Change log for puppet package in Ubuntu

Superseded in saucy-proposed
puppet (3.2.4-2) unstable; urgency=low


  * Include patch from upstream to prevent duplicate nagios_ resources
    (Closes: #721132)
  * Add empty /usr/share/puppet/modules to puppet-common for puppet modules

 -- Stig Sandbeck Mathisen <email address hidden>  Sun, 01 Sep 2013 13:41:51 +0200

Superseded in precise-updates
Superseded in precise-security
puppet (2.7.11-1ubuntu2.4) precise-security; urgency=low

  * SECURITY UPDATE: August 2013 privilege escalation and code execution
    vulnerabilities
    - debian/patches/ubuntu-2.7.11-puppet-Aug-2013-CVE-fixes.patch:
      upstream patch to resolve security issues.
    - CVE-2013-4956
    - CVE-2013-4761
 -- Marc Deslauriers <email address hidden>   Wed, 14 Aug 2013 20:30:05 -0400
Superseded in raring-updates
Superseded in raring-security
puppet (2.7.18-4ubuntu1.2) raring-security; urgency=low

  * SECURITY UPDATE: August 2013 privilege escalation and code execution
    vulnerabilities
    - debian/patches/2.7.22-puppet-Aug-2013-CVE-fixes.patch: backport of
      upstream patch to resolve security issues.
    - CVE-2013-4956
    - CVE-2013-4761
 -- Marc Deslauriers <email address hidden>   Wed, 14 Aug 2013 07:59:11 -0400
Superseded in quantal-updates
Superseded in quantal-security
puppet (2.7.18-1ubuntu1.3) quantal-security; urgency=low

  * SECURITY UPDATE: August 2013 privilege escalation and code execution
    vulnerabilities
    - debian/patches/2.7.22-puppet-Aug-2013-CVE-fixes.patch: backport of
      upstream patch to resolve security issues.
    - CVE-2013-4956
    - CVE-2013-4761
 -- Marc Deslauriers <email address hidden>   Wed, 14 Aug 2013 08:06:26 -0400
Superseded in saucy-release
Deleted in saucy-proposed (Reason: moved to release)
puppet (3.2.3-1) unstable; urgency=low


  * Import upstream version 3.2.3
  * Do not use "dpkg-maintscript-helper" on non-conffiles
    (Closes: #713070)
  * Bump standards version (no changes)

 -- Stig Sandbeck Mathisen <email address hidden>  Fri, 02 Aug 2013 23:07:48 +0200

Superseded in saucy-release
Deleted in saucy-proposed (Reason: moved to release)
puppet (3.2.2-1) unstable; urgency=high


  * New upstream version (Closes: #712745, CVE-2013-3567)
    - use packaged ruby-safe-yaml instead of the vendored gem
  * Support apache 2.4 (Closes: #675409)
  * Remove dependency on rails (Closes: #709636)
  * Remove build dependency on ruby-rspec
  * add dep8 tests
  * puppetmaster-passenger.postinst: check if puppet.conf can be parsed on
    install.
    Thanks to Ubuntu

 -- Stig Sandbeck Mathisen <email address hidden>  Wed, 19 Jun 2013 11:45:46 +0200
Superseded in precise-updates
Superseded in precise-security
puppet (2.7.11-1ubuntu2.3) precise-security; urgency=low

  * SECURITY UPDATE: Remote code execution on master from unauthenticated
    clients
    - debian/patches/2.7.21-Patch-for-CVE-2013-3567.patch: upstream patch
      to use safe_yaml.
    - CVE-2013-3567
 -- Marc Deslauriers <email address hidden>   Fri, 14 Jun 2013 09:06:22 -0400
Superseded in quantal-updates
Superseded in quantal-security
puppet (2.7.18-1ubuntu1.2) quantal-security; urgency=low

  * SECURITY UPDATE: Remote code execution on master from unauthenticated
    clients
    - debian/patches/2.7.21-Patch-for-CVE-2013-3567.patch: backport of
      upstream patch to use safe_yaml.
    - CVE-2013-3567
 -- Marc Deslauriers <email address hidden>   Fri, 14 Jun 2013 09:08:35 -0400
Superseded in raring-updates
Superseded in raring-security
puppet (2.7.18-4ubuntu1.1) raring-security; urgency=low

  * SECURITY UPDATE: Remote code execution on master from unauthenticated
    clients
    - debian/patches/2.7.21-Patch-for-CVE-2013-3567.patch: backport of
      upstream patch to use safe_yaml.
    - CVE-2013-3567
 -- Marc Deslauriers <email address hidden>   Fri, 14 Jun 2013 09:00:45 -0400
Superseded in saucy-release
Deleted in saucy-proposed (Reason: moved to release)
puppet (3.1.1-1ubuntu1) saucy; urgency=low

  * Merge with Debian; remaining changes:
    - debian/puppetmaster-passenger.postinst: Make sure we error if puppet
      config print doesn't work
    - debian/puppetmaster-passenger.postinst: Ensure upgrades from
      <= 2.7.11-1 fixup passenger apache configuration.
    - Drop Build-Depends on ruby-rspec (in universe):
      + debian/control: remove ruby-rspec from Build-Depends

Superseded in saucy-release
Obsolete in raring-release
Deleted in raring-proposed (Reason: moved to release)
puppet (2.7.18-4ubuntu1) raring; urgency=low

