[Pkg-puppet-devel] (forw) [Secure-testing-team] Bug#551073: CVE-2009-3564: does not reset supplementary groups when it switches to a different user

Micah Anderson micah at riseup.net
Thu Oct 15 20:45:58 UTC 2009 

A CVE was obtained for this puppet issue, does anyone know if this issue
could be backported to stable for a point release update?

micah


----- Forwarded message from Giuseppe Iuculano <iuculano at debian.org> -----

Sender: secure-testing-team-bounces+micah=debian.org at lists.alioth.debian.org
From: Giuseppe Iuculano <iuculano at debian.org>
Reply-To: Giuseppe Iuculano <iuculano at debian.org>, 551073 at bugs.debian.org
Subject: [Secure-testing-team] Bug#551073: CVE-2009-3564: does not reset
	supplementary groups when it switches to a different user
Date: Thu, 15 Oct 2009 14:46:35 +0200
To: Debian Bug Tracking System <submit at bugs.debian.org>
Resent-From: Giuseppe Iuculano <iuculano at debian.org>
Resent-To: debian-bugs-dist at lists.debian.org
Resent-CC: team at security.debian.org,
	secure-testing-team at lists.alioth.debian.org,
	Puppet Package Maintainers <pkg-puppet-devel at lists.alioth.debian.org>
Resent-Date: Thu, 15 Oct 2009 13:12:02 +0000
Resent-Message-ID: <handler.551073.B.12556108028185 at bugs.debian.org>
Resent-Sender: Debian BTS <debbugs at rietz.debian.org>
Resent-Date: Thu, 15 Oct 2009 13:12:05 +0000

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for puppet.

CVE-2009-3564[0]:
| puppetmasterd in puppet 0.24.6 does not reset supplementary groups
| when it switches to a different user, which might allow local users to
| access restricted files.

Unfortunately the vulnerability described above is not important enough
to get it fixed via regular security update in Debian stable and oldstable. It
does not warrant a DSA.

However it would be nice if this could get fixed via a regular point update[1].
Please contact the release team for this.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3564
    http://security-tracker.debian.net/tracker/CVE-2009-3564
[1] http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable

Cheers,
Giuseppe


----- End forwarded message -----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-puppet-devel/attachments/20091015/2fe755c9/attachment.pgp>

More information about the Pkg-puppet-devel mailing list