[ubuntu/natty-security] puppet 2.6.4-2ubuntu2.3 (Accepted)

Jamie Strandboge jamie at ubuntu.com
Fri Sep 30 23:03:19 UTC 2011


puppet (2.6.4-2ubuntu2.3) natty-security; urgency=low

  * SECURITY UPDATE: k5login can overwrite arbitrary files as root
    - debian/patches/CVE-2011-3869.patch: adjust type/k5login.rb to securely
      open the file before writing to it as root
    - CVE-2011-3869
  * SECURITY UPDATE: didn't drop privileges before creating and changing
    permissions on SSH keys
    - debian/patches/CVE-2011-3870.patch: adjust ssh_authorized_key/parsed.rb
      to drop privileges before creating the ssh directory and setting
      permissions
    - CVE-2011-3870
  * SECURITY UPDATE: fix predictable temporary filename in ralsh
    - debian/patches/CVE-2011-3871.patch: adjust application/resource.rb to
      use an unpredictable filename
    - CVE-2011-3871
  * SECURITY UPDATE: file indirector injection, similar to CVE-2011-3848
    - secure-indirector-file-backed-terminus-base-cla.patch: Since the
      indirector file backed terminus base class is only used by the test
      suite, remove it and update test cases to use a continuing class.

Date: Fri, 30 Sep 2011 08:50:31 -0500
Changed-By: Jamie Strandboge <jamie at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/natty/+source/puppet/2.6.4-2ubuntu2.3
-------------- next part --------------
Format: 1.8
Date: Fri, 30 Sep 2011 08:50:31 -0500
Source: puppet
Binary: puppet-common puppet puppetmaster-common puppetmaster puppetmaster-passenger vim-puppet puppet-el puppet-testsuite
Architecture: source
Version: 2.6.4-2ubuntu2.3
Distribution: natty-security
Urgency: low
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Jamie Strandboge <jamie at ubuntu.com>
Description: 
 puppet     - Centralized configuration management - agent startup and compatib
 puppet-common - Centralized configuration management
 puppet-el  - syntax highlighting for puppet manifests in emacs
 puppet-testsuite - Centralized configuration management - test suite
 puppetmaster - Centralized configuration management - master startup and compati
 puppetmaster-common - Puppet master common scripts
 puppetmaster-passenger - Centralised configuration management - master setup to run under
 vim-puppet - syntax highlighting for puppet manifests in vim
Changes: 
 puppet (2.6.4-2ubuntu2.3) natty-security; urgency=low
 .
   * SECURITY UPDATE: k5login can overwrite arbitrary files as root
     - debian/patches/CVE-2011-3869.patch: adjust type/k5login.rb to securely
       open the file before writing to it as root
     - CVE-2011-3869
   * SECURITY UPDATE: didn't drop privileges before creating and changing
     permissions on SSH keys
     - debian/patches/CVE-2011-3870.patch: adjust ssh_authorized_key/parsed.rb
       to drop privileges before creating the ssh directory and setting
       permissions
     - CVE-2011-3870
   * SECURITY UPDATE: fix predictable temporary filename in ralsh
     - debian/patches/CVE-2011-3871.patch: adjust application/resource.rb to
       use an unpredictable filename
     - CVE-2011-3871
   * SECURITY UPDATE: file indirector injection, similar to CVE-2011-3848
     - secure-indirector-file-backed-terminus-base-cla.patch: Since the
       indirector file backed terminus base class is only used by the test
       suite, remove it and update test cases to use a continuing class.
Checksums-Sha1: 
 cdbc743caa886acfc43d3145c0e2aa13d4a32b2d 2296 puppet_2.6.4-2ubuntu2.3.dsc
 8394c8e55dce4e29a8360cb5c332b7a734c959f7 41267 puppet_2.6.4-2ubuntu2.3.debian.tar.gz
Checksums-Sha256: 
 5b92d7bd1aa12bb073dea5a4555c69500861cb1f90dc9561cb49fa0a3dd0c2fb 2296 puppet_2.6.4-2ubuntu2.3.dsc
 7643b66aea9d84388fe2216e878708b87fe31eecf193ba04304dba0cbfafa463 41267 puppet_2.6.4-2ubuntu2.3.debian.tar.gz
Files: 
 f34d0c6cc184e0bb6c1171ca6432be8e 2296 admin optional puppet_2.6.4-2ubuntu2.3.dsc
 989af13d7390e0e943f7d3817d1b6c69 41267 admin optional puppet_2.6.4-2ubuntu2.3.debian.tar.gz
Original-Maintainer: Puppet Package Maintainers <pkg-puppet-devel at lists.alioth.debian.org>