  * Merge from Debian unstable. This merges the vim addon fix in 2.7.18-2
    (LP: #1163927). Remaining changes:
    - debian/puppetmaster-passenger.postinst: Make sure we error if puppet
      config print doesn't work
    - debian/puppetmaster-passenger.postinst: Ensure upgrades from
      <= 2.7.11-1 fixup passenger apache configuration.
    - Drop Build-Depends on ruby-rspec (in universe):
      + debian/control: remove ruby-rspec from Build-Depends
      + debian/patches/no-rspec.patch: make Rakefile work anyway if rspec
        isn't installed so we can use it in debian/rules.
  * Drop upstreamed patches:
    - debian/patches/security-mar-2013.patch
 -- Robie Basak <email address hidden>   Mon, 08 Apr 2013 15:03:25 +0100
Obsolete in lucid-backports
puppet (2.7.1-1ubuntu3.8~ubuntu10.04.1) lucid-backports; urgency=low

  * Backports upload, no source changes.
 -- Marc Deslauriers <email address hidden>   Wed, 13 Mar 2013 09:42:01 -0400
Superseded in raring-release
Deleted in raring-proposed (Reason: moved to release)
puppet (2.7.18-1ubuntu2) raring; urgency=low

  * SECURITY UPDATE: Multiple security issues
    - debian/patches/security-mar-2013.patch: upstream patch to fix
      multiple security issues.
    - CVE-2013-1640 - Remote code execution on master from authenticated clients
    - CVE-2013-1652 - Insufficient input validation
    - CVE-2013-1653 - Remote code execution
    - CVE-2013-1654 - Protocol downgrade
    - CVE-2013-1655 - Unauthenticated remote code execution risk
    - CVE-2013-2275 - Incorrect default report ACL
 -- Marc Deslauriers <email address hidden>   Mon, 11 Mar 2013 11:16:08 -0400
Obsolete in oneiric-updates
Obsolete in oneiric-security
puppet (2.7.1-1ubuntu3.8) oneiric-security; urgency=low

  * SECURITY UPDATE: Multiple security issues
    - debian/patches/security-mar-2013.patch: upstream patch to fix
      multiple security issues.
    - CVE-2013-1640 - Remote code execution on master from authenticated clients
    - CVE-2013-1652 - Insufficient input validation
    - CVE-2013-1653 - Remote code execution
    - CVE-2013-1654 - Protocol downgrade
    - CVE-2013-1655 - Unauthenticated remote code execution risk
    - CVE-2013-2275 - Incorrect default report ACL
 -- Marc Deslauriers <email address hidden>   Mon, 11 Mar 2013 12:49:11 -0400
Superseded in precise-updates
Superseded in precise-security
puppet (2.7.11-1ubuntu2.2) precise-security; urgency=low

  * SECURITY UPDATE: Multiple security issues
    - debian/patches/security-mar-2013.patch: upstream patch to fix
      multiple security issues.
    - CVE-2013-1640 - Remote code execution on master from authenticated clients
    - CVE-2013-1652 - Insufficient input validation
    - CVE-2013-1653 - Remote code execution
    - CVE-2013-1654 - Protocol downgrade
    - CVE-2013-1655 - Unauthenticated remote code execution risk
    - CVE-2013-2275 - Incorrect default report ACL
 -- Marc Deslauriers <email address hidden>   Mon, 11 Mar 2013 12:32:11 -0400
Superseded in quantal-updates
Superseded in quantal-security
puppet (2.7.18-1ubuntu1.1) quantal-security; urgency=low

  * SECURITY UPDATE: Multiple security issues
    - debian/patches/security-mar-2013.patch: upstream patch to fix
      multiple security issues.
    - CVE-2013-1640 - Remote code execution on master from authenticated clients
    - CVE-2013-1652 - Insufficient input validation
    - CVE-2013-1653 - Remote code execution
    - CVE-2013-1654 - Protocol downgrade
    - CVE-2013-1655 - Unauthenticated remote code execution risk
    - CVE-2013-2275 - Incorrect default report ACL
 -- Marc Deslauriers <email address hidden>   Mon, 11 Mar 2013 11:16:08 -0400
Superseded in raring-release
Obsolete in quantal-release
puppet (2.7.18-1ubuntu1) quantal; urgency=low

  * Resynchronise with Debian. (LP: #1023931) Remaining changes:
    - debian/puppetmaster-passenger.postinst: Make sure we error if puppet
      config print doesn't work
    - debian/puppetmaster-passenger.postinst: Ensure upgrades from
      <= 2.7.11-1 fixup passenger apache configuration.
  * Dropped upstreamed patches:
    - debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
    - debian/patches/puppet-12844
    - debian/patches/2.7.17-Puppet-July-2012-CVE-fixes.patch
  * Drop Build-Depends on ruby-rspec (in universe):
    - debian/control: remove ruby-rspec from Build-Depends
    - debian/patches/no-rspec.patch: make Rakefile work anyway if rspec
      isn't installed so we can use it in debian/rules.

