Test ID: 1.3.6.1.4.1.25623.1.0.702761
Category: Debian Local Security Checks
Title: Debian Security Advisory DSA 2761-1 (puppet - several vulnerabilities)
Description:
Summary:
Several vulnerabilities were discovered in puppet, a centralized
configuration management system. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2013-4761
The resource_type service (disabled by default) could be used to
make puppet load arbitrary Ruby code from puppet master's file
system.

CVE-2013-4956
Modules installed with the Puppet Module Tool might be installed
with weak permissions, possibly allowing local users to read or
modify them.

The stable distribution (wheezy) has been updated to version 2.7.33 of
puppet. This version includes the patches for all the previous DSAs
related to puppet in wheezy. In this version, the puppet report format
is now correctly reported as version 3.

It is to be expected that future DSAs for puppet update to a newer,
bug fix-only, release of the 2.7 branch.

The oldstable distribution (squeeze) has not been updated for this
advisory: as of this time there is no fix for
CVE-2013-4761 and the package is not affected by
CVE-2013-4956.

Affected Software/OS:
puppet on Debian Linux

Solution:
For the stable distribution (wheezy), these problems have been fixed in
version 2.7.23-1~deb7u1.

For the testing distribution (jessie) and the unstable distribution (sid),
these problems have been fixed in version 3.2.4-1.

We recommend that you upgrade your puppet packages.

CVSS Score:
5.1

CVSS Vector:
AV:N/AC:H/Au:N/C:P/I:P/A:P

Cross-Ref:
Common Vulnerability Exposure (CVE) ID: CVE-2013-4956
Debian Security Information: DSA-2761
http://www.debian.org/security/2013/dsa-2761
RedHat Security Advisories: RHSA-2013:1283
http://rhn.redhat.com/errata/RHSA-2013-1283.html
RedHat Security Advisories: RHSA-2013:1284
http://rhn.redhat.com/errata/RHSA-2013-1284.html
Common Vulnerability Exposure (CVE) ID: CVE-2013-4761
SuSE Security Announcement: SUSE-SU-2014:0155
http://lists.opensuse.org/opensuse-security-announce/2014-01/msg00009.html

Copyright: Copyright (C) 2013 Greenbone Networks GmbH http://greenbone.net
