[Git][security-tracker-team/security-tracker][master] dla: drop puppet
Sylvain Beucler (@beuc)
beuc at debian.org
Mon Dec 6 17:47:21 GMT 2021
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
3239b059 by Sylvain Beucler at 2021-12-06T18:47:00+01:00
dla: drop puppet
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -46566,6 +46566,7 @@ CVE-2021-27025 (A flaw was discovered in Puppet Agent where the agent may silent
- puppet <unfixed>
[bullseye] - puppet <ignored> (Minor issue, too intrusive to backport)
[buster] - puppet <ignored> (Minor issue, too intrusive to backport)
+ [stretch] - puppet <ignored> (Minor issue, too intrusive to backport)
NOTE: https://puppet.com/security/cve/cve-2021-27025
NOTE: https://github.com/puppetlabs/puppet/commit/da8b73edca174309a9bef5f62cd276933fe733e8 (6.25.1)
NOTE: Limited impact, needs a malformed custom type provider
@@ -46575,12 +46576,14 @@ CVE-2021-27023 (A flaw was discovered in Puppet Agent and Puppet Server that may
- puppet <unfixed>
[bullseye] - puppet <ignored> (Minor issue)
[buster] - puppet <ignored> (Minor issue)
+ [stretch] - puppet <ignored> (Minor issue)
NOTE: https://puppet.com/security/cve/cve-2021-27023
NOTE: https://github.com/puppetlabs/puppet/commit/e90023a8b54a58073d71dae655d7636e2c9bcc61 (6.25.1)
NOTE: Marginal/unclear security implications, the redirects are fully under control of
NOTE: the puppet masters and the advisory states this CVE would be similar to CVE-2018-1000007,
NOTE: but CVE is for curl, which obviously has different scope being a library. Plus, all
NOTE: reasonably secure installations use client auth on the agents
+ NOTE: Previous client code in lib/puppet/network/http/connection.rb also vulnerable
CVE-2021-27022 (A flaw was discovered in bolt-server and ace where running a task with ...)
- puppet <not-affected> (Only affects Puppet Enterprise)
NOTE: https://puppet.com/security/cve/CVE-2021-27022/
=====================================
data/dla-needed.txt
=====================================
@@ -67,9 +67,6 @@ nvidia-graphics-drivers (Markus Koschany)
pgbouncer (Thorsten Alteholz)
NOTE: 20211128: also help with other releases
--
-puppet (Sylvain Beucler)
- NOTE: please recheck whether really affected
---
rustc (Roberto C. Sánchez)
NOTE: rust-doc in stretch-lts (and jessie-lts) is not installable
NOTE: https://bugs.debian.org/928422
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3239b05986b64e508c02ffc7793f3f38cb8fe919
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3239b05986b64e508c02ffc7793f3f38cb8fe919
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20211206/a488edb8/attachment.htm>
More information about the debian-security-tracker-commits
mailing list