Superseded in quantal-release
puppet (2.7.11-1ubuntu3) quantal; urgency=low

  * SECURITY UPDATE: Multiple July 2012 security issues
    - debian/patches/2.7.17-Puppet-July-2012-CVE-fixes.patch: upstream
      patch to fix multiple security issues.
    - CVE-2012-3864: arbitrary file read on master from authenticated
      clients
    - CVE-2012-3865: arbitrary file delete or denial of service on master
      from authenticated clients
    - CVE-2012-3866: last_run_report.yaml report file is world readable and
      leads to arbitrary file read on master by an agent
    - CVE-2012-3867: insufficient input validation for agent cert hostnames
  * debian/control: use ruby1.8 as Build-Depends-Indep to fix FTBFS
 -- Marc Deslauriers <email address hidden>   Fri, 13 Jul 2012 12:45:14 -0400
Obsolete in lucid-updates
Obsolete in lucid-security
puppet (0.25.4-2ubuntu6.8) lucid-security; urgency=low

  * SECURITY UPDATE: multiple July 2012 security issues
    - Backported from upstream patch for 2.6.4.
    - CVE-2012-3864: arbitrary file read on master from authenticated
      clients
    - CVE-2012-3865: arbitrary file delete or denial of service on master
      from authenticated clients
    - CVE-2012-3867: insufficient input validation for agent cert hostnames
 -- Marc Deslauriers <email address hidden>   Thu, 12 Jul 2012 07:56:24 -0400
Obsolete in natty-updates
Obsolete in natty-security
puppet (2.6.4-2ubuntu2.10) natty-security; urgency=low

  * SECURITY UPDATE: multiple July 2012 security issues
    - debian/patches/2.6.4-Puppet-July-2012-CVE-fixes.patch: fix multiple
      security issues. Patch from upstream, with an additional fix to
      lib/puppet/reports/store.rb.
    - CVE-2012-3864: arbitrary file read on master from authenticated
      clients
    - CVE-2012-3865: arbitrary file delete or denial of service on master
      from authenticated clients
    - CVE-2012-3867: insufficient input validation for agent cert hostnames
 -- Marc Deslauriers <email address hidden>   Tue, 10 Jul 2012 08:24:35 -0400
Superseded in oneiric-updates
Superseded in oneiric-security
puppet (2.7.1-1ubuntu3.7) oneiric-security; urgency=low

  * SECURITY UPDATE: multiple July 2012 security issues
    - debian/patches/2.7.9-Puppet-July-2012-CVE-fixes.patch: fix multiple
      security issues with backported upstream 2.7.9 patch to 2.7.1.
    - CVE-2012-3864: arbitrary file read on master from authenticated
      clients
    - CVE-2012-3865: arbitrary file delete or denial of service on master
      from authenticated clients
    - CVE-2012-3866: last_run_report.yaml report file is world readable and
      leads to arbitrary file read on master by an agent
    - CVE-2012-3867: insufficient input validation for agent cert hostnames
 -- Marc Deslauriers <email address hidden>   Tue, 10 Jul 2012 08:17:46 -0400
Superseded in precise-updates
Superseded in precise-security
puppet (2.7.11-1ubuntu2.1) precise-security; urgency=low

  * SECURITY UPDATE: Multiple July 2012 security issues
    - debian/patches/2.7.17-Puppet-July-2012-CVE-fixes.patch: upstream
      patch to fix multiple security issues.
    - CVE-2012-3864: arbitrary file read on master from authenticated
      clients
    - CVE-2012-3865: arbitrary file delete or denial of service on master
      from authenticated clients
    - CVE-2012-3866: last_run_report.yaml report file is world readable and
      leads to arbitrary file read on master by an agent
    - CVE-2012-3867: insufficient input validation for agent cert hostnames
 -- Marc Deslauriers <email address hidden>   Tue, 10 Jul 2012 07:58:03 -0400
Superseded in lucid-backports
puppet (2.7.1-1ubuntu3.6~lucid1) lucid-backports; urgency=low

  * Automated backport upload; no source changes.

Obsolete in natty-backports
puppet (2.7.1-1ubuntu3.6~natty1) natty-backports; urgency=low

  * Automated backport upload; no source changes.

Superseded in quantal-release
Published in precise-release
puppet (2.7.11-1ubuntu2) precise; urgency=low

  * SECURITY UPDATE: Arbitrary file writes via predictable filename usage in
    appdmg and pkgdmg providers (LP: #978708)
    - debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
    - CVE-2012-1906
  * SECURITY UPDATE: Arbitrary file reads via Filebucket REST requests
    - debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
    - CVE-2012-1986
  * SECURITY UPDATE: Denial of service via Filebucket text/marshal support
    - debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
    - CVE-2012-1987
  * SECURITY UPDATE: Arbitrary code execution via Filebucket requests
    - debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
    - CVE-2012-1988
  * SECURITY UPDATE: Arbitrary file writes via predictable telnet output log
    filename
    - debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
    - CVE-2012-1989
  * debian/patches/puppet-12844: Re-fetch the patch from upstream since some
    missing pieces cause 'rake spec' to abort immediately
 -- Tyler Hicks <email address hidden>   Wed, 11 Apr 2012 03:55:10 -0500
Superseded in oneiric-updates
Superseded in oneiric-security
puppet (2.7.1-1ubuntu3.6) oneiric-security; urgency=low

  * SECURITY UPDATE: Arbitrary file writes via predictable filename usage in
    appdmg and pkgdmg providers
    - debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
    - CVE-2012-1906
  * SECURITY UPDATE: Arbitrary file reads via Filebucket REST requests
    - debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
    - CVE-2012-1986
  * SECURITY UPDATE: Denial of service via Filebucket text/marshal support
    - debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
    - CVE-2012-1987
  * SECURITY UPDATE: Arbitrary code execution via Filebucket requests
    - debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
    - CVE-2012-1988
  * SECURITY UPDATE: Arbitrary file writes via predictable telnet output log
    filename
    - debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
    - CVE-2012-1989
  * debian/patches/fix-unpredictable-hash-ordering-tests.patch: Fix testsuite
    failures caused by hash randomization in Ruby
 -- Tyler Hicks <email address hidden>   Tue, 10 Apr 2012 11:47:14 -0500
Superseded in natty-updates
Superseded in natty-security
puppet (2.6.4-2ubuntu2.9) natty-security; urgency=low

