[Pkg-puppet-devel] Puppet: possible arbitrary file overwriting in lenny

Michael Gilbert michael.s.gilbert at gmail.com
Fri Dec 3 18:07:23 UTC 2010


On Fri, 03 Dec 2010 18:37:09 +0100, Didier Conchaudron wrote:
> Hi,
> 
> It seems that the puppet package in lenny is not patched against
> CVE-2010-0156.
> According to secunia, there is also a local privilege escalation
> (http://secunia.com/advisories/36967/)
> 
> I don't really have the time to investigate and check if the lenny
> version is really vulnerable, but considering the latest entry in
> puppet's Changelog I assume that no change has been made since early 2009.

According to the security tracker [0],[1], these issues are indeed
unfixed.  They are considered no-dsa, which means that they can/should
be fixed in an SPU upload if there is someone interested in doing the
work but won't be fixed via a DSA.

Mike

[0] http://security-tracker.debian.org/tracker/CVE-2009-3564
[1] http://security-tracker.debian.org/tracker/CVE-2010-0156
