-
puppet (2.7.1-1ubuntu3.6~natty1) natty-backports; urgency=low
* Automated backport upload; no source changes.
puppet (2.7.1-1ubuntu3.6) oneiric-security; urgency=low
* SECURITY UPDATE: Arbitrary file writes via predictable filename usage in
appdmg and pkgdmg providers
- debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
- CVE-2012-1906
* SECURITY UPDATE: Arbitrary file reads via Filebucket REST requests
- debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
- CVE-2012-1986
* SECURITY UPDATE: Denial of service via Filebucket text/marshall support
- debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
- CVE-2012-1987
* SECURITY UPDATE: Arbitrary code execution via Filebucket requests
- debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
- CVE-2012-1988
* SECURITY UPDATE: Arbitrary file writes via predictable telnet output log
filename
- debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
- CVE-2012-1989
* debian/patches/fix-unpredictable-hash-ordering-tests.patch: Fix testsuite
failures caused by hash randomization in Ruby
-- Micah Gersten <email address hidden> Wed, 11 Apr 2012 21:08:54 +0000
-
puppet (2.7.1-1ubuntu3.5~natty1) natty-backports; urgency=low
* Automated backport upload; no source changes.
puppet (2.7.1-1ubuntu3.5) oneiric-security; urgency=low
* SECURITY UPDATE: correctly drop group privileges
- debian/patches/CVE-2012-1053_CVE-2012-1054.patch
- CVE-2012-1053
* SECURITY UPDATE: properly handle symlinks with Klogin
- debian/patches/CVE-2012-1053_CVE-2012-1054.patch
- CVE-2012-1054
puppet (2.7.1-1ubuntu3.4) oneiric-security; urgency=low
* SECURITY UPDATE: fix access to remote resource when auth.conf is
missing which was reintroduced in 2.7.1-1ubuntu1.
- debian/patches/debian-changes: Pull out change that re-enabled
remote ralsh by default. It should be disabled.
- CVE-2011-0528
* debian/patches/fix-orderdependent-certificate-tests.patch: fix CA
certificate testsuite failures.
-- Micah Gersten <email address hidden> Fri, 09 Mar 2012 17:33:23 +0000
-
puppet (2.7.1-1ubuntu3.2~natty1) natty-backports; urgency=low
* Automated backport upload; no source changes.
puppet (2.7.1-1ubuntu3.2) oneiric-security; urgency=low
* SECURITY UPDATE: puppet master impersonation via incorrect certificates
- debian/patches/CVE-2011-3872.patch: refactor certificate handling.
- Thanks to upstream for providing the patch.
- CVE-2011-3872
puppet (2.7.1-1ubuntu3) oneiric; urgency=low
* SECURITY UPDATE: k5login can overwrite arbitrary files as root
- debian/patches/CVE-2011-3869.patch: adjust type/k5login.rb to securely
open the file before writing to it as root
- CVE-2011-3869
* SECURITY UPDATE: didn't drop privileges before creating and changing
permissions on SSH keys
- debian/patches/CVE-2011-3870.patch: adjust ssh_authorized_key/parsed.rb
to drop privileges before creating the ssh directory and setting
permissions
- CVE-2011-3870
* SECURITY UPDATE: fix predictable temporary filename in ralsh
- debian/patches/CVE-2011-3871.patch: adjust application/resource.rb to
use an unpredictable filename
- CVE-2011-3871
* SECURITY UPDATE: file indirector injection, similar to CVE-2011-3848
- secure-indirector-file-backed-terminus-base-cla.patch: Since the
indirector file backed terminus base class is only used by the test
suite, remove it and update test cases to use a continuing class.
puppet (2.7.1-1ubuntu2) oneiric; urgency=low
* SECURITY UPDATE: unauthenticated directory traversal allows writing of
arbitrary files as puppet master
- debian/patches/CVE-2011-3848.patch: update lib/puppet/indirector.rb,
lib/puppet/indirector/ssl_file.rb, lib/puppet/indirector/yaml.rb,
spec/unit/indirector/ssl_file.rb and spec/unit/indirector/yaml.rb to
perform proper input validation.
- CVE-2011-3848
- LP: #861182
puppet (2.7.1-1ubuntu1) oneiric; urgency=low
* Merge from debian unstable. Remaining changes:
- debian/puppetmaster-passenger.postinst: Use cacrl instead of hostcrl to
set the location of the CRL in apache2 configuration. Fix apache2
configuration on upgrade as well (LP: #641001)
- move all puppet dependencies to puppet-common since all the code is
actually located in puppet-common.