  * SECURITY UPDATE: Arbitrary file writes via predictable filename usage in
    appdmg and pkgdmg providers
    - debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
    - CVE-2012-1906
  * SECURITY UPDATE: Arbitrary file reads via Filebucket REST requests
    - debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
    - CVE-2012-1986
  * SECURITY UPDATE: Denial of service via Filebucket text/marshal support
    - debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
    - CVE-2012-1987
  * SECURITY UPDATE: Arbitrary code execution via Filebucket requests
    - debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
    - CVE-2012-1988
  * debian/patches/fix-unpredictable-hash-ordering-tests.patch: Fix testsuite
    failures caused by hash randomization in Ruby
 -- Tyler Hicks <email address hidden>   Tue, 10 Apr 2012 11:47:14 -0500
Superseded in lucid-updates
Superseded in lucid-security
puppet (0.25.4-2ubuntu6.7) lucid-security; urgency=low

  * SECURITY UPDATE: Arbitrary file writes via predictable filename usage in
    appdmg and pkgdmg providers
    - lib/puppet/provider/package/{appdmg.rb,pkgdmg.rb}: Use mktmpdir when
      downloading packages. Based on upstream patch.
    - CVE-2012-1906
  * SECURITY UPDATE: Arbitrary file reads via Filebucket REST requests
    - lib/puppet/network/http/api/v1.rb: Fix for bucket_path security
      vulnerability. Based on upstream patch.
    - CVE-2012-1986
  * SECURITY UPDATE: Denial of service via Filebucket text/marshal support
    - lib/puppet/network/formats.rb: Removed text/marshal support. Based on
      upstream patch.
    - CVE-2012-1987
  * SECURITY UPDATE: Arbitrary code execution via Filebucket requests
    - lib/puppet/network/http/api/v1.rb: Fix for bucket_path security
      vulnerability. Based on upstream patch.
    - CVE-2012-1988
  * spec/unit/property/keyvalue.rb: Fix testsuite failure caused by hash
    randomization in Ruby. Based on upstream patch.
    - 765036c707a29077107674ad5c6277df6e637b28
 -- Tyler Hicks <email address hidden>   Tue, 10 Apr 2012 11:47:14 -0500
Superseded in precise-release
puppet (2.7.11-1ubuntu1) precise; urgency=low

  [ Marc Cluet ]
  * debian/patches/puppet-12844: Cherry picked patch from upstream
    2.7.12 to revert new agent lockfile behaviour as it breaks upgrades
    from versions < 2.7.10.  This feature has been pushed out to
    puppet 3.x by upstream.
  * debian/puppetmaster-passenger.postinst (LP: #948983)
    - Fixed rack directory location
    - Added proper enabling of apache2 headers mod
  * debian/puppetmaster-passenger.postinst (LP: #950183)
    - Make sure we error if puppet config print doesn't work

  [ James Page ]
  * debian/puppetmaster-passenger.postinst:
    - Ensure upgrades from <= 2.7.11-1 fixup passenger apache
      configuration.
 -- Marc Cluet <email address hidden>   Fri, 16 Mar 2012 15:36:35 +0000
Superseded in lucid-backports
puppet (2.7.1-1ubuntu3.5~lucid1) lucid-backports; urgency=low

  * Automated backport upload; no source changes.

Obsolete in maverick-backports
puppet (2.7.1-1ubuntu3.5~maverick1) maverick-backports; urgency=low

  * Automated backport upload; no source changes.

Superseded in natty-backports
puppet (2.7.1-1ubuntu3.5~natty1) natty-backports; urgency=low

  * Automated backport upload; no source changes.

Superseded in precise-release
puppet (2.7.11-1) unstable; urgency=high


  * New upstream release
  * Urgency set to high due to regressions in previous release
    and security vulnerabilities
  * Execs when run with a user specified, but no group, get the root
    group. Similarly unexpected privileges are given to providers and
    types (egid remains as root), this is fixed with a patch from
    upstream (CVE-2012-1053)
  * Fix Klogin write through symlink (CVE-2012-1054)

 -- Micah Anderson <email address hidden>  Thu, 23 Feb 2012 18:24:48 -0500
Superseded in oneiric-updates
Superseded in oneiric-security
puppet (2.7.1-1ubuntu3.5) oneiric-security; urgency=low

  * SECURITY UPDATE: correctly drop group privileges
    - debian/patches/CVE-2012-1053_CVE-2012-1054.patch
    - CVE-2012-1053
  * SECURITY UPDATE: properly handle symlinks with Klogin
    - debian/patches/CVE-2012-1053_CVE-2012-1054.patch
    - CVE-2012-1054
 -- Jamie Strandboge <email address hidden>   Thu, 16 Feb 2012 13:06:11 -0600
Superseded in natty-updates
Superseded in natty-security
puppet (2.6.4-2ubuntu2.8) natty-security; urgency=low

