[Pkg-puppet-devel] SECURITY: Authorization vulnerability in Puppet 2.6.x

Nigel Kersten nigel at explanatorygap.net
Thu Dec 2 17:47:14 UTC 2010


On Thu, Dec 2, 2010 at 7:36 AM, micah anderson <micah at riseup.net> wrote:
>
> On Wed, 1 Dec 2010 13:06:16 -0800, Nigel Kersten <nigel at explanatorygap.net> wrote:
>> (Note the scope of this is not as bad on Debian as on some of our
>> other platforms)
>
> Indeed, I've tried this on my systems, and so far haven't been able to
> reproduce the vulnerability.

Remove auth.conf and you can. I've absolutely reproduced it on Squeeze
with 2.6.3 packages.

>
>> I'm still dealing with the fallout upstream, but can get the merge done tonight.
>
> Does this mean you are going to merge the fix into the Debian
> repository? Do you have an isolated fix that we can merge into the
> Squeeze targeted release (the squeeze-2.6.2 branch in the repository)?

Yes. I'm going to merge that now. I've been away too long and have
forgotten what all our branches are for :(


