[security-announce] SUSE-SU-2013:0618-1: important: Security update for puppet

[news 28]

SUSE Security Update: Security update for puppet

______________________________________________________________________________

 

Announcement ID: SUSE-SU-2013:0618-1

Rating: important

References: #809839

Cross-References: CVE-2013-1640 CVE-2013-1652 CVE-2013-1653

CVE-2013-1654 CVE-2013-1655 CVE-2013-2274

CVE-2013-2275

Affected Products:

SUSE Linux Enterprise Server 11 SP2 for VMware

SUSE Linux Enterprise Server 11 SP2

SUSE Linux Enterprise Desktop 11 SP2

______________________________________________________________________________

 

An update that fixes 7 vulnerabilities is now available. It

includes one version update.

 

Description:

 

 

puppet has been updated to fix 2.6.18 multiple

vulnerabilities and bugs.

 

* (#19391) Find the catalog for the specified node name

* Don't assume master supports SSLv2

* Don't require openssl client to return 0 on failure

* Display SSL messages so we can match our regex

* Don't assume puppetbindir is defined

* Remove unnecessary rubygems require

* Run openssl from windows when trying to downgrade

master

* Separate tests for same CVEs into separate files

* Fix order-dependent test failure in

rest_authconfig_spec

* Always read request body when using Rack

* (#19392) (CVE-2013-1653) Fix acceptance test to catch

unvalidated model on 2.6

* (#19392) (CVE-2013-1653) Validate indirection model

in save handler

* Acceptance tests for CVEs 2013 (1640, 1652, 1653,

1654, 2274, 2275)

* (#19531) (CVE-2013-2275) Only allow report save from

the node matching the certname

* (#19391) Backport Request#remote? method

* (#8858) Explicitly set SSL peer verification mode.

* (#8858) Refactor tests to use real HTTP objects

* (#19392) (CVE-2013-1653) Validate instances passed to

indirector

* (#19391) (CVE-2013-1652) Disallow use_node compiler

parameter for remote requests

* (#19151) Reject SSLv2 SSL handshakes and ciphers

* (#14093) Restore access to the filename in the

template

* (#14093) Remove unsafe attributes from TemplateWrapper

 

Security Issue references:

 

* CVE-2013-2275

 

* CVE-2013-2274

 

* CVE-2013-1655

 

* CVE-2013-1654

 

* CVE-2013-1653

 

* CVE-2013-1652

 

* CVE-2013-1640

 

 

 

Patch Instructions:

 

To install this SUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

 

- SUSE Linux Enterprise Server 11 SP2 for VMware:

 

zypper in -t patch slessp2-puppet-7526

 

- SUSE Linux Enterprise Server 11 SP2:

 

zypper in -t patch slessp2-puppet-7526

 

- SUSE Linux Enterprise Desktop 11 SP2:

 

zypper in -t patch sledsp2-puppet-7526

 

To bring your system up-to-date, use "zypper patch".

 

 

Package List:

 

- SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64) [New Version: 2.6.18]:

 

puppet-2.6.18-0.4.2

puppet-server-2.6.18-0.4.2

 

- SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 2.6.18]:

 

puppet-2.6.18-0.4.2

puppet-server-2.6.18-0.4.2

 

- SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 2.6.18]:

 

puppet-2.6.18-0.4.2

 

 

References:

 

http://support.novell.com/security/cve/CVE-2013-1640.html

http://support.novell.com/security/cve/CVE-2013-1652.html

http://support.novell.com/security/cve/CVE-2013-1653.html

http://support.novell.com/security/cve/CVE-2013-1654.html

http://support.novell.com/security/cve/CVE-2013-1655.html

http://support.novell.com/security/cve/CVE-2013-2274.html

http://support.novell.com/security/cve/CVE-2013-2275.html

https://bugzilla.novell.com/809839

http://download.novell.com/patch/finder/?keywords=bc7ffedd9ace9c95117aaf0acbf73ccc

 

--

To unsubscribe, e-mail: opensuse-security-announce+unsubscribe ( -at -) opensuse.org

For additional commands, e-mail: opensuse-security-announce+help ( -at -) opensuse.org