  * SECURITY UPDATE: correctly drop group privileges
    - debian/patches/CVE-2012-1053_CVE-2012-1054.patch
    - CVE-2012-1053
  * SECURITY UPDATE: properly handle symlinks with Klogin
    - debian/patches/CVE-2012-1053_CVE-2012-1054.patch
    - CVE-2012-1054
 -- Jamie Strandboge <email address hidden>   Thu, 16 Feb 2012 13:15:07 -0600
Obsolete in maverick-updates
Obsolete in maverick-security
puppet (2.6.1-0ubuntu2.6) maverick-security; urgency=low

  * SECURITY UPDATE: correctly drop group privileges
    - debian/patches/CVE-2012-1053_CVE-2012-1054.patch
    - CVE-2012-1053
  * SECURITY UPDATE: properly handle symlinks with Klogin
    - debian/patches/CVE-2012-1053_CVE-2012-1054.patch
    - CVE-2012-1054
 -- Jamie Strandboge <email address hidden>   Thu, 16 Feb 2012 13:21:42 -0600
Superseded in lucid-updates
Superseded in lucid-security
puppet (0.25.4-2ubuntu6.6) lucid-security; urgency=low

  * SECURITY UPDATE: correctly drop group privileges and properly handle
    symlinks with Klogin. Based on following upstream patches:
    - 7df0533f93f229de72694148da0ebfd9e1e831c9
    - 4ec03b81041c25428a32bc2b83d606ae381e0d53
    - f47dd4d3e0aaaa8ebd75b71ef02ce441df663f04
    - d702377a00988c3ca458fc48adbc63c4bfcf3164
    - ea10b0c487c343d6924951f2da522f3078093a98
    - CVE-2012-1053
    - CVE-2012-1054
  * debian/rules: update unit tests to remove tc_suidmanager.rb (part of fix
    for the above)
    - ed0bc14c54018691013fdf6eaa989bc5e49f1a66
 -- Jamie Strandboge <email address hidden>   Tue, 21 Feb 2012 10:36:05 -0600
Superseded in precise-release
puppet (2.7.10-1ubuntu1) precise; urgency=low

  * Use maintscript support in dh_installdeb rather than writing out
    dpkg-maintscript-helper commands by hand.  We now simply Pre-Depend on a
    new enough version of dpkg rather than using 'dpkg-maintscript-helper
    supports' guards, leading to more predictable behaviour on upgrades.
 -- Colin Watson <email address hidden>   Tue, 14 Feb 2012 11:08:59 +0000
Superseded in oneiric-updates
Superseded in oneiric-security
puppet (2.7.1-1ubuntu3.4) oneiric-security; urgency=low

  * SECURITY UPDATE: fix access to remote resource when auth.conf is
    missing which was reintroduced in 2.7.1-1ubuntu1.
    - debian/patches/debian-changes: Pull out change that re-enabled
      remote ralsh by default. It should be disabled.
    - CVE-2011-0528
  * debian/patches/fix-orderdependent-certificate-tests.patch: fix CA
    certificate testsuite failures.
 -- Jamie Strandboge <email address hidden>   Mon, 13 Feb 2012 17:07:16 -0600
Superseded in precise-release
puppet (2.7.9-1ubuntu2) precise; urgency=low

  * Use maintscript support in dh_installdeb rather than writing out
    dpkg-maintscript-helper commands by hand.  We now simply Pre-Depend on a
    new enough version of dpkg rather than using 'dpkg-maintscript-helper
    supports' guards, leading to more predictable behaviour on upgrades.
 -- Colin Watson <email address hidden>   Sun, 12 Feb 2012 15:07:46 +0000

Superseded in natty-updates
Superseded in natty-security
puppet (2.6.4-2ubuntu2.7) natty-security; urgency=low

  * SECURITY UPDATE: fix access to remote resource when auth.conf is
    missing which was reintroduced in 2.6.4-2ubuntu1.
    - debian/patches/CVE-2011-0528.patch: Disable remote ralsh by default
    - CVE-2011-0528
 -- Jamie Strandboge <email address hidden>   Fri, 10 Feb 2012 05:58:07 -0600
Superseded in maverick-updates
Superseded in maverick-security
puppet (2.6.1-0ubuntu2.5) maverick-security; urgency=low

  * SECURITY UPDATE: fix access to remote resource when auth.conf is
    missing
    - debian/patches/CVE-2011-0528.patch: Disable remote ralsh by default
    - CVE-2011-0528
 -- Jamie Strandboge <email address hidden>   Thu, 09 Feb 2012 22:08:43 -0600
Superseded in precise-release
puppet (2.7.10-1) unstable; urgency=low


  * New upstream release
  * Update breaks/replaces for puppetmaster-common (Closes: #656962)
  * Add systemd services for puppet agent and master

 -- Stig Sandbeck Mathisen <email address hidden>  Thu, 26 Jan 2012 11:27:00 +0100
Superseded in lucid-backports
puppet (2.7.1-1ubuntu3.2~lucid1) lucid-backports; urgency=low

  * Automated backport upload; no source changes.

Superseded in maverick-backports
puppet (2.7.1-1ubuntu3.2~maverick1) maverick-backports; urgency=low

  * Automated backport upload; no source changes.

Superseded in lucid-backports
puppet (2.7.1-1ubuntu3~lucid1) lucid-backports; urgency=low

  * Automated backport upload; no source changes.

Superseded in maverick-backports
puppet (2.7.1-1ubuntu3~maverick1) maverick-backports; urgency=low

  * Automated backport upload; no source changes.

