Date: Fri, 16 Aug 2013 17:54:42 +0000 (UTC)
From: Brad Davis <brd@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r324808 - in head: security/vuxml sysutils/puppet
Message-ID: <201308161754.r7GHsgSv086440@svn.freebsd.org>
Author: brd (doc committer)
Date: Fri Aug 16 17:54:41 2013
New Revision: 324808
URL: http://svnweb.freebsd.org/changeset/ports/324808

Log:
  - Update puppet to 3.2.4 which fixes CVE-2013-4761 and CVE-2013-4956

  Approved by: swills@
  Security: 2b2f6092-0694-11e3-9e8e-000c29f6ae42

Modified:
  head/security/vuxml/vuln.xml
  head/sysutils/puppet/Makefile
  head/sysutils/puppet/distinfo

Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Fri Aug 16 17:14:16 2013 (r324807) +++ head/security/vuxml/vuln.xml Fri Aug 16 17:54:41 2013 (r324808) 
@@ -51,6 +51,43 @@ Note: Please add new entries to the beg --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="2b2f6092-0694-11e3-9e8e-000c29f6ae42"> + <topic>puppet -- multiple vulnerabilities</topic> + <affects> + <package> + <name>puppet</name> + <range><ge>2.7</ge><lt>2.7.23</lt></range> + <range><ge>3.0</ge><lt>3.2.4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Puppet Labs reports:</p> + <blockquote cite="http://puppetlabs.com/security/cve/cve-2013-4761/"> + <p>By using the `resource_type` service, an attacker could + cause puppet to load arbitrary Ruby files from the puppet + master node's file system. While this behavior is not + enabled by default, `auth.conf` settings could be modified + to allow it. The exploit requires local file system access + to the Puppet Master.</p> + <p>Puppet Module Tool (PMT) did not correctly control + permissions of modules it installed, instead transferring + permissions that existed when the module was built.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2013-4761</cvename> + <cvename>CVE-2013-4956</cvename> + <url>http://puppetlabs.com/security/cve/cve-2013-4761/</url> + <url>http://puppetlabs.com/security/cve/cve-2013-4956/</url> + </references> + <dates> + <discovery>2013-07-05</discovery> + <entry>2013-08-16</entry> + </dates> + </vuln> + <vuln vid="9a0a892e-05d8-11e3-ba09-000c29784fd1"> <topic>lcms2 -- Null Pointer Dereference Denial of Service Vulnerability</topic> <affects> Modified: head/sysutils/puppet/Makefile ============================================================================== --- head/sysutils/puppet/Makefile Fri Aug 16 17:14:16 2013 (r324807) +++ head/sysutils/puppet/Makefile Fri Aug 16 17:54:41 2013 (r324808) 
@@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= puppet -PORTVERSION= 3.2.3 +PORTVERSION= 3.2.4 CATEGORIES= sysutils MASTER_SITES= http://downloads.puppetlabs.com/puppet/ Modified: head/sysutils/puppet/distinfo ============================================================================== --- head/sysutils/puppet/distinfo Fri Aug 16 17:14:16 2013 (r324807) +++ head/sysutils/puppet/distinfo Fri Aug 16 17:54:41 2013 (r324808) @@ -1,2 +1,2 @@ -SHA256 (puppet-3.2.3.tar.gz) = 6a19927d6126b9f6f40e94997c0896a618da8983178ca0e30264122b70edf819 -SIZE (puppet-3.2.3.tar.gz) = 1782059 +SHA256 (puppet-3.2.4.tar.gz) = 8b38f4adee6237b8dd7b1956d90af97f2d0091245d6e30b708bbc8e333001358 +SIZE (puppet-3.2.4.tar.gz) = 1786216
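Review bot: In the vuln.xml hunk, the single `<blockquote cite="http://puppetlabs.com/security/cve/cve-2013-4761/">` wraps both quoted paragraphs, but the second paragraph (Puppet Module Tool transferring build-time permissions) describes CVE-2013-4956, so that text is attributed to the wrong advisory URL. The entry already lists http://puppetlabs.com/security/cve/cve-2013-4956/ under `<references>`; split the quote into two blockquotes, each with its own `cite`. Separately, the `<ge>2.7</ge><lt>2.7.23</lt>` range is matched only against `<name>puppet</name>`, while this commit updates only sysutils/puppet to 3.2.4; if the 2.7 branch is packaged under a different name, add that name to `<package>` so the entry matches it.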
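Review bot: In the distinfo hunk, the new SHA256 for puppet-3.2.4.tar.gz is the only integrity check on a tarball that the Makefile context shows being fetched over plain HTTP (`MASTER_SITES= http://downloads.puppetlabs.com/puppet/`), and the commit log does not say how the value was obtained. For a security update, note in the log that the checksum was compared against a checksum or signature published by upstream, rather than generated solely from the file as downloaded.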