Change logs for puppet source package in Precise

  • puppet (2.7.11-1ubuntu2.7) precise-security; urgency=low
    
      * SECURITY REGRESSION: Incorrect default file mode (LP: #1267385)
        - debian/patches/CVE-2013-4969-regression.patch: fix incorrect file
          mode in lib/puppet/type/file.rb, lib/puppet/util.rb,
          spec/unit/type/file_spec.rb.
        - CVE-2013-4969
     -- Marc Deslauriers <email address hidden>   Thu, 09 Jan 2014 07:56:00 -0500
  • puppet (2.7.11-1ubuntu2.6) precise-security; urgency=low
    
      * SECURITY UPDATE: unsafe use of temp files
        - debian/patches/update-replace_file.patch: updated replace_file to
          enable Windows support so security patch applies better.
        - debian/patches/CVE-2013-4969-2.7.x-temp-file.patch: Use replace_file
          to update a file's contents in lib/puppet/type/file.rb,
          lib/puppet/util.rb, updated tests in
          spec/integration/type/file_spec.rb, spec/unit/type/file_spec.rb.
        - CVE-2013-4969
     -- Marc Deslauriers <email address hidden>   Mon, 23 Dec 2013 08:27:21 -0500
  • puppet (2.7.11-1ubuntu2.5) precise-proposed; urgency=low
    
      * debian/patches/2.7.11-remove-process_name-performance.patch:
        Fixes performance regression caused by a thread that loops forever in
        order to change a process name when told so (LP: #995719)
     -- Adam Stokes <email address hidden>   Tue, 24 Sep 2013 14:58:14 -0400
  • puppet (2.7.11-1ubuntu2.4) precise-security; urgency=low
    
      * SECURITY UPDATE: August 2013 privilege escalation and code execution
        vulnerabilities
        - debian/patches/ubuntu-2.7.11-puppet-Aug-2013-CVE-fixes.patch:
          upstream patch to resolve security issues.
        - CVE-2013-4956
        - CVE-2013-4761
     -- Marc Deslauriers <email address hidden>   Wed, 14 Aug 2013 20:30:05 -0400
  • puppet (2.7.11-1ubuntu2.3) precise-security; urgency=low
    
      * SECURITY UPDATE: Remote code execution on master from unauthenticated
        clients
        - debian/patches/2.7.21-Patch-for-CVE-2013-3567.patch: upstream patch
          to use safe_yaml.
        - CVE-2013-3567
     -- Marc Deslauriers <email address hidden>   Fri, 14 Jun 2013 09:06:22 -0400
  • puppet (2.7.11-1ubuntu2.2) precise-security; urgency=low
    
      * SECURITY UPDATE: Multiple security issues
        - debian/patches/security-mar-2013.patch: upstream patch to fix
          multiple security issues.
        - CVE-2013-1640 - Remote code execution on master from authenticated clients
        - CVE-2013-1652 - Insufficient input validation
        - CVE-2013-1653 - Remote code execution
        - CVE-2013-1654 - Protocol downgrade
        - CVE-2013-1655 - Unauthenticated remote code execution risk
        - CVE-2013-2275 - Incorrect default report ACL
     -- Marc Deslauriers <email address hidden>   Mon, 11 Mar 2013 12:32:11 -0400
  • puppet (2.7.11-1ubuntu2.1) precise-security; urgency=low
    
      * SECURITY UPDATE: Multiple July 2012 security issues
        - debian/patches/2.7.17-Puppet-July-2012-CVE-fixes.patch: upstream
          patch to fix multiple security issues.
        - CVE-2012-3864: arbitrary file read on master from authenticated
          clients
        - CVE-2012-3865: arbitrary file delete or denial of service on master
          from authenticated clients
        - CVE-2012-3866: last_run_report.yaml report file is world readable and
          leads to arbitrary file read on master by an agent
        - CVE-2012-3867: insufficient input validation for agent cert hostnames
     -- Marc Deslauriers <email address hidden>   Tue, 10 Jul 2012 07:58:03 -0400
  • puppet (2.7.11-1ubuntu2) precise; urgency=low
    
      * SECURITY UPDATE: Arbitrary file writes via predictable filename usage in
        appdmg and pkgdmg providers (LP: #978708)
        - debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
        - CVE-2012-1906
      * SECURITY UPDATE: Arbitrary file reads via Filebucket REST requests
        - debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
        - CVE-2012-1986
      * SECURITY UPDATE: Denial of service via Filebucket text/marshall support
        - debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
        - CVE-2012-1987
      * SECURITY UPDATE: Arbitrary code execution via Filebucket requests
        - debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
        - CVE-2012-1988
      * SECURITY UPDATE: Arbitrary file writes via predictable telnet output log
        filename
        - debian/patches/CVE-2012-1906_CVE-2012-1986_to_CVE-2012-1989.patch
        - CVE-2012-1989
      * debian/patches/puppet-12844: Re-fetch the patch from upstream since some
        missing pieces cause 'rake spec' to abort immediately
     -- Tyler Hicks <email address hidden>   Wed, 11 Apr 2012 03:55:10 -0500
  • puppet (2.7.11-1ubuntu1) precise; urgency=low
    