Superseded in natty-backports
puppet (2.7.1-1ubuntu3.2~natty1) natty-backports; urgency=low

  * Automated backport upload; no source changes.

Superseded in precise-release
puppet (2.7.9-1ubuntu1) precise; urgency=low

  * Merge from Debian testing.  Remaining changes:
    + Add 2 patches to fix incompatibility with Augeas 0.10.0:
      - augeas_saved_files
      - augeas_versioncmp
    + Change Maintainer according to policy

Superseded in precise-release
puppet (2.7.6-1ubuntu1) precise; urgency=low

  * Add 2 patches to fix incompatibility with Augeas 0.10.0:
      - augeas_saved_files
      - augeas_versioncmp
  * Change Maintainer according to policy.
 -- Raphael Pinson <email address hidden>   Tue, 20 Dec 2011 01:19:12 +0100
Superseded in natty-updates
Superseded in natty-security
puppet (2.6.4-2ubuntu2.6) natty-security; urgency=low

  * REGRESSION FIX (LP: #881361)
    - debian/patches/CVE-2011-3872.patch: updated to fix regression with
      "puppetca" command.
 -- Marc Deslauriers <email address hidden>   Tue, 25 Oct 2011 13:16:29 -0400
Superseded in precise-release
puppet (2.7.6-1) unstable; urgency=high


  * New upstream release (CVE-2011-3872)
  * Remove cherry-picked "groupadd_aix_warning" patch
  * Install all new manpages

 -- Stig Sandbeck Mathisen <email address hidden>  Sat, 22 Oct 2011 14:08:22 +0000
Superseded in oneiric-updates
Superseded in precise-release
Superseded in oneiric-security
puppet (2.7.1-1ubuntu3.2) oneiric-security; urgency=low

  * SECURITY UPDATE: puppet master impersonation via incorrect certificates
    - debian/patches/CVE-2011-3872.patch: refactor certificate handling.
    - Thanks to upstream for providing the patch.
    - CVE-2011-3872
 -- Marc Deslauriers <email address hidden>   Mon, 24 Oct 2011 15:05:12 -0400
Superseded in natty-updates
Superseded in natty-security
puppet (2.6.4-2ubuntu2.5) natty-security; urgency=low

  * SECURITY UPDATE: puppet master impersonation via incorrect certificates
    - debian/patches/CVE-2011-3872.patch: refactor certificate handling.
    - Thanks to upstream for providing the patch.
    - CVE-2011-3872
 -- Marc Deslauriers <email address hidden>   Mon, 24 Oct 2011 15:06:51 -0400
Superseded in maverick-updates
Superseded in maverick-security
puppet (2.6.1-0ubuntu2.4) maverick-security; urgency=low

  * SECURITY UPDATE: puppet master impersonation via incorrect certificates
    - debian/patches/CVE-2011-3872.patch: refactor certificate handling.
    - Thanks to upstream for providing the patch.
    - CVE-2011-3872
 -- Marc Deslauriers <email address hidden>   Mon, 24 Oct 2011 15:08:20 -0400
Superseded in lucid-updates
Superseded in lucid-security
puppet (0.25.4-2ubuntu6.5) lucid-security; urgency=low

  * SECURITY UPDATE: puppet master impersonation via incorrect certificates
    - lib/puppet/{defaults,sslcertificates}.rb: disable certdnsnames
      setting and issue a warning if it is used.
    - Thanks to upstream for providing the patch.
    - CVE-2011-3872
 -- Marc Deslauriers <email address hidden>   Sun, 23 Oct 2011 10:01:02 -0400
Deleted in hardy-proposed (Reason: failed SRU verification)
puppet (0.24.4-3ubuntu0.1) hardy-security; urgency=low

  * SECURITY UPDATE: unauthenticated directory traversal allows writing of
    arbitrary files as puppet master. Patch thanks to Daniel Pittman from
    upstream puppet.
    - 5107c5a979d74d9da40a4cb8362f8ea3e7fb0dd5
    - CVE-2011-3848
    - LP: #861182
  * SECURITY UPDATE: k5login can overwrite arbitrary files as root
    - adjust type/k5login.rb to securely open the file before writing to it as
      root. Patch thanks to Daniel Pittman from upstream puppet.
    - 17bf848bd1fa40fb56e6a83e2ac823e6cce60479
    - CVE-2011-3869
 -- Jamie Strandboge <email address hidden>   Wed, 05 Oct 2011 14:48:27 -0500
Superseded in lucid-updates
Superseded in lucid-security
puppet (0.25.4-2ubuntu6.4) lucid-security; urgency=low

  * adjust ssh_authorized_key/parsed.rb: save backup file to filebucket before
    dropping privileges. Based on upstream commit:
    3f99bd71811be182f9217d727ec0ca7755eec68d
    - http://projects.puppetlabs.com/issues/4267
    - LP: #865462
 -- Jamie Strandboge <email address hidden>   Tue, 04 Oct 2011 07:54:33 -0500
Superseded in lucid-backports
puppet (2.6.1-0ubuntu2~lucid1) lucid-backports; urgency=low

  * Automated backport upload; no source changes.

