[Bug 882507] Re: Sync puppet 2.7.6-1 (main) from Debian sid (main)

Dave Walker davewalker at ubuntu.com
Thu Oct 27 13:07:11 UTC 2011


** Changed in: puppet (Ubuntu)
     Assignee: (unassigned) => Dave Walker (davewalker)

** Changed in: puppet (Ubuntu)
   Importance: Undecided => Wishlist

** Changed in: puppet (Ubuntu)
       Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/882507

Title:
  Sync puppet 2.7.6-1 (main) from Debian sid (main)

Status in “puppet” package in Ubuntu:
  In Progress

Bug description:
  Please sync puppet 2.7.6-1 (main) from Debian sid (main)

  The delta has dropped completely in the last release, this merits a
  direct sync

  Explanation of the Ubuntu delta and why it can be dropped:
    * SECURITY UPDATE: puppet master impersonation via incorrect certificates
      - debian/patches/CVE-2011-3872.patch: refactor certificate handling.
      - Thanks to upstream for providing the patch.
      - CVE-2011-3872
    * SECURITY UPDATE: k5login can overwrite arbitrary files as root
      - debian/patches/CVE-2011-3869.patch: adjust type/k5login.rb to securely
        open the file before writing to it as root
      - CVE-2011-3869
    * SECURITY UPDATE: didn't drop privileges before creating and changing
      permissions on SSH keys
      - debian/patches/CVE-2011-3870.patch: adjust ssh_authorized_key/parsed.rb
        to drop privileges before creating the ssh directory and setting
        permissions
      - CVE-2011-3870
    * SECURITY UPDATE: fix predictable temporary filename in ralsh
      - debian/patches/CVE-2011-3871.patch: adjust application/resource.rb to
        use an unpredictable filename
      - CVE-2011-3871
    * SECURITY UPDATE: file indirector injection, similar to CVE-2011-3848
      - secure-indirector-file-backed-terminus-base-cla.patch: Since the
        indirector file backed terminus base class is only used by the test
        suite, remove it and update test cases to use a continuing class.
    * SECURITY UPDATE: k5login can overwrite arbitrary files as root
      - debian/patches/CVE-2011-3869.patch: adjust type/k5login.rb to securely
        open the file before writing to it as root
      - CVE-2011-3869
    * SECURITY UPDATE: didn't drop privileges before creating and changing
      permissions on SSH keys
      - debian/patches/CVE-2011-3870.patch: adjust ssh_authorized_key/parsed.rb
        to drop privileges before creating the ssh directory and setting
        permissions
      - CVE-2011-3870
    * SECURITY UPDATE: fix predictable temporary filename in ralsh
      - debian/patches/CVE-2011-3871.patch: adjust application/resource.rb to
        use an unpredictable filename
      - CVE-2011-3871
    * SECURITY UPDATE: file indirector injection, similar to CVE-2011-3848
      - secure-indirector-file-backed-terminus-base-cla.patch: Since the
        indirector file backed terminus base class is only used by the test
        suite, remove it and update test cases to use a continuing class.
    * SECURITY UPDATE: unauthenticated directory traversal allows writing of
      arbitrary files as puppet master
      - debian/patches/CVE-2011-3848.patch: update lib/puppet/indirector.rb,
        lib/puppet/indirector/ssl_file.rb, lib/puppet/indirector/yaml.rb,
        spec/unit/indirector/ssl_file.rb and spec/unit/indirector/yaml.rb to
        perform proper input validation.
      - CVE-2011-3848
      - LP: #861182
    * Merge from debian unstable.  Remaining changes:
      - debian/puppetmaster-passenger.postinst: Use cacrl instead of hostcrl to
        set the location of the CRL in apache2 configuration. Fix apache2
        configuration on upgrade as well (LP: #641001)
      - move all puppet dependencies to puppet-common since all the code is
        actually located in puppet-common.
      - move libaugeas from a recommend to a dependency.
    * New upstream version
    * Bump Standards-Version (no changes)
    * Adjust debian/source/options to allow for a VCS-generated patch
    * Tell adduser not to create /var/lib/puppet (Closes: #609896)
    * Use dpkg-statoverride to handle permissions
    * Allow the use of file-rc (Closes: #625638)
    * Use the pkg-ruby-extras watch service
    * Merge from debian unstable.  Remaining changes:
      - debian/puppetmaster-passenger.postinst: Use cacrl instead of hostcrl to
        set the location of the CRL in apache2 configuration. Fix apache2
        configuration on upgrade as well (LP: #641001)
      - move all puppet dependencies to puppet-common since all the code is
        actually located in puppet-common.
      - move libaugeas from a recommend to a dependency.
  >>> ENTER_EXPLANATION_HERE <<<

  Changelog entries since current precise version 2.7.1-1ubuntu3.2:

  puppet (2.7.6-1) unstable; urgency=high

    * New upstream release (CVE-2011-3872)
    * Remove cherry-picked "groupadd_aix_warning" patch
    * Install all new manpages

   -- Stig Sandbeck Mathisen <ssm at debian.org>  Sat, 22 Oct 2011 14:08:22 +0000

  puppet (2.7.5-3) unstable; urgency=low

    * Generate certificate properly for puppetmaster-passenger (Closes: #645073)
    * Init scripts: Remove superfluous arguments for agent and queue daemons
    * Move the etckeeper hooks from puppet to puppet-common

   -- Stig Sandbeck Mathisen <ssm at debian.org>  Wed, 12 Oct 2011 15:43:24 +0200

  puppet (2.7.5-2) unstable; urgency=low

    * Add patch to fix upstream issue #9027 re manages_aix_lam warnings
    * Adjust dependencies. "libstomp-ruby" renamed to "ruby-stomp"

   -- Stig Sandbeck Mathisen <ssm at debian.org>  Thu, 06 Oct 2011 15:24:59 +0200

  puppet (2.7.5-1) unstable; urgency=low

    * New upstream version
    * Remove README.source, the up-to-date information is kept in
      debian/control

   -- Stig Sandbeck Mathisen <ssm at debian.org>  Wed, 05 Oct 2011 16:36:28 +0200

  puppet (2.7.3-3) unstable; urgency=high

    [Micah Anderson]
    * Fix SSH authorized keys symlink attack (CVE-2011-3870)
    * Fix K5login content attack (CVE-2011-3869)
    * Fix predictable temporary file using RAL (CVE-2011-3871)
    * Fix file indirector injection

    [Stig Sandbeck Mathisen]
    * Update package conflicts for puppet-el and vim-puppet (Closes: #643657)
    
   -- Micah Anderson <micah at debian.org>  Fri, 30 Sep 2011 21:08:55 -0400

  puppet (2.7.3-2) unstable; urgency=high

    * Resist directory traversal attacks (CVE-2011-3848)

   -- Micah Anderson <micah at debian.org>  Wed, 28 Sep 2011 11:00:12 -0400

  puppet (2.7.3-1) unstable; urgency=low

    * New upstream version

   -- Stig Sandbeck Mathisen <ssm at debian.org>  Tue, 16 Aug 2011 08:38:28 +0200

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/puppet/+bug/882507/+subscriptions
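The CVE-2011-3848 entry in the delta above says the file-backed indirector termini (ssl_file.rb, yaml.rb) were changed to "perform proper input validation" so that a client-supplied key can no longer write outside the store's directory. The following is an added illustration, not Puppet's code and not the contents of the Debian or upstream patch: it shows the two layers of check a file-backed store in Ruby needs, a syntactic reject of traversal in the key and a final containment check on the resolved path. The module name SafeTerminus, its method names and the /var/lib/puppet/yaml base directory in the usage call are assumptions chosen for the example.

```ruby
# Added example (not Puppet's own code): defensive mapping of a client-supplied
# key to a file inside a fixed storage directory, of the kind a file-backed
# indirector terminus needs. Names and paths here are assumptions.
module SafeTerminus
  class BadKey < ArgumentError; end

  # Layer 1: reject the key itself before the filesystem is touched.
  # Keys are names such as "node.example.com"; subdirectories are tolerated,
  # but "..", empty components, absolute paths and control characters are not.
  def self.validate_key(key)
    raise BadKey, "empty key" if key.nil? || key.empty?
    raise BadKey, "absolute key: #{key.inspect}" if key.start_with?("/")
    parts = key.split("/", -1)
    if parts.any? { |p| p == ".." || p == "." || p.empty? }
      raise BadKey, "traversal in key: #{key.inspect}"
    end
    raise BadKey, "control characters in key" if key =~ /[\x00-\x1f]/
    key
  end

  # Layer 2: map the key under base_dir, normalise the result lexically
  # (File.expand_path removes "." and ".." but does not follow symlinks) and
  # refuse anything that is not strictly inside base_dir. This second check
  # is the one that holds even if the key validation above is ever loosened.
  def self.path_for(base_dir, key, ext = ".yaml")
    validate_key(key)
    base = File.expand_path(base_dir)
    path = File.expand_path(File.join(base, key + ext))
    unless path.start_with?(base + File::SEPARATOR)
      raise BadKey, "key #{key.inspect} resolves outside #{base}"
    end
    path
  end

  # Convenience predicate for callers that only need a yes/no answer.
  def self.safe_key?(key)
    validate_key(key)
    true
  rescue BadKey
    false
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample keys: one legitimate node name, two traversal attempts.
  ["node.example.com", "../../etc/passwd", "/etc/passwd"].each do |k|
    begin
      puts "#{k.inspect} -> #{SafeTerminus.path_for('/var/lib/puppet/yaml', k)}"
    rescue SafeTerminus::BadKey => e
      puts "#{k.inspect} rejected: #{e.message}"
    end
  end
end
```

The point of keeping both layers is that the containment check on the expanded path catches mistakes in the key grammar (a later change that allows a new separator, for instance), while the key check gives the client a precise error and keeps hostile names out of log lines and file listings.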