- move libaugeas from a recommend to a dependency.
puppet (2.7.1-1) UNRELEASED; urgency=low
* New upstream version
* Bump Standards-Version (no changes)
* Adjust debian/source/options to allow for a VCS-generated patch
* Tell adduser not to create /var/lib/puppet (Closes: #609896)
* Use dpkg-statoverride to handle permissions
* Allow the use of file-rc (Closes: #625638)
* Use the pkg-ruby-extras watch service
puppet (2.6.8-1ubuntu1) oneiric; urgency=low
* Merge from debian unstable. Remaining changes:
- debian/puppetmaster-passenger.postinst: Use cacrl instead of hostcrl to
set the location of the CRL in apache2 configuration. Fix apache2
configuration on upgrade as well (LP: #641001)
- move all puppet dependencies to puppet-common since all the code is
actually located in puppet-common.
- move libaugeas from a recommend to a dependency.
puppet (2.6.8-1) unstable; urgency=low
* New upstream version
puppet (2.6.7-2) unstable; urgency=medium
* Fix puppetmaster-passenger.postinst to get proper
ssl configs (Closes: #620635)
* Fix maintainer scripts ignoring errors
puppet (2.6.7-1) unstable; urgency=low
* New upstream version
puppet (2.6.6-1) unstable; urgency=low
* New upstream release 2.6.6
puppet (2.6.6~rc1-1) experimental; urgency=low
* New upstream release candidate
puppet (2.6.5-1) unstable; urgency=low
* New upstream version (Closes: #612894)
* Remove renamed configuration files now handled by other packages (Closes: #564947, #611615)
-- Micah Gersten <email address hidden> Mon, 23 Jan 2012 12:08:53 +0000
-
puppet (2.6.4-2ubuntu2.10) natty-security; urgency=low
* SECURITY UPDATE: multiple July 2012 security issues
- debian/patches/2.6.4-Puppet-July-2012-CVE-fixes.patch: fix multiple
security issues. Patch from upstream, with an additional fix to
lib/puppet/reports/store.rb.
- CVE-2012-3864: arbitrary file read on master from authenticated
clients
- CVE-2012-3865: arbitrary file delete or denial of service on master
from authenticated clients
- CVE-2012-3867: insufficient input validation for agent cert hostnames
-- Marc Deslauriers <email address hidden> Tue, 10 Jul 2012 08:24:35 -0400
-
puppet (2.6.4-2ubuntu2.9) natty-security; urgency=low
* SECURITY UPDATE: Arbitrary file writes via predictable filename usage in
appdmg and pkgdmg providers
- debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
- CVE-2012-1906
* SECURITY UPDATE: Arbitrary file reads via Filebucket REST requests
- debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
- CVE-2012-1986
* SECURITY UPDATE: Denial of service via Filebucket text/marshall support
- debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
- CVE-2012-1987
* SECURITY UPDATE: Arbitrary code execution via Filebucket requests
- debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
- CVE-2012-1988
* debian/patches/fix-unpredictable-hash-ordering-tests.patch: Fix testsuite
failures caused by hash randomization in Ruby
-- Tyler Hicks <email address hidden> Tue, 10 Apr 2012 11:47:14 -0500
-
puppet (2.6.4-2ubuntu2.8) natty-security; urgency=low
* SECURITY UPDATE: correctly drop group privileges
- debian/patches/CVE-2012-1053_CVE-2012-1054.patch
- CVE-2012-1053
* SECURITY UPDATE: properly handle symlinks with Klogin
- debian/patches/CVE-2012-1053_CVE-2012-1054.patch
- CVE-2012-1054
-- Jamie Strandboge <email address hidden> Thu, 16 Feb 2012 13:15:07 -0600
-
puppet (2.6.4-2ubuntu2.7) natty-security; urgency=low
* SECURITY UPDATE: fix access to remote resource when auth.conf is
missing which was reintroduced in 2.6.4-2ubuntu1.
- debian/patches/CVE-2011-0528.patch: Disable remote ralsh by default
- CVE-2011-0528
-- Jamie Strandboge <email address hidden> Fri, 10 Feb 2012 05:58:07 -0600
-
puppet (2.6.4-2ubuntu2.6) natty-security; urgency=low
* REGRESSION FIX (LP: #881361)
- debian/patches/CVE-2011-3872.patch: updated to fix regression with
"puppetca" command.
-- Marc Deslauriers <email address hidden> Tue, 25 Oct 2011 13:16:29 -0400
-
puppet (2.6.4-2ubuntu2.5) natty-security; urgency=low
* SECURITY UPDATE: puppet master impersonation via incorrect certificates
- debian/patches/CVE-2011-3872.patch: refactor certificate handling.
- Thanks to upstream for providing the patch.
- CVE-2011-3872
-- Marc Deslauriers <email address hidden> Mon, 24 Oct 2011 15:06:51 -0400
-
puppet (2.6.4-2ubuntu2.3) natty-security; urgency=low
* SECURITY UPDATE: k5login can overwrite arbitrary files as root
- debian/patches/CVE-2011-3869.patch: adjust type/k5login.rb to securely
open the file before writing to it as root
- CVE-2011-3869
* SECURITY UPDATE: didn't drop privileges before creating and changing
permissions on SSH keys
- debian/patches/CVE-2011-3870.patch: adjust ssh_authorized_key/parsed.rb
to drop privileges before creating the ssh directory and setting
permissions
- CVE-2011-3870
* SECURITY UPDATE: fix predictable temporary filename in ralsh
- debian/patches/CVE-2011-3871.patch: adjust application/resource.rb to
use an unpredictable filename
- CVE-2011-3871
* SECURITY UPDATE: file indirector injection, similar to CVE-2011-3848
- secure-indirector-file-backed-terminus-base-cla.patch: Since the
indirector file backed terminus base class is only used by the test
suite, remove it and update test cases to use a continuing class.