Superseded in precise-release
Obsolete in oneiric-release
puppet (2.7.1-1ubuntu3) oneiric; urgency=low

  * SECURITY UPDATE: k5login can overwrite arbitrary files as root
    - debian/patches/CVE-2011-3869.patch: adjust type/k5login.rb to securely
      open the file before writing to it as root
    - CVE-2011-3869
  * SECURITY UPDATE: didn't drop privileges before creating and changing
    permissions on SSH keys
    - debian/patches/CVE-2011-3870.patch: adjust ssh_authorized_key/parsed.rb
      to drop privileges before creating the ssh directory and setting
      permissions
    - CVE-2011-3870
  * SECURITY UPDATE: fix predictable temporary filename in ralsh
    - debian/patches/CVE-2011-3871.patch: adjust application/resource.rb to
      use an unpredictable filename
    - CVE-2011-3871
  * SECURITY UPDATE: file indirector injection, similar to CVE-2011-3848
    - secure-indirector-file-backed-terminus-base-cla.patch: Since the
      indirector file backed terminus base class is only used by the test
      suite, remove it and update test cases to use a continuing class.
 -- Jamie Strandboge <email address hidden>   Fri, 30 Sep 2011 08:29:40 -0500
Superseded in lucid-updates
Superseded in lucid-security
puppet (0.25.4-2ubuntu6.3) lucid-security; urgency=low

  * SECURITY UPDATE: k5login can overwrite arbitrary files as root
    - adjust type/k5login.rb to securely open the file before writing to it as
      root. Patch from upstream: a4333c110ad084f205605708eaab52ad243d6c86
    - CVE-2011-3869
  * SECURITY UPDATE: didn't drop privileges before creating and changing
    permissions on SSH keys
    - adjust ssh_authorized_key/parsed.rb to drop privileges before creating
      the ssh directory and setting permissions. Patches based on upstream:
      ce233aa2a511bf6818f28c226144ec5b05a468ee (required for security fix)
      e2c1cd5c957a236f89b9e8cb7b4e4f8769079e8c (security fix)
      8d9575775737c08c6cbfdf7f9a22f2ea4ab21b20 (backported rspec test case)
      0aae5a71a8e3b38cd8d7041f5c40091887c924a8 (fix test when run as root)
    - CVE-2011-3870
  * SECURITY UPDATE: fix predictable temporary filename in ralsh
    - adjust application/resource.rb to use an unpredictable filename. Patch
      from upstream: 21b7192320dbb79a8cfe1fd3e06d0d399c964c0f
    - CVE-2011-3871
 -- Jamie Strandboge <email address hidden>   Fri, 30 Sep 2011 09:18:51 -0500
Superseded in maverick-updates
Superseded in maverick-security
puppet (2.6.1-0ubuntu2.2) maverick-security; urgency=low

  * SECURITY UPDATE: k5login can overwrite arbitrary files as root
    - debian/patches/CVE-2011-3869.patch: adjust type/k5login.rb to securely
      open the file before writing to it as root
    - CVE-2011-3869
  * SECURITY UPDATE: didn't drop privileges before creating and changing
    permissions on SSH keys
    - debian/patches/CVE-2011-3870.patch: adjust ssh_authorized_key/parsed.rb
      to drop privileges before creating the ssh directory and setting
      permissions
    - CVE-2011-3870
  * SECURITY UPDATE: fix predictable temporary filename in ralsh
    - debian/patches/CVE-2011-3871.patch: adjust application/resource.rb to
      use an unpredictable filename
    - CVE-2011-3871
  * SECURITY UPDATE: file indirector injection, similar to CVE-2011-3848
    - secure-indirector-file-backed-terminus-base-cla.patch: Since the
      indirector file backed terminus base class is only used by the test
      suite, remove it and update test cases to use a continuing class.
 -- Jamie Strandboge <email address hidden>   Fri, 30 Sep 2011 09:04:20 -0500
Superseded in natty-updates
Superseded in natty-security
puppet (2.6.4-2ubuntu2.3) natty-security; urgency=low

  * SECURITY UPDATE: k5login can overwrite arbitrary files as root
    - debian/patches/CVE-2011-3869.patch: adjust type/k5login.rb to securely
      open the file before writing to it as root
    - CVE-2011-3869
  * SECURITY UPDATE: didn't drop privileges before creating and changing
    permissions on SSH keys
    - debian/patches/CVE-2011-3870.patch: adjust ssh_authorized_key/parsed.rb
      to drop privileges before creating the ssh directory and setting
      permissions
    - CVE-2011-3870
  * SECURITY UPDATE: fix predictable temporary filename in ralsh
    - debian/patches/CVE-2011-3871.patch: adjust application/resource.rb to
      use an unpredictable filename
    - CVE-2011-3871
  * SECURITY UPDATE: file indirector injection, similar to CVE-2011-3848
    - secure-indirector-file-backed-terminus-base-cla.patch: Since the
      indirector file backed terminus base class is only used by the test
      suite, remove it and update test cases to use a continuing class.
 -- Jamie Strandboge <email address hidden>   Fri, 30 Sep 2011 08:50:31 -0500
Superseded in natty-updates
Superseded in natty-security
puppet (2.6.4-2ubuntu2.2) natty-security; urgency=low

  * SECURITY UPDATE: unauthenticated directory traversal allows writing of
    arbitrary files as puppet master
    - debian/patches/CVE-2011-3848.patch: update lib/puppet/indirector.rb,
      lib/puppet/indirector/ssl_file.rb, lib/puppet/indirector/yaml.rb,
      spec/unit/indirector/ssl_file.rb and spec/unit/indirector/yaml.rb to
      perform proper input validation.
    - CVE-2011-3848
    - LP: #861182
  * debian/patches/fix-rake-spec-missing-require.patch: allow 'rake spec'
    to run again
 -- Jamie Strandboge <email address hidden>   Wed, 28 Sep 2011 08:26:38 -0500
Superseded in oneiric-release
puppet (2.7.1-1ubuntu2) oneiric; urgency=low

