[Pkg-puppet-devel] Bug#712745: Bug#712745: Bug#712745: puppet: CVE-2013-3567

Raphael Geissert geissert at debian.org
Tue Aug 20 10:18:00 UTC 2013


Hi Chris,

On 20 August 2013 11:22, Chris Boot <crb at tiger-computing.co.uk> wrote:
> The issue was causing reports from squeeze machines (running
> 2.6.2-5+squeeze6/7/8) to be misparsed by the security-patched wheezy
> version of Puppet, causing invalid reports to be stored to disk and sent
> to Dashboard. Applying CVE-2013-3567.fixup-for-v3.patch on our Puppet
> master causes valid reports to be stored on disk and sent to Dashboard
> with no changes to the slave nodes.

Er, that's a weird combination of versions, but in any case with the
patch you sent you are downgrading puppet 2.7's report format from
version 2 (3 actually) to version 1.

I personally don't think this has anything to do with the security
update and I'd rather look into the consumer of the reports (puppet
dashboard in this case). Temporarily downgrading to the version prior
to the DSA could allow you to confirm whether this is in fact a
regression.

-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net


