-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0381
                          puppet security update
                               13 March 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           puppet
Publisher:         Debian
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Debian GNU/Linux 6
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account      
                   Reduced Security                -- Remote/Unauthenticated
                   Access Confidential Data        -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-2275 CVE-2013-2274 CVE-2013-1655
                   CVE-2013-1654 CVE-2013-1653 CVE-2013-1652
                   CVE-2013-1640  

Original Bulletin: 
   http://www.debian.org/security/2013/dsa-2643

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running puppet check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2643-1                   security@debian.org
http://www.debian.org/security/                         Yves-Alexis Perez
March 12, 2013                         http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : puppet
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-1640 CVE-2013-1652 CVE-2013-1653 CVE-2013-1654
                 CVE-2013-1655 CVE-2013-2274 CVE-2013-2275
Debian Bug     :

Multiple vulnerabilities were discovered in Puppet, a centralized
configuration management system.

CVE-2013-1640

    An authenticated malicious client may request its catalog from the puppet
    master, and cause the puppet master to execute arbitrary code. The puppet
    master must be made to invoke the `template` or `inline_template` functions
    during catalog compilation.

CVE-2013-1652

    An authenticated malicious client may retrieve catalogs from the puppet
    master that it is not authorized to access. Given a valid certificate and
    private key, it is possible to construct an HTTP GET request that will
    return a catalog for an arbitrary client.

CVE-2013-1653

    An authenticated malicious client may execute arbitrary code on Puppet
    agents that accept kick connections. Puppet agents are not vulnerable in
    their default configuration. However, if the Puppet agent is configured to
    listen for incoming connections, e.g. listen = true, and the agent's
    auth.conf allows access to the `run` REST endpoint, then an authenticated
    client can construct an HTTP PUT request to execute arbitrary code on the
    agent. This issue is made worse by the fact that puppet agents typically
    run as root.

CVE-2013-1654

    A bug in Puppet allows SSL connections to be downgraded to SSLv2, which is
    known to contain design flaw weaknesses. This affects SSL connections
    between puppet agents and master, as well as connections that puppet agents
    make to third party servers that accept SSLv2 connections. Note that SSLv2
    is disabled since OpenSSL 1.0.

CVE-2013-1655

    An unauthenticated malicious client may send requests to the puppet master,
    and have the master load code in an unsafe manner. It only affects users
    whose puppet masters are running ruby 1.9.3 and above.

CVE-2013-2274

    An authenticated malicious client may execute arbitrary code on the
    puppet master in its default configuration. Given a valid certificate and
    private key, a client can construct an HTTP PUT request that is authorized
    to save the client's own report, but the request will actually cause the
    puppet master to execute arbitrary code.

CVE-2013-2275

    The default auth.conf allows an authenticated node to submit a report for
    any other node, which is a problem for compliance. It has been made more
    restrictive by default so that a node is only allowed to save its own
    report.
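Three of the issues above (CVE-2013-1652, CVE-2013-1653 and CVE-2013-2275) come down to auth.conf rules that match a whole endpoint and then `allow *`, so any authenticated node may act on behalf of any other. The Python script below is an added example, not part of the Debian advisory or of Puppet itself. It parses two constructed auth.conf samples, one in the pre-fix style and one in the post-fix style where a regex path captures the node name and `allow $1` binds it to the requesting certname, simulates Puppet's first-matching-rule authorization in simplified form (the `environment` and `auth` directives are ignored, every sample client is treated as authenticated, and request paths are given with the environment prefix already stripped), and reports which cross-node requests would be accepted. The stanzas, node names and the `parse_auth_conf`/`authorized`/`audit` helpers are all constructed for this example.

```python
import re

# Constructed sample in the pre-fix style: every authenticated node may fetch
# any catalog and save any report, and an agent's `run` (kick) endpoint is
# open to every authenticated client.
WEAK_AUTH_CONF = """\
# nodes retrieve catalogs
path /catalog
method find
allow *

# nodes store reports
path /report
method save
allow *

# kick endpoint on an agent running with listen = true
path /run
auth any
method save
allow *
"""

# Constructed sample in the post-fix style: the regex captures the node name
# from the URL and `allow $1` restricts the rule to that certname; the kick
# endpoint is limited to a single named host (placeholder name).
HARDENED_AUTH_CONF = """\
path ~ ^/catalog/([^/]+)$
method find
allow $1

path ~ ^/report/([^/]+)$
method save
allow $1

path /run
auth any
method save
allow puppetmaster.example.com
"""


def parse_auth_conf(text):
    """Parse auth.conf stanzas into an ordered list of rule dicts.

    A stanza starts with a `path` line (literal prefix, or `~ regex`) and is
    followed by optional method / auth / allow / deny lines.  Directives this
    audit does not model (allow_ip, environment) are ignored.
    """
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if key == "path":
            if current:
                rules.append(current)
            regex = value.startswith("~")
            current = {
                "path": value[1:].strip() if regex else value,
                "regex": regex,
                "methods": set(),     # empty set means every method
                "auth": "yes",        # Puppet's default for the directive
                "allow": [],
                "deny": [],
            }
        elif current is None:
            raise ValueError("directive before first path line: %r" % raw)
        elif key == "method":
            current["methods"] = {m.strip() for m in value.split(",")}
        elif key == "auth":
            current["auth"] = value
        elif key in ("allow", "deny"):
            current[key].extend(v.strip() for v in value.split(","))
    if current:
        rules.append(current)
    return rules


def _expand(entry, groups):
    """Substitute $1, $2, ... in an allow/deny entry with regex captures."""
    def sub(m):
        i = int(m.group(1)) - 1
        return groups[i] if i < len(groups) else m.group(0)
    return re.sub(r"\$(\d+)", sub, entry)


def authorized(rules, certname, url_path, method):
    """First rule whose path and method match decides; no match means deny."""
    for rule in rules:
        if rule["regex"]:
            m = re.match(rule["path"], url_path)
            if not m:
                continue
            groups = m.groups()
        else:
            if not url_path.startswith(rule["path"]):   # literal = prefix match
                continue
            groups = ()
        if rule["methods"] and method not in rule["methods"]:
            continue
        if certname in (_expand(d, groups) for d in rule["deny"]):
            return False
        for entry in rule["allow"]:
            if entry == "*" or _expand(entry, groups) == certname:
                return True
        return False
    return False


def audit(text):
    """Return (endpoint, description) pairs for cross-node requests accepted."""
    rules = parse_auth_conf(text)
    me, other = "node-a.example.com", "node-b.example.com"   # constructed names
    probes = [
        ("catalog", "/catalog/%s" % other, "find",
         "an authenticated node can fetch another node's catalog"),
        ("report", "/report/%s" % other, "save",
         "an authenticated node can save a report for another node"),
        ("run", "/run/agent.example.com", "save",
         "any authenticated client can trigger the agent kick endpoint"),
    ]
    return [(name, desc) for name, path, method, desc in probes
            if authorized(rules, me, path, method)]


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_AUTH_CONF), ("hardened", HARDENED_AUTH_CONF)):
        print(label, audit(conf) or "no cross-node access")
```

Point the script at a real auth.conf by reading the file into `audit`; a node must still be able to fetch its own catalog and save its own report, which the test below checks for the hardened sample so that tightening the rules does not lock out legitimate agents.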

For the stable distribution (squeeze), these problems have been fixed in
version 2.6.2-5+squeeze7.

For the testing distribution (wheezy), these problems have been fixed in
version 2.7.18-3.

For the unstable distribution (sid), these problems have been fixed in
version 2.7.18-3.

We recommend that you upgrade your puppet packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iQEcBAEBCgAGBQJRP7CzAAoJEG3bU/KmdcClzGIIAI90dF51SNHLGAIImu6vXJd2
4PII5l3AeAyL8f7HQWqVgFYrockwsCazs/vgqPdwfDEAnon2C/I4FvpehJo5hd5y
dFH01a7KYEvgG1okfiuDk+Pe3AEQsJSbBSyhA/Yw4Uix4wk508TWjvUAUMjRnUn5
yO0dB3b3hj4xgESmKtlXbHpjeQaaVOh5emXLuaV5V9mxCCN0fedIqjKxWd4vN4E9
l7hin1DzuxwkwoKeCGDOjKcSShpHAvwspTsUFZMhcU33Mu2an5j0QgPBhiQthJ1r
5uNeOYyYq+DVD0wjO++Lo2KwUayQUOriL+6y1BUvheyc/o+408/jppJ1JLjIWyg=
=Z1A4
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
=kuC7
-----END PGP SIGNATURE-----