“puppet” 2.7.1-1ubuntu3 source package in The Oneiric Ocelot

Publishing history

PUBLISHED: Oneiric pocket Release in component main and section admin
  • Published on 2011-10-01



puppet (2.7.1-1ubuntu3) oneiric; urgency=low

  * SECURITY UPDATE: k5login can overwrite arbitrary files as root
    - debian/patches/CVE-2011-3869.patch: adjust type/k5login.rb to securely
      open the file before writing to it as root
    - CVE-2011-3869
  * SECURITY UPDATE: didn't drop privileges before creating and changing
    permissions on SSH keys
    - debian/patches/CVE-2011-3870.patch: adjust ssh_authorized_key/parsed.rb
      to drop privileges before creating the ssh directory and setting
    - CVE-2011-3870
  * SECURITY UPDATE: fix predictable temporary filename in ralsh
    - debian/patches/CVE-2011-3871.patch: adjust application/resource.rb to
      use an unpredictable filename
    - CVE-2011-3871
  * SECURITY UPDATE: file indirector injection, similar to CVE-2011-3848
    - secure-indirector-file-backed-terminus-base-cla.patch: Since the
      indirector file backed terminus base class is only used by the test
      suite, remove it and update test cases to use a continuing class.
 -- Jamie Strandboge <email address hidden>   Fri, 30 Sep 2011 08:29:40 -0500