[Pkg-puppet-devel] Bug#890440: puppet: CVE-2017-10690

Salvatore Bonaccorso carnil at debian.org
Wed Feb 14 19:43:23 UTC 2018


Source: puppet
Version: 5.1.0-1
Severity: important
Tags: security upstream
Forwarded: https://tickets.puppetlabs.com/browse/PUP-8225

Hi,

the following vulnerability was published for puppet.

CVE-2017-10690[0]:
| In previous versions of Puppet Agent it was possible for the agent to
| retrieve facts from an environment that it was not classified to
| retrieve from. This was resolved in Puppet Agent 5.3.4, included in
| Puppet Enterprise 2017.3.4

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-10690
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10690
[1] https://tickets.puppetlabs.com/browse/PUP-8225

Please adjust the affected versions in the BTS as needed; according to
the upstream bug, the issue might as well be present in 4.x versions
but was masked prior to 4.10.5. Is this the correct interpretation?

Regards,
Salvatore