  * SECURITY UPDATE: unauthenticated directory traversal allows writing of
    arbitrary files as puppet master
    - debian/patches/CVE-2011-3848.patch: update lib/puppet/indirector.rb,
      lib/puppet/indirector/ssl_file.rb, lib/puppet/indirector/yaml.rb,
      spec/unit/indirector/ssl_file.rb and spec/unit/indirector/yaml.rb to
      perform proper input validation.
    - CVE-2011-3848
    - LP: #861182
 -- Jamie Strandboge <email address hidden>   Wed, 28 Sep 2011 07:55:44 -0500
Superseded in lucid-updates
Superseded in lucid-security
puppet (0.25.4-2ubuntu6.2) lucid-security; urgency=low

  * SECURITY UPDATE: unauthenticated directory traversal allows writing of
    arbitrary files as puppet master (LP: #861182)
    - update lib/puppet/indirector.rb, lib/puppet/indirector/ssl_file.rb,
      lib/puppet/indirector/yaml.rb, spec/unit/indirector/ssl_file.rb and
      spec/unit/indirector/yaml.rb to perform proper input validation.
      Patch from upstream (Daniel Pittman <email address hidden>)
      6e5a821cbf94b220dfc021ff7ebad0831c60e207
    - CVE-2011-3848
    - LP: #861182
 -- Jamie Strandboge <email address hidden>   Wed, 28 Sep 2011 08:30:14 -0500
Superseded in maverick-updates
Superseded in maverick-security
puppet (2.6.1-0ubuntu2.1) maverick-security; urgency=low

  * SECURITY UPDATE: unauthenticated directory traversal allows writing of
    arbitrary files as puppet master
    - debian/patches/CVE-2011-3848.patch: update lib/puppet/indirector.rb,
      lib/puppet/indirector/ssl_file.rb, lib/puppet/indirector/yaml.rb,
      spec/unit/indirector/ssl_file.rb and spec/unit/indirector/yaml.rb to
      perform proper input validation.
    - CVE-2011-3848
    - LP: #861182
 -- Jamie Strandboge <email address hidden>   Wed, 28 Sep 2011 08:28:21 -0500
Superseded in oneiric-release
puppet (2.7.1-1ubuntu1) oneiric; urgency=low

  * Merge from debian unstable.  Remaining changes:
    - debian/puppetmaster-passenger.postinst: Use cacrl instead of hostcrl to
      set the location of the CRL in apache2 configuration. Fix apache2
      configuration on upgrade as well (LP: #641001)
    - move all puppet dependencies to puppet-common since all the code
      is actually located in puppet-common.
    - move libaugeas from a recommend to a dependency.

Superseded in oneiric-release
puppet (2.6.8-1ubuntu1) oneiric; urgency=low

  * Merge from debian unstable.  Remaining changes:
    - debian/puppetmaster-passenger.postinst: Use cacrl instead of hostcrl to
      set the location of the CRL in apache2 configuration. Fix apache2
      configuration on upgrade as well (LP: #641001)
    - move all puppet dependencies to puppet-common since all the code
      is actually located in puppet-common.
    - move libaugeas from a recommend to a dependency.

Superseded in lucid-updates
Deleted in lucid-proposed (Reason: moved to -updates)
puppet (0.25.4-2ubuntu6.1) lucid-proposed; urgency=low

  * Work around a bug in Ruby that causes meaningful error messages to be
    hidden by a ruby error message (cf.
    http://projects.puppetlabs.com/issues/3101). Fixes LP: #700945.
 -- Oliver Brakmann <email address hidden>   Tue, 05 Apr 2011 11:16:02 -0700
Superseded in oneiric-release
Obsolete in natty-release
puppet (2.6.4-2ubuntu2) natty; urgency=low

  * debian/puppetmaster.default
    - fix remains of automated merge (LP: #726856)
 -- Andreas Moog <email address hidden>   Tue, 01 Mar 2011 14:04:06 +0100

Superseded in natty-release
puppet (2.6.4-2ubuntu1) natty; urgency=low

  * Merge from debian unstable.  Remaining changes:
    - debian/puppetmaster-passenger.postinst: Use cacrl instead of hostcrl to
      set the location of the CRL in apache2 configuration. Fix apache2
      configuration on upgrade as well (LP: #641001)
    - move all puppet dependencies to puppet-common since all the code
      is actually located in puppet-common.
    - move libaugeas from a recommend to a dependency.

Superseded in natty-release
puppet (2.6.3-0ubuntu1) natty; urgency=low

  * New upstream version.
 -- Mathias Gug <email address hidden>   Wed, 17 Nov 2010 13:30:18 -0500
Superseded in natty-release
puppet (2.6.3~rc3-0ubuntu1) natty; urgency=low

  * New upstream version
 -- Mathias Gug <email address hidden>   Fri, 12 Nov 2010 09:29:36 -0500
Superseded in natty-release
puppet (2.6.3~rc2-0ubuntu1) natty; urgency=low

  * New upstream version
 -- Mathias Gug <email address hidden>   Tue, 09 Nov 2010 17:47:53 -0500