726372 #727024 #727025 Cross-References: CVE-2011-3848 CVE-2011-3869 CVE-2011-3870 CVE-2011-3871 CVE-2011-3872 Affected Products: openSUSE 11.4 openSUSE 11.3 ______________________________________________________________________________ An update that fixes 5 vulnerabilities is now available. Description: Puppet's certificate authority issued Puppet agent certificates capable of impersonating the Puppet master. Compromised or rogue puppet agents could therefore use their certificates for MITM attacks (CVE-2011-3872). Note: If you've set the 'certdnsnames' option in your master's puppet.conf file merely installing the updated packages is not sufficient to fix this problem. You need to either pick a new DNS name for the master and reconfigure all agents to use it or re-new certificates on all agents. Please refer to the documentation in /usr/share/doc/packages/puppet/puppetlabs-cve20113872-0.0.5 for detailed instructions and scripts. Puppetlabs' site also provides more information: http://puppetlabs.com/security/cve/cve-2011-3872/faq/ http://puppetlabs.com/blog/important-security-announcement-a ltnames-vulnerability/ -- Directory traversal vulnerability in puppet allowed unauthenticated remote attackers to upload x.509 certificate signing requests to arbitrary locations (CVE-2011-3848) Puppet was prone to several symlink attacks (CVE-2011-3870, CVE-2011-3869, CVE-2011-3871) Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch puppet-5403 - openSUSE 11.3: zypper in -t patch puppet-5403 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (i586 x86_64): puppet-2.6.4-4.11.1 puppet-server-2.6.4-4.11.1 - openSUSE 11.3 (i586 x86_64): puppet-0.25.4-4.7.1 puppet-server-0.25.4-4.7.1 References: http://support.novell.com/security/cve/CVE-2011-3848.html http://support.novell.com/security/cve/CVE-2011-3869.html http://support.novell.com/security/cve/CVE-2011-3870.html http://support.novell.com/security/cve/CVE-2011-3871.html http://support.novell.com/security/cve/CVE-2011-3872.html https://bugzilla.novell.com/721139 https://bugzilla.novell.com/726372 https://bugzilla.novell.com/727024 https://bugzilla.novell.com/727025