[Pkg-puppet-devel] CVE-2012-3408 Puppet allows agents with certnames of IP addresses to be impersonated
Sven Mueller
sven at incase.de
Tue Jul 17 12:36:33 UTC 2012
On 07/16/2012 12:51 PM, Henri Salo wrote:
> On Thu, Jul 12, 2012 at 10:59:08AM +0200, Stig Sandbeck Mathisen wrote:
>> Henri Salo <henri at nerv.fi> writes:
>>
>>> There is security vulnerability in Puppet. Could you tell me if Puppet
>>> packages in Debian are vulnerable or not? I can create bug-report of
>>> this if needed. I already added this to Debian security tracker.
>>>
>>> CVE-2012-3408
>>> http://puppetlabs.com/security/cve/cve-2012-3408/
>> That issue is fixed in the 2.7.18-1 upload to unstable and in
>> 2.6.2-5+squeeze6 upload to stable-security, along with CVE-2012-3864,
>> CVE-2012-3865, CVE-2012-3866 and CVE-2012-3867 which those uploads
>> mention.
>>
>> --
>> Stig Sandbeck Mathisen <ssm at debian.org>
> Could you tell me in which patch CVE-2012-3408 was fixed exactly and how? I would like to verify this issue as I see this as critical security vulnerability.
>
According to the upstream announcements, this was "fixed" with a
deprecation warning. Upstream sees this as a low risk vulnerability and
also regarded IP based certificates as having always been discouraged. I
didn't check the source to verify this. Stig might know more.
Regards,
Sven
More information about the Pkg-puppet-devel
mailing list