[Pkg-puppet-devel] Bug#890440: puppet: CVE-2017-10690
Salvatore Bonaccorso
carnil at debian.org
Wed Feb 14 19:43:23 UTC 2018
Source: puppet
Version: 5.1.0-1
Severity: important
Tags: security upstream
Forwarded: https://tickets.puppetlabs.com/browse/PUP-8225
Hi,
the following vulnerability was published for puppet.
CVE-2017-10690[0]:
| In previous versions of Puppet Agent it was possible for the agent to
| retrieve facts from an environment that it was not classified to
| retrieve from. This was resolved in Puppet Agent 5.3.4, included in
| Puppet Enterprise 2017.3.4
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-10690
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10690
[1] https://tickets.puppetlabs.com/browse/PUP-8225
Please adjust the affected versions in the BTS as needed, according to
the upstream bug the issue might as well be present in 4.x versions
but was masked prior to 4.10.5. Is this the correct interpretation?
Regards,
Salvatore