      [ Marc Cluet ]
      * debian/patches/puppet-12844: Cherry picked patch from upstream
        2.7.12 to revert new agent lockfile behaviour as it breaks upgrades
        from versions < 2.7.10.  This feature has been pushed out to
        puppet 3.x by upstream.
      * debian/puppetmaster-passenger.postinst (LP: #948983)
        - Fixed rack directory location
        - Added proper enabling of apache2 headers mod
      * debian/puppetmaster-passenger.postinst (LP: #950183)
        - Make sure we error if puppet config print doesn't work
    
      [ James Page ]
      * debian/puppetmaster-passenger.postinst:
        - Ensure upgrades from <= 2.7.11-1 fixup passenger apache
          configuration.
     -- Marc Cluet <email address hidden>   Fri, 16 Mar 2012 15:36:35 +0000
  • puppet (2.7.11-1) unstable; urgency=high
    
    
      * New upstream release
      * Urgency set to high due to regressions in previous release
        and security vulnerabilities
      * Execs when run with a user specified, but no group, get the root
        group. Similarly unexpected privileges are given to providers and
        types (egid remains as root), this is fixed with a patch from
        upstream (CVE-2012-1053)
      * Fix Klogin write through symlink (CVE-2012-1054)
    
     -- Micah Anderson <email address hidden>  Thu, 23 Feb 2012 18:24:48 -0500
  • puppet (2.7.10-1ubuntu1) precise; urgency=low
    
      * Use maintscript support in dh_installdeb rather than writing out
        dpkg-maintscript-helper commands by hand.  We now simply Pre-Depend on a
        new enough version of dpkg rather than using 'dpkg-maintscript-helper
        supports' guards, leading to more predictable behaviour on upgrades.
     -- Colin Watson <email address hidden>   Tue, 14 Feb 2012 11:08:59 +0000
  • puppet (2.7.10-1) unstable; urgency=low
    
    
      * New upstream release
      * Update breaks/replaces for puppetmaster-common (Closes: #656962)
      * Add systemd services for puppet agent and master
    
     -- Stig Sandbeck Mathisen <email address hidden>  Thu, 26 Jan 2012 11:27:00 +0100
  • puppet (2.7.9-1ubuntu2) precise; urgency=low
    
      * Use maintscript support in dh_installdeb rather than writing out
        dpkg-maintscript-helper commands by hand.  We now simply Pre-Depend on a
        new enough version of dpkg rather than using 'dpkg-maintscript-helper
        supports' guards, leading to more predictable behaviour on upgrades.
     -- Colin Watson <email address hidden>   Sun, 12 Feb 2012 15:07:46 +0000
  • puppet (2.7.9-1ubuntu1) precise; urgency=low
    
      * Merge from Debian testing.  Remaining changes:
        + Add 2 patches to fix incompatibility with Augeas 0.10.0:
          - augeas_saved_files
          - augeas_versioncmp
        + Change Maintainer according to policy
    
    puppet (2.7.9-1) unstable; urgency=low
    
      * New upstream release
    
    puppet (2.7.8-1) unstable; urgency=low
    
      * New upstream release
      * Update dependencies for renamed ruby packages
      * puppet-testsuite: Depend on ruby-sqlite3
     -- Chuck Short <email address hidden>   Wed, 21 Dec 2011 07:00:18 +0000
  • puppet (2.7.6-1ubuntu1) precise; urgency=low
    
      * Add 2 patches to fix incompatibility with Augeas 0.10.0:
          - augeas_saved_files
          - augeas_versioncmp
      * Change Maintainer according to policy.
     -- Raphael Pinson <email address hidden>   Tue, 20 Dec 2011 01:19:12 +0100
  • puppet (2.7.6-1) unstable; urgency=high
    
    
      * New upstream release (CVE-2011-3872)
      * Remove cherry-picked "groupadd_aix_warning" patch
      * Install all new manpages
    
     -- Stig Sandbeck Mathisen <email address hidden>  Sat, 22 Oct 2011 14:08:22 +0000
  • puppet (2.7.1-1ubuntu3.2) oneiric-security; urgency=low
    
      * SECURITY UPDATE: puppet master impersonation via incorrect certificates
        - debian/patches/CVE-2011-3872.patch: refactor certificate handling.
        - Thanks to upstream for providing the patch.
        - CVE-2011-3872
     -- Marc Deslauriers <email address hidden>   Mon, 24 Oct 2011 15:05:12 -0400
  • puppet (2.7.1-1ubuntu3) oneiric; urgency=low
    
      * SECURITY UPDATE: k5login can overwrite arbitrary files as root
        - debian/patches/CVE-2011-3869.patch: adjust type/k5login.rb to securely
          open the file before writing to it as root
        - CVE-2011-3869
      * SECURITY UPDATE: didn't drop privileges before creating and changing
        permissions on SSH keys
        - debian/patches/CVE-2011-3870.patch: adjust ssh_authorized_key/parsed.rb
          to drop privileges before creating the ssh directory and setting
          permissions
        - CVE-2011-3870
      * SECURITY UPDATE: fix predictable temporary filename in ralsh
        - debian/patches/CVE-2011-3871.patch: adjust application/resource.rb to
          use an unpredictable filename
        - CVE-2011-3871
      * SECURITY UPDATE: file indirector injection, similar to CVE-2011-3848
        - secure-indirector-file-backed-terminus-base-cla.patch: Since the
          indirector file backed terminus base class is only used by the test
          suite, remove it and update test cases to use a continuing class.
     -- Jamie Strandboge <email address hidden>   Fri, 30 Sep 2011 08:29:40 -0500