[Pkg-puppet-devel] Puppet: possible arbitrary file overwriting in lenny
Michael Gilbert
michael.s.gilbert at gmail.com
Fri Dec 3 18:07:23 UTC 2010
On Fri, 03 Dec 2010 18:37:09 +0100, Didier Conchaudron wrote:
> Hi,
>
> It seems like the puppet package in lenny is not patched against
> CVE-2010-0156.
> According to secunia, there is also a local privilege escalation
> (http://secunia.com/advisories/36967/)
>
> I don't really have the time to investigate and check if lenny version is
> really vulnerable but considering the latest entry in puppet's Changelog
> I assume that no change has been done since early 2009.
According to the security tracker [0],[1], these issues are indeed
unfixed. They are considered no-dsa, which means that they can/should
be fixed in an SPU upload if there is someone interested in doing the
work but won't be fixed via a DSA.
Mike
[0] http://security-tracker.debian.org/tracker/CVE-2009-3564
[1] http://security-tracker.debian.org/tracker/CVE-2010-0156