-- Jamie Strandboge <email address hidden> Fri, 30 Sep 2011 08:50:31 -0500
-
puppet (2.6.4-2ubuntu2.2) natty-security; urgency=low
* SECURITY UPDATE: unauthenticated directory traversal allows writing of
arbitrary files as puppet master
- debian/patches/CVE-2011-3848.patch: update lib/puppet/indirector.rb,
lib/puppet/indirector/ssl_file.rb, lib/puppet/indirector/yaml.rb,
spec/unit/indirector/ssl_file.rb and spec/unit/indirector/yaml.rb to
perform proper input validation.
- CVE-2011-3848
- LP: #861182
* debian/patches/fix-rake-spec-missing-require.patch: allow 'rake spec'
to run again
-- Jamie Strandboge <email address hidden> Wed, 28 Sep 2011 08:26:38 -0500
-
puppet (2.6.4-2ubuntu2) natty; urgency=low
* debian/puppetmaster.default
- fix remains of automated merge (LP: #726856)
-- Andreas Moog <email address hidden> Tue, 01 Mar 2011 14:04:06 +0100
-
puppet (2.6.4-2ubuntu1) natty; urgency=low
* Merge from debian unstable. Remaining changes:
- debian/puppetmaster-passenger.postinst: Use cacrl instead of hostcrl to
set the location of the CRL in apache2 configuration. Fix apache2
configuration on upgrade as well (LP: #641001)
- move all puppet dependencies to puppet-common since all the code is
actually located in puppet-common.
- move libaugeas from a recommend to a dependency.
puppet (2.6.4-2) unstable; urgency=low
* Release for unstable
* Move puppetstoredconfigclean to puppetmaster-common, and set ruby1.8
as parser to match the rest of the puppet suite
puppet (2.6.4-1) experimental; urgency=low
[ Micah Anderson ]
* Make puppetqd honor flags from /etc/default/puppetqd (Closes: #605510)
* Remove the puppetqd PID file on stop (Closes: #605512)
* Add ext/puppetstoredconfigclean to puppetmaster:/usr/sbin
* Patch ext/logcheck/puppet to handle new puppet-master
Compiled log lines (Closes: #602336)
* Fix puppetqd initscript PID location
* Fix /etc/default/puppetmaster comments to match new section headings
* Fix puppetmaster/README.Debian to match new section headings
* Fix Should-Start init header in puppet initscript
[ Mathias Gug ]
* New upstream version.
[ Stig Sandbeck Mathisen ]
* debian/puppetmaster.logrotate: send SIGUSR2 on log rotation (Closes:
#602698)
* puppet-common: Add versioned dependency on sysv-rc
[ martin f krafft ]
* Use update-rc.d enable/disable in the "debian" provider in the
"service" type (Closes: #573551)
puppet (2.6.3-1) experimental; urgency=low
[ Mathias Gug ]
* New upstream version.
[ Stig Sandbeck Mathisen ]
* debian/control: Adjust dependencies for puppet-testsuite, depend on
puppet-common instead of puppet and puppetmaster
-- Chuck Short <email address hidden> Tue, 08 Feb 2011 00:28:43 +0000
-
puppet (2.6.3-0ubuntu1) natty; urgency=low
* New upstream version.
-- Mathias Gug <email address hidden> Wed, 17 Nov 2010 13:30:18 -0500
-
puppet (2.6.3~rc3-0ubuntu1) natty; urgency=low
* New upstream version
-- Mathias Gug <email address hidden> Fri, 12 Nov 2010 09:29:36 -0500
-
puppet (2.6.3~rc2-0ubuntu1) natty; urgency=low
* New upstream version
-- Mathias Gug <email address hidden> Tue, 09 Nov 2010 17:47:53 -0500
-
puppet (2.6.3~rc1-0ubuntu1) natty; urgency=low
* New upstream version
* debian/control:
- move all puppet dependencies to puppet-common since all the code is
actually located in puppet-common.
- move libaugeas from a recommend to a dependency.
-- Mathias Gug <email address hidden> Thu, 21 Oct 2010 12:52:13 -0400
-
puppet (2.6.1-0ubuntu2) maverick; urgency=low
* debian/puppetmaster-passenger.postinst: Use cacrl instead of hostcrl to
set the location of the CRL in apache2 configuration. Fix apache2
configuration on upgrade as well (LP: #641001).
-- Mathias Gug <email address hidden> Tue, 21 Sep 2010 13:53:10